提交 1c57eea3 编写于 作者: P Pavel Hrdina

qemu: fix security labeling for attach/detach of char devices

Commit e93d844b was not enough to fix the permission denied
issue.  We need to apply security labels as well.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
上级 1b4f66ec
...@@ -1815,6 +1815,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, ...@@ -1815,6 +1815,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
bool chardevAttached = false; bool chardevAttached = false;
bool teardowncgroup = false; bool teardowncgroup = false;
bool teardowndevice = false; bool teardowndevice = false;
bool teardownlabel = false;
char *tlsAlias = NULL; char *tlsAlias = NULL;
char *secAlias = NULL; char *secAlias = NULL;
bool need_release = false; bool need_release = false;
...@@ -1835,6 +1836,10 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, ...@@ -1835,6 +1836,10 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
goto cleanup; goto cleanup;
teardowndevice = true; teardowndevice = true;
if (qemuSecuritySetChardevLabel(driver, vm, chr) < 0)
goto cleanup;
teardownlabel = true;
if (qemuSetupChardevCgroup(vm, chr) < 0) if (qemuSetupChardevCgroup(vm, chr) < 0)
goto cleanup; goto cleanup;
teardowncgroup = true; teardowncgroup = true;
...@@ -1877,6 +1882,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn, ...@@ -1877,6 +1882,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
qemuDomainReleaseDeviceAddress(vm, &chr->info, NULL); qemuDomainReleaseDeviceAddress(vm, &chr->info, NULL);
if (teardowncgroup && qemuTeardownChardevCgroup(vm, chr) < 0) if (teardowncgroup && qemuTeardownChardevCgroup(vm, chr) < 0)
VIR_WARN("Unable to remove chr device cgroup ACL on hotplug fail"); VIR_WARN("Unable to remove chr device cgroup ACL on hotplug fail");
if (teardownlabel && qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
VIR_WARN("Unable to restore security label on char device");
if (teardowndevice && qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0) if (teardowndevice && qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
VIR_WARN("Unable to remove chr device from /dev"); VIR_WARN("Unable to remove chr device from /dev");
} }
...@@ -4154,6 +4161,9 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver, ...@@ -4154,6 +4161,9 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
if (qemuTeardownChardevCgroup(vm, chr) < 0) if (qemuTeardownChardevCgroup(vm, chr) < 0)
VIR_WARN("Failed to remove chr device cgroup ACL"); VIR_WARN("Failed to remove chr device cgroup ACL");
if (qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
VIR_WARN("Unable to restore security label on char device");
if (qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0) if (qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
VIR_WARN("Unable to remove chr device from /dev"); VIR_WARN("Unable to remove chr device from /dev");
......
...@@ -364,3 +364,63 @@ qemuSecurityRestoreInputLabel(virDomainObjPtr vm, ...@@ -364,3 +364,63 @@ qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
virSecurityManagerTransactionAbort(driver->securityManager); virSecurityManagerTransactionAbort(driver->securityManager);
return ret; return ret;
} }
int
qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr)
{
int ret = -1;
qemuDomainObjPrivatePtr priv = vm->privateData;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
if (virSecurityManagerSetChardevLabel(driver->securityManager,
vm->def,
chr->source,
priv->chardevStdioLogd) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
int
qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr)
{
int ret = -1;
qemuDomainObjPrivatePtr priv = vm->privateData;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionStart(driver->securityManager) < 0)
goto cleanup;
if (virSecurityManagerRestoreChardevLabel(driver->securityManager,
vm->def,
chr->source,
priv->chardevStdioLogd) < 0)
goto cleanup;
if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
virSecurityManagerTransactionCommit(driver->securityManager,
vm->pid) < 0)
goto cleanup;
ret = 0;
cleanup:
virSecurityManagerTransactionAbort(driver->securityManager);
return ret;
}
...@@ -76,6 +76,14 @@ int qemuSecuritySetInputLabel(virDomainObjPtr vm, ...@@ -76,6 +76,14 @@ int qemuSecuritySetInputLabel(virDomainObjPtr vm,
int qemuSecurityRestoreInputLabel(virDomainObjPtr vm, int qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
virDomainInputDefPtr input); virDomainInputDefPtr input);
int qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr);
int qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
virDomainObjPtr vm,
virDomainChrDefPtr chr);
/* Please note that for these APIs there is no wrapper yet. Do NOT blindly add /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
* new APIs here. If an API can touch a /dev file add a proper wrapper instead. * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
*/ */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册