diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index c3e33b48475269667617768f84165533eba1818c..2a453bc764ece845d14c3ac4d1125f6d2a9c6235 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel; virSecurityManagerSetProcessFDLabel; virSecurityManagerSetProcessLabel; virSecurityManagerSetSavedStateLabel; +virSecurityManagerSetSocketLabel; virSecurityManagerVerify; # sexpr.h diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 0ad772699d5612538feba43dfd50c150de11efc7..dbd12909f0b79db751f0d27402b9c4e6e1ee1c73 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -584,6 +584,13 @@ AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, return 0; } +static int +AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainObjPtr vm ATTRIBUTE_UNUSED) +{ + return 0; +} + static int AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainObjPtr vm ATTRIBUTE_UNUSED) @@ -836,6 +843,7 @@ virSecurityDriver virAppArmorSecurityDriver = { AppArmorRestoreSecurityImageLabel, AppArmorSetSecurityDaemonSocketLabel, + AppArmorSetSecuritySocketLabel, AppArmorClearSecuritySocketLabel, AppArmorGenSecurityLabel, diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 6df4087151f2b90fbc05f68e583d5d78ebbce098..e5465fc0db05d11ad7ad86eaa2a3c33659d17f49 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -674,6 +674,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, } +static int +virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainObjPtr vm ATTRIBUTE_UNUSED) +{ + return 0; +} + + static int virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainObjPtr vm ATTRIBUTE_UNUSED) @@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = { virSecurityDACRestoreSecurityImageLabel, virSecurityDACSetDaemonSocketLabel, + virSecurityDACSetSocketLabel, virSecurityDACClearSocketLabel, virSecurityDACGenLabel, diff --git a/src/security/security_driver.h b/src/security/security_driver.h index 73c8f0462424ca98e76a7b4983ec004f3d681bfc..94f27f81d7a169981a5df35dcdbe18af729b7886 100644 --- a/src/security/security_driver.h +++ b/src/security/security_driver.h @@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr, virDomainDiskDefPtr disk); typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr, virDomainObjPtr vm); +typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr, + virDomainObjPtr vm); typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr, virDomainObjPtr vm); typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr, @@ -102,6 +104,7 @@ struct _virSecurityDriver { virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel; virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel; + virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel; virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel; virSecurityDomainGenLabel domainGenSecurityLabel; diff --git a/src/security/security_manager.c b/src/security/security_manager.c index d30ebcf309df666247485804e604f44077f68dce..b2fd0d043c495b50cfe342529e4d4c1491155abd 100644 --- a/src/security/security_manager.c +++ b/src/security/security_manager.c @@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, return -1; } +int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, + virDomainObjPtr vm) +{ + if (mgr->drv->domainSetSecuritySocketLabel) + return mgr->drv->domainSetSecuritySocketLabel(mgr, vm); + + virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__); + return -1; +} + int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) { diff --git a/src/security/security_manager.h b/src/security/security_manager.h index 8d614a78cb5b285084a6a7d870e92f81d2cfc46c..38342c28148ea43b3a9682674b1d42ac965673fc 100644 --- a/src/security/security_manager.h +++ b/src/security/security_manager.h @@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr, virDomainDiskDefPtr disk); int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm); +int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr, + virDomainObjPtr vm); int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm); int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr, diff --git a/src/security/security_nop.c b/src/security/security_nop.c index 67d3ff6f927d01c0e5049f111c29b4ec7f2686da..a68a6c0eea1e9c918cd96f0618d837f505badaeb 100644 --- a/src/security/security_nop.c +++ b/src/security/security_nop.c @@ -59,6 +59,12 @@ static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT return 0; } +static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainObjPtr vm ATTRIBUTE_UNUSED) +{ + return 0; +} + static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, virDomainObjPtr vm ATTRIBUTE_UNUSED) { @@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = { virSecurityDomainRestoreImageLabelNop, virSecurityDomainSetDaemonSocketLabelNop, + virSecurityDomainSetSocketLabelNop, virSecurityDomainClearSocketLabelNop, virSecurityDomainGenLabelNop, diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index f87c9a5b08bd02e268bf2dd8f063cc35db233b41..cddbed51a162ef246a3049415a869c6968bb1a27 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -1136,6 +1136,43 @@ done: return rc; } +static int +SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr, + virDomainObjPtr vm) +{ + const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + int rc = -1; + + if (secdef->label == NULL) + return 0; + + if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) { + virSecurityReportError(VIR_ERR_INTERNAL_ERROR, + _("security label driver mismatch: " + "'%s' model configured for domain, but " + "hypervisor driver is '%s'."), + secdef->model, virSecurityManagerGetModel(mgr)); + goto done; + } + + VIR_DEBUG("Setting VM %s socket context %s", + vm->def->name, secdef->label); + if (setsockcreatecon(secdef->label) == -1) { + virReportSystemError(errno, + _("unable to set socket security context '%s'"), + secdef->label); + goto done; + } + + rc = 0; + +done: + if (security_getenforce() != 1) + rc = 0; + + return rc; +} + static int SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) @@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = { SELinuxRestoreSecurityImageLabel, SELinuxSetSecurityDaemonSocketLabel, + SELinuxSetSecuritySocketLabel, SELinuxClearSecuritySocketLabel, SELinuxGenSecurityLabel, diff --git a/src/security/security_stack.c b/src/security/security_stack.c index 404ff65d4dbfcb5e42e32cf63d54a0cd4b0af8fd..f263f5bcef2f86560ac36c2c445a6a1d108cbee6 100644 --- a/src/security/security_stack.c +++ b/src/security/security_stack.c @@ -354,6 +354,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr, } +static int +virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr, + virDomainObjPtr vm) +{ + virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr); + int rc = 0; + + if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0) + rc = -1; + if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0) + rc = -1; + + return rc; +} + + static int virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr, virDomainObjPtr vm) @@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = { virSecurityStackRestoreSecurityImageLabel, virSecurityStackSetDaemonSocketLabel, + virSecurityStackSetSocketLabel, virSecurityStackClearSocketLabel, virSecurityStackGenLabel,