From 520d91f8bd8aeba9cfd05f33eb7fea2fecc936c6 Mon Sep 17 00:00:00 2001
From: Jiri Denemark
Date: Fri, 26 Aug 2011 09:39:32 +0200
Subject: [PATCH] security: Introduce SetSocketLabel

This API labels all sockets created until ClearSocketLabel is called in a way that a vm can access them (i.e., they are labeled with svirt_t based label in SELinux).
---
 src/libvirt_private.syms | 1 +
 src/security/security_apparmor.c | 8 +++++++
 src/security/security_dac.c | 9 ++++++++
 src/security/security_driver.h | 3 +++
 src/security/security_manager.c | 10 +++++++++
 src/security/security_manager.h | 2 ++
 src/security/security_nop.c | 7 ++++++
 src/security/security_selinux.c | 38 ++++++++++++++++++++++++++++++++
 src/security/security_stack.c | 17 ++++++++++++++
 9 files changed, 95 insertions(+)
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index c3e33b4847..2a453bc764 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel;
 virSecurityManagerSetProcessFDLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
+virSecurityManagerSetSocketLabel;
 virSecurityManagerVerify;
 # sexpr.h
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 0ad772699d..dbd12909f0 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -584,6 +584,13 @@ AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 return 0;
 }
+static int
+AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
 static int
 AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virDomainObjPtr vm ATTRIBUTE_UNUSED)
@@ -836,6 +843,7 @@ virSecurityDriver virAppArmorSecurityDriver = {
 AppArmorRestoreSecurityImageLabel,
 AppArmorSetSecurityDaemonSocketLabel,
+ AppArmorSetSecuritySocketLabel,
 AppArmorClearSecuritySocketLabel,
 AppArmorGenSecurityLabel,
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6df4087151..e5465fc0db 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -674,6 +674,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 }
+static int
+virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
+
 static int
 virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virDomainObjPtr vm ATTRIBUTE_UNUSED)
@@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = {
 virSecurityDACRestoreSecurityImageLabel,
 virSecurityDACSetDaemonSocketLabel,
+ virSecurityDACSetSocketLabel,
 virSecurityDACClearSocketLabel,
 virSecurityDACGenLabel,
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index 73c8f04624..94f27f81d7 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
 virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
 virDomainObjPtr vm);
+typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
+ virDomainObjPtr vm);
 typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
 virDomainObjPtr vm);
 typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
@@ -102,6 +104,7 @@ struct _virSecurityDriver {
 virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
 virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
+ virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
 virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
 virSecurityDomainGenLabel domainGenSecurityLabel;
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index d30ebcf309..b2fd0d043c 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 return -1;
 }
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
+{
+ if (mgr->drv->domainSetSecuritySocketLabel)
+ return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
+
+ virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+ return -1;
+}
+
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
 virDomainObjPtr vm)
 {
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index 8d614a78cb..38342c2814 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
 virDomainDiskDefPtr disk);
 int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 virDomainObjPtr vm);
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm);
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
 virDomainObjPtr vm);
 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,
diff --git a/src/security/security_nop.c b/src/security/security_nop.c
index 67d3ff6f92..a68a6c0eea 100644
--- a/src/security/security_nop.c
+++ b/src/security/security_nop.c
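Review bot: virSecurityManagerSetSocketLabel in src/security/security_manager.c (and its prototype in security_manager.h) carries no comment stating the pairing contract that the commit message describes: every socket created after this call is labeled for the VM until virSecurityManagerClearSocketLabel runs. Because that state outlives the call, a caller that leaves on an error path without clearing would let later, unrelated sockets be created with the VM's label. I would add above the function `/* Label all sockets created from now on so that @vm can access them; the caller must call virSecurityManagerClearSocketLabel() on every exit path, including errors. */`. Whether the state is scoped to the calling thread or to the whole process depends on the driver and is not visible in this hunk, so the comment should name the scope once that is confirmed.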
@@ -59,6 +59,12 @@ static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT
 return 0;
 }
+static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+ return 0;
+}
+
 static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
@@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = {
 virSecurityDomainRestoreImageLabelNop,
 virSecurityDomainSetDaemonSocketLabelNop,
+ virSecurityDomainSetSocketLabelNop,
 virSecurityDomainClearSocketLabelNop,
 virSecurityDomainGenLabelNop,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index f87c9a5b08..cddbed51a1 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1136,6 +1136,43 @@ done:
 return rc;
 }
+static int
+SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
+{
+ const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+ int rc = -1;
+
+ if (secdef->label == NULL)
+ return 0;
+
+ if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
+ virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+ _("security label driver mismatch: "
+ "'%s' model configured for domain, but "
+ "hypervisor driver is '%s'."),
+ secdef->model, virSecurityManagerGetModel(mgr));
+ goto done;
+ }
+
+ VIR_DEBUG("Setting VM %s socket context %s",
+ vm->def->name, secdef->label);
+ if (setsockcreatecon(secdef->label) == -1) {
+ virReportSystemError(errno,
+ _("unable to set socket security context '%s'"),
+ secdef->label);
+ goto done;
+ }
+
+ rc = 0;
+
+done:
+ if (security_getenforce() != 1)
+ rc = 0;
+
+ return rc;
+}
+
 static int
 SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
 virDomainObjPtr vm)
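Review bot: In SELinuxSetSecuritySocketLabel, the `done:` path resets rc to 0 whenever `security_getenforce() != 1`, and that also matches a return of -1, which is how libselinux reports that the enforcing state could not be read. A failed `setsockcreatecon()` or the model-mismatch branch is then returned as success even though the mode is unknown, so the check fails open. If only permissive mode is meant to be tolerated, the test could be `if (rc < 0 && security_getenforce() == 0) rc = 0;`. The tolerated cases have also already raised an error through virSecurityReportError or virReportSystemError while the function returns 0, which leaves a stale error for the caller; other setters in this file may follow the same pattern, but their bodies are outside this hunk. A short comment on the function that the context set by `setsockcreatecon()` stays in effect until SELinuxClearSecuritySocketLabel is called would make the pairing requirement explicit.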
@@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = {
 SELinuxRestoreSecurityImageLabel,
 SELinuxSetSecurityDaemonSocketLabel,
+ SELinuxSetSecuritySocketLabel,
 SELinuxClearSecuritySocketLabel,
 SELinuxGenSecurityLabel,
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 404ff65d4d..f263f5bcef 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -354,6 +354,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 }
+static int
+virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
+ virDomainObjPtr vm)
+{
+ virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ int rc = 0;
+
+ if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
+ rc = -1;
+ if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
+ rc = -1;
+
+ return rc;
+}
+
+
 static int
 virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
 virDomainObjPtr vm)
@@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = {
 virSecurityStackRestoreSecurityImageLabel,
 virSecurityStackSetDaemonSocketLabel,
+ virSecurityStackSetSocketLabel,
 virSecurityStackClearSocketLabel,
 virSecurityStackGenLabel,
-- GitLab
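Review bot: virSecurityStackSetSocketLabel in src/security/security_stack.c returns -1 when either driver fails but leaves in place whatever the other driver applied. The primary is still called after the secondary has failed, and nothing is undone when the primary fails after the secondary succeeded. A caller that reads -1 as "no label was applied" and skips ClearSocketLabel would keep creating sockets under the VM's label. One option is to undo before `return rc;` with `if (rc < 0) { virSecurityManagerClearSocketLabel(priv->secondary, vm); virSecurityManagerClearSocketLabel(priv->primary, vm); }`, provided the clear path is safe after a partial set and does not overwrite the reported error, which this hunk does not show. Otherwise a comment on the function should state that callers must call ClearSocketLabel even when Set fails.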