security: Introduce SetSocketLabel

This API labels all sockets created until ClearSocketLabel is called in
a way that a vm can access them (i.e., they are labeled with svirt_t
based label in SELinux).

src/libvirt_private.syms

@@ -911,6 +911,7 @@ virSecurityManagerSetHostdevLabel;
 virSecurityManagerSetProcessFDLabel;
 virSecurityManagerSetProcessLabel;
 virSecurityManagerSetSavedStateLabel;
+virSecurityManagerSetSocketLabel;
 virSecurityManagerVerify;
 
 # sexpr.h

src/security/security_apparmor.c

@@ -584,6 +584,13 @@ AppArmorSetSecurityDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
     return 0;
 }
 
+static int
+AppArmorSetSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                               virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
 static int
 AppArmorClearSecuritySocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                  virDomainObjPtr vm ATTRIBUTE_UNUSED)
@@ -836,6 +843,7 @@ virSecurityDriver virAppArmorSecurityDriver = {
     AppArmorRestoreSecurityImageLabel,
 
     AppArmorSetSecurityDaemonSocketLabel,
+    AppArmorSetSecuritySocketLabel,
     AppArmorClearSecuritySocketLabel,
 
     AppArmorGenSecurityLabel,

src/security/security_dac.c

@@ -674,6 +674,14 @@ virSecurityDACSetDaemonSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
 }
 
 
+static int
+virSecurityDACSetSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                             virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
+
 static int
 virSecurityDACClearSocketLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                  virDomainObjPtr vm ATTRIBUTE_UNUSED)
@@ -715,6 +723,7 @@ virSecurityDriver virSecurityDriverDAC = {
     virSecurityDACRestoreSecurityImageLabel,
 
     virSecurityDACSetDaemonSocketLabel,
+    virSecurityDACSetSocketLabel,
     virSecurityDACClearSocketLabel,
 
     virSecurityDACGenLabel,

src/security/security_driver.h

@@ -43,6 +43,8 @@ typedef int (*virSecurityDomainRestoreImageLabel) (virSecurityManagerPtr mgr,
                                                    virDomainDiskDefPtr disk);
 typedef int (*virSecurityDomainSetDaemonSocketLabel)(virSecurityManagerPtr mgr,
                                                      virDomainObjPtr vm);
+typedef int (*virSecurityDomainSetSocketLabel) (virSecurityManagerPtr mgr,
+                                                virDomainObjPtr vm);
 typedef int (*virSecurityDomainClearSocketLabel)(virSecurityManagerPtr mgr,
                                                 virDomainObjPtr vm);
 typedef int (*virSecurityDomainSetImageLabel) (virSecurityManagerPtr mgr,
@@ -102,6 +104,7 @@ struct _virSecurityDriver {
     virSecurityDomainRestoreImageLabel domainRestoreSecurityImageLabel;
 
     virSecurityDomainSetDaemonSocketLabel domainSetSecurityDaemonSocketLabel;
+    virSecurityDomainSetSocketLabel domainSetSecuritySocketLabel;
     virSecurityDomainClearSocketLabel domainClearSecuritySocketLabel;
 
     virSecurityDomainGenLabel domainGenSecurityLabel;

src/security/security_manager.c

@@ -170,6 +170,16 @@ int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
     return -1;
 }
 
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+                                     virDomainObjPtr vm)
+{
+    if (mgr->drv->domainSetSecuritySocketLabel)
+        return mgr->drv->domainSetSecuritySocketLabel(mgr, vm);
+
+    virSecurityReportError(VIR_ERR_NO_SUPPORT, __FUNCTION__);
+    return -1;
+}
+
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
                                        virDomainObjPtr vm)
 {

src/security/security_manager.h

@@ -55,6 +55,8 @@ int virSecurityManagerRestoreImageLabel(virSecurityManagerPtr mgr,
                                         virDomainDiskDefPtr disk);
 int virSecurityManagerSetDaemonSocketLabel(virSecurityManagerPtr mgr,
                                            virDomainObjPtr vm);
+int virSecurityManagerSetSocketLabel(virSecurityManagerPtr mgr,
+                                     virDomainObjPtr vm);
 int virSecurityManagerClearSocketLabel(virSecurityManagerPtr mgr,
                                        virDomainObjPtr vm);
 int virSecurityManagerSetImageLabel(virSecurityManagerPtr mgr,

src/security/security_nop.c

@@ -59,6 +59,12 @@ static int virSecurityDomainSetDaemonSocketLabelNop(virSecurityManagerPtr mgr AT
     return 0;
 }
 
+static int virSecurityDomainSetSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                                              virDomainObjPtr vm ATTRIBUTE_UNUSED)
+{
+    return 0;
+}
+
 static int virSecurityDomainClearSocketLabelNop(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                                 virDomainObjPtr vm ATTRIBUTE_UNUSED)
 {
@@ -172,6 +178,7 @@ virSecurityDriver virSecurityDriverNop = {
     virSecurityDomainRestoreImageLabelNop,
 
     virSecurityDomainSetDaemonSocketLabelNop,
+    virSecurityDomainSetSocketLabelNop,
     virSecurityDomainClearSocketLabelNop,
 
     virSecurityDomainGenLabelNop,

src/security/security_selinux.c

@@ -1136,6 +1136,43 @@ done:
     return rc;
 }
 
+static int
+SELinuxSetSecuritySocketLabel(virSecurityManagerPtr mgr,
+                              virDomainObjPtr vm)
+{
+    const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
+    int rc = -1;
+
+    if (secdef->label == NULL)
+        return 0;
+
+    if (!STREQ(virSecurityManagerGetModel(mgr), secdef->model)) {
+        virSecurityReportError(VIR_ERR_INTERNAL_ERROR,
+                               _("security label driver mismatch: "
+                                 "'%s' model configured for domain, but "
+                                 "hypervisor driver is '%s'."),
+                               secdef->model, virSecurityManagerGetModel(mgr));
+        goto done;
+    }
+
+    VIR_DEBUG("Setting VM %s socket context %s",
+              vm->def->name, secdef->label);
+    if (setsockcreatecon(secdef->label) == -1) {
+        virReportSystemError(errno,
+                             _("unable to set socket security context '%s'"),
+                             secdef->label);
+        goto done;
+    }
+
+    rc = 0;
+
+done:
+    if (security_getenforce() != 1)
+        rc = 0;
+
+    return rc;
+}
+
 static int
 SELinuxClearSecuritySocketLabel(virSecurityManagerPtr mgr,
                                 virDomainObjPtr vm)
@@ -1313,6 +1350,7 @@ virSecurityDriver virSecurityDriverSELinux = {
     SELinuxRestoreSecurityImageLabel,
 
     SELinuxSetSecurityDaemonSocketLabel,
+    SELinuxSetSecuritySocketLabel,
     SELinuxClearSecuritySocketLabel,
 
     SELinuxGenSecurityLabel,

src/security/security_stack.c

@@ -354,6 +354,22 @@ virSecurityStackSetDaemonSocketLabel(virSecurityManagerPtr mgr,
 }
 
 
+static int
+virSecurityStackSetSocketLabel(virSecurityManagerPtr mgr,
+                               virDomainObjPtr vm)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    int rc = 0;
+
+    if (virSecurityManagerSetSocketLabel(priv->secondary, vm) < 0)
+        rc = -1;
+    if (virSecurityManagerSetSocketLabel(priv->primary, vm) < 0)
+        rc = -1;
+
+    return rc;
+}
+
+
 static int
 virSecurityStackClearSocketLabel(virSecurityManagerPtr mgr,
                                  virDomainObjPtr vm)
@@ -419,6 +435,7 @@ virSecurityDriver virSecurityDriverStack = {
     virSecurityStackRestoreSecurityImageLabel,
 
     virSecurityStackSetDaemonSocketLabel,
+    virSecurityStackSetSocketLabel,
     virSecurityStackClearSocketLabel,
 
     virSecurityStackGenLabel,