Ensure sanlock socket is labelled with the VM process label

The libvirt sanlock plugin is intentionally leaking a file descriptor to QEMU. To enable QEMU to use this FD under SELinux, it must be labelled correctly. We dont want to use the svirt_image_t for this, since QEMU must not be allowed to actually use the FD. So instead we label it with svirt_t using virSecurityManagerSetProcessFDLabel * src/locking/domain_lock.c, src/locking/domain_lock.h, src/locking/lock_driver.h, src/locking/lock_driver_nop.c, src/locking/lock_driver_sanlock.c, src/locking/lock_manager.c, src/locking/lock_manager.h: Optionally pass an FD back to the hypervisor for security driver labelling * src/qemu/qemu_process.c: label the lock manager plugin FD with the process label

Ensure sanlock socket is labelled with the VM process label
The libvirt sanlock plugin is intentionally leaking a file descriptor to QEMU. To enable QEMU to use this FD under SELinux, it must be labelled correctly. We dont want to use the svirt_image_t for this, since QEMU must not be allowed to actually use the FD. So instead we label it with svirt_t using virSecurityManagerSetProcessFDLabel * src/locking/domain_lock.c, src/locking/domain_lock.h, src/locking/lock_driver.h, src/locking/lock_driver_nop.c, src/locking/lock_driver_sanlock.c, src/locking/lock_manager.c, src/locking/lock_manager.h: Optionally pass an FD back to the hypervisor for security driver labelling * src/qemu/qemu_process.c: label the lock manager plugin FD with the process label
5247b069 · Daniel P. Berrange · 8e3c6fbb · 5247b069 · 5247b069 · 5247b069
8 changed file
--- a/src/locking/domain_lock.c
+++ b/src/locking/domain_lock.c
@@ -153,7 +153,8 @@ error:
 int virDomainLockProcessStart(virLockManagerPluginPtr plugin,
                              virDomainObjPtr dom,
-                              bool paused)
+                              bool paused,
+                              int *fd)
 {
    virLockManagerPtr lock;
    int ret;
@@ -165,7 +166,7 @@ int virDomainLockProcessStart(virLockManagerPluginPtr plugin,
    if (paused)
        flags |= VIR_LOCK_MANAGER_ACQUIRE_REGISTER_ONLY;
-    ret = virLockManagerAcquire(lock, NULL, flags);
+    ret = virLockManagerAcquire(lock, NULL, flags, fd);
    virLockManagerFree(lock);
@@ -198,7 +199,7 @@ int virDomainLockProcessResume(virLockManagerPluginPtr plugin,
    if (!(lock = virDomainLockManagerNew(plugin, dom, true)))
        return -1;
-    ret = virLockManagerAcquire(lock, state, 0);
+    ret = virLockManagerAcquire(lock, state, 0, NULL);
    virLockManagerFree(lock);
    return ret;
@@ -234,7 +235,7 @@ int virDomainLockDiskAttach(virLockManagerPluginPtr plugin,
    if (virDomainLockManagerAddDisk(lock, disk) < 0)
        goto cleanup;
-    if (virLockManagerAcquire(lock, NULL, 0) < 0)
+    if (virLockManagerAcquire(lock, NULL, 0, NULL) < 0)
        goto cleanup;
    ret = 0;
@@ -283,7 +284,7 @@ int virDomainLockLeaseAttach(virLockManagerPluginPtr plugin,
    if (virDomainLockManagerAddLease(lock, lease) < 0)
        goto cleanup;
-    if (virLockManagerAcquire(lock, NULL, 0) < 0)
+    if (virLockManagerAcquire(lock, NULL, 0, NULL) < 0)
        goto cleanup;
    ret = 0;

--- a/src/locking/domain_lock.h
+++ b/src/locking/domain_lock.h
@@ -28,7 +28,8 @@
 int virDomainLockProcessStart(virLockManagerPluginPtr plugin,
                              virDomainObjPtr dom,
-                              bool paused);
+                              bool paused,
+                              int *fd);
 int virDomainLockProcessPause(virLockManagerPluginPtr plugin,
                              virDomainObjPtr dom,
                              char **state);

--- a/src/locking/lock_driver.h
+++ b/src/locking/lock_driver.h
@@ -214,6 +214,7 @@ typedef int (*virLockDriverAddResource)(virLockManagerPtr man,
 * @manager: the lock manager context
 * @state: the current lock state
 * @flags: optional flags, currently unused
+ * @fd: optional return the leaked FD
 *
 * Start managing resources for the object. This
 * must be called from the PID that represents the
@@ -222,11 +223,17 @@ typedef int (*virLockDriverAddResource)(virLockManagerPtr man,
 * The optional state contains information about the
 * locks previously held for the object.
 *
+ * The file descriptor returned in @fd is one that
+ * is intentionally leaked and should not be closed.
+ * It is returned so that it can be labelled by the
+ * security managers (if required).
+ *
 * Returns 0 on success, or -1 on failure
 */
 typedef int (*virLockDriverAcquire)(virLockManagerPtr man,
                                    const char *state,
-                                    unsigned int flags);
+                                    unsigned int flags,
+                                    int *fd);
 /**
 * virLockDriverRelease:

--- a/src/locking/lock_driver_nop.c
+++ b/src/locking/lock_driver_nop.c
@@ -66,9 +66,9 @@ static int virLockManagerNopAddResource(virLockManagerPtr lock ATTRIBUTE_UNUSED,
 static int virLockManagerNopAcquire(virLockManagerPtr lock ATTRIBUTE_UNUSED,
                                    const char *state ATTRIBUTE_UNUSED,
-                                    unsigned int flags ATTRIBUTE_UNUSED)
+                                    unsigned int flags ATTRIBUTE_UNUSED,
+                                    int *fd ATTRIBUTE_UNUSED)
 {
    return 0;
 }

--- a/src/locking/lock_driver_sanlock.c
+++ b/src/locking/lock_driver_sanlock.c
@@ -229,7 +229,8 @@ error:
 static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
                                        const char *state,
-                                        unsigned int flags)
+                                        unsigned int flags,
+                                        int *fd)
 {
    virLockManagerSanlockPrivatePtr priv = lock->privateData;
    struct sanlk_options *opt;
@@ -349,6 +350,9 @@ static int virLockManagerSanlockAcquire(virLockManagerPtr lock,
        VIR_FREE(res_args);
    }
+    if (fd)
+        *fd = sock;
    return 0;
 error:

--- a/src/locking/lock_manager.c
+++ b/src/locking/lock_manager.c
@@ -330,13 +330,17 @@ int virLockManagerAddResource(virLockManagerPtr lock,
 int virLockManagerAcquire(virLockManagerPtr lock,
                          const char *state,
-                          unsigned int flags)
+                          unsigned int flags,
+                          int *fd)
 {
-    VIR_DEBUG("lock=%p state='%s' flags=%u", lock, NULLSTR(state), flags);
+    VIR_DEBUG("lock=%p state='%s' flags=%u fd=%p", lock, NULLSTR(state), flags, fd);
    CHECK_MANAGER(drvAcquire, -1);
-    return lock->driver->drvAcquire(lock, state, flags);
+    if (fd)
+        *fd = -1;
+    return lock->driver->drvAcquire(lock, state, flags, fd);
 }

--- a/src/locking/lock_manager.h
+++ b/src/locking/lock_manager.h
@@ -52,7 +52,8 @@ int virLockManagerAddResource(virLockManagerPtr manager,
 int virLockManagerAcquire(virLockManagerPtr manager,
                          const char *state,
-                          unsigned int flags);
+                          unsigned int flags,
+                          int *fd);
 int virLockManagerRelease(virLockManagerPtr manager,
                          char **state,
                          unsigned int flags);

--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -2033,6 +2033,7 @@ static int qemuProcessHook(void *data)
 {
    struct qemuProcessHookData *h = data;
    int ret = -1;
+    int fd;
    /* Some later calls want pid present */
    h->vm->pid = getpid();
@@ -2041,7 +2042,8 @@ static int qemuProcessHook(void *data)
    if (virDomainLockProcessStart(h->driver->lockManager,
                                  h->vm,
                                  /* QEMU is always pased initially */
-                                  true) < 0)
+                                  true,
+                                  &fd) < 0)
        goto cleanup;
    if (qemuProcessLimits(h->driver) < 0)
@@ -2063,10 +2065,16 @@ static int qemuProcessHook(void *data)
    if (qemuProcessInitNumaMemoryPolicy(h->vm) < 0)
        return -1;
-    VIR_DEBUG("Setting up security labeling");
+    VIR_DEBUG("Setting up security labelling");
    if (virSecurityManagerSetProcessLabel(h->driver->securityManager, h->vm) < 0)
        goto cleanup;
+    if (fd != -1) {
+        VIR_DEBUG("Setting up lock manager FD labelling");
+        if (virSecurityManagerSetProcessFDLabel(h->driver->securityManager, h->vm, fd) < 0)
+            goto cleanup;
+    }
    ret = 0;
 cleanup: