author | Michal Privoznik <mprivozn@redhat.com> | 2022-12-02 15:59:28 +0100 |
---|---|---|
committer | Michal Privoznik <mprivozn@redhat.com> | 2022-12-05 10:40:52 +0100 |
commit | f3259f82fd53a499c24dce69b469ff8769c72909 (patch) | |
tree | 2b45a45060f9fa8b7dde4db7c1bcbc2f8f51a337 /src/security | |
parent | 26cceb2a2ae33e09a12b75ce31bbf040ef56c432 (diff) | |
download | libvirt-f3259f82fd53a499c24dce69b469ff8769c72909.tar.gz |
security: Extend TPM label APIs
The virSecurityDomainSetTPMLabels() and
virSecurityDomainRestoreTPMLabels() APIs set/restore label on two
files/directories:
1) the TPM state (tpm->data.emulator.storagepath), and
2) the TPM log file (tpm->data.emulator.logfile).
Soon there will be a need to set the label on the log file but
not on the state. Therefore, extend these APIs with a boolean flag
that, when set, does both, but when unset does only 2).
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Diffstat (limited to 'src/security')
-rw-r--r-- | src/security/security_driver.h | 6 | ||||
-rw-r--r-- | src/security/security_manager.c | 10 | ||||
-rw-r--r-- | src/security/security_manager.h | 6 | ||||
-rw-r--r-- | src/security/security_selinux.c | 40 | ||||
-rw-r--r-- | src/security/security_stack.c | 12 |
5 files changed, 47 insertions, 27 deletions
diff --git a/src/security/security_driver.h b/src/security/security_driver.h
index a1fc23be38..fe6982ceca 100644
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@@ -154,9 +154,11 @@ typedef int (*virSecurityDomainRestoreChardevLabel) (virSecurityManager *mgr,
 virDomainChrSourceDef *dev_source,
 bool chardevStdioLogd);
 typedef int (*virSecurityDomainSetTPMLabels) (virSecurityManager *mgr,
- virDomainDef *def);
+ virDomainDef *def,
+ bool setTPMStateLabel);
 typedef int (*virSecurityDomainRestoreTPMLabels) (virSecurityManager *mgr,
- virDomainDef *def);
+ virDomainDef *def,
+ bool restoreTPMStateLabel);
 typedef int (*virSecurityDomainSetNetdevLabel) (virSecurityManager *mgr,
 virDomainDef *def,
 virDomainNetDef *net);
diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index 572e400a48..2f8e89cb04 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -1188,27 +1188,29 @@ virSecurityManagerRestoreChardevLabel(virSecurityManager *mgr,
 int
 virSecurityManagerSetTPMLabels(virSecurityManager *mgr,
- virDomainDef *vm)
+ virDomainDef *vm,
+ bool setTPMStateLabel)
 {
 VIR_LOCK_GUARD lock = virObjectLockGuard(mgr);
 if (!mgr->drv->domainSetSecurityTPMLabels)
 return 0;
- return mgr->drv->domainSetSecurityTPMLabels(mgr, vm);
+ return mgr->drv->domainSetSecurityTPMLabels(mgr, vm, setTPMStateLabel);
 }
 int
 virSecurityManagerRestoreTPMLabels(virSecurityManager *mgr,
- virDomainDef *vm)
+ virDomainDef *vm,
+ bool restoreTPMStateLabel)
 {
 VIR_LOCK_GUARD lock = virObjectLockGuard(mgr);
 if (!mgr->drv->domainRestoreSecurityTPMLabels)
 return 0;
- return mgr->drv->domainRestoreSecurityTPMLabels(mgr, vm);
+ return mgr->drv->domainRestoreSecurityTPMLabels(mgr, vm, restoreTPMStateLabel);
 }
diff --git a/src/security/security_manager.h b/src/security/security_manager.h
index bb3855efef..60597ffc0a 100644
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
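Review bot: The new `setTPMStateLabel` and `restoreTPMStateLabel` parameters on the virSecurityDomainSetTPMLabels and virSecurityDomainRestoreTPMLabels typedefs carry no comment, so nothing in the header tells a driver author that the log file is always labelled while the state path is labelled only when the flag is true, nor that the value passed to the Restore callback must match the one used for Set. A mismatch would either leave the domain's label on the state directory after the domain is gone or reset a label this code never applied, which is exactly the contract worth stating where drivers implement it. A comment such as `/* setTPMStateLabel: also label tpm->data.emulator.storagepath; the log file is always handled. Pass the same value to the Restore counterpart. */` above the Set typedef, mirrored on the Restore one, would cover it. The same applies to the public prototypes changed in the security_manager.h hunk (-214).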
@@ -214,10 +214,12 @@ int virSecurityManagerRestoreChardevLabel(virSecurityManager *mgr,
 bool chardevStdioLogd);
 int virSecurityManagerSetTPMLabels(virSecurityManager *mgr,
- virDomainDef *vm);
+ virDomainDef *vm,
+ bool setTPMStateLabel);
 int virSecurityManagerRestoreTPMLabels(virSecurityManager *mgr,
- virDomainDef *vm);
+ virDomainDef *vm,
+ bool restoreTPMStateLabel);
 int virSecurityManagerSetNetdevLabel(virSecurityManager *mgr,
 virDomainDef *vm,
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 92e85c92e0..415a26a386 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -3526,7 +3526,8 @@ virSecuritySELinuxRestoreFileLabels(virSecurityManager *mgr,
 static int
 virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr,
- virDomainDef *def)
+ virDomainDef *def,
+ bool setTPMStateLabel)
 {
 int ret = 0;
 size_t i;
@@ -3540,13 +3541,18 @@ virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr,
 if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR)
 continue;
- ret = virSecuritySELinuxSetFileLabels(
- mgr, def->tpms[i]->data.emulator.storagepath,
- seclabel);
- if (ret == 0 && def->tpms[i]->data.emulator.logfile)
- ret = virSecuritySELinuxSetFileLabels(
- mgr, def->tpms[i]->data.emulator.logfile,
- seclabel);
+ if (setTPMStateLabel) {
+ ret = virSecuritySELinuxSetFileLabels(mgr,
+ def->tpms[i]->data.emulator.storagepath,
+ seclabel);
+ }
+
+ if (ret == 0 &&
+ def->tpms[i]->data.emulator.logfile) {
+ ret = virSecuritySELinuxSetFileLabels(mgr,
+ def->tpms[i]->data.emulator.logfile,
+ seclabel);
+ }
 }
 return ret;
@@ -3555,7 +3561,8 @@ virSecuritySELinuxSetTPMLabels(virSecurityManager *mgr,
 static int
 virSecuritySELinuxRestoreTPMLabels(virSecurityManager *mgr,
- virDomainDef *def)
+ virDomainDef *def,
+ bool restoreTPMStateLabel)
 {
 int ret = 0;
 size_t i;
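Review bot: `ret` is carried across iterations of the `def->tpms[i]` loop in virSecuritySELinuxSetTPMLabels, so if a domain carries more than one emulator-type TPM a failure recorded for one of them is overwritten by the next TPM's `virSecuritySELinuxSetFileLabels` call on its state path and the function can return 0 after a partial failure; this predates the patch, but the new `if (setTPMStateLabel)` branch makes the two modes diverge, since with the flag clear the stale non-zero `ret` is kept (and skips the remaining log files) while with it set it is clobbered. Ending the loop body with `if (ret < 0) break;` makes the first failure definitive in both modes. The counterpart in virSecuritySELinuxRestoreTPMLabels (hunk -3564) has the same carry-over; restore being best-effort there, remembering the failure and continuing, as the `rc = -1` pattern in virSecurityStackRestoreTPMLabels in security_stack.c does, fits better than breaking. Whether more than one emulator TPM can actually be configured I cannot tell from this hunk; the loop header and the start of the function lie outside it.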
@@ -3564,11 +3571,16 @@ virSecuritySELinuxRestoreTPMLabels(virSecurityManager *mgr,
 if (def->tpms[i]->type != VIR_DOMAIN_TPM_TYPE_EMULATOR)
 continue;
- ret = virSecuritySELinuxRestoreFileLabels(
- mgr, def->tpms[i]->data.emulator.storagepath);
- if (ret == 0 && def->tpms[i]->data.emulator.logfile)
- ret = virSecuritySELinuxRestoreFileLabels(
- mgr, def->tpms[i]->data.emulator.logfile);
+ if (restoreTPMStateLabel) {
+ ret = virSecuritySELinuxRestoreFileLabels(mgr,
+ def->tpms[i]->data.emulator.storagepath);
+ }
+
+ if (ret == 0 &&
+ def->tpms[i]->data.emulator.logfile) {
+ ret = virSecuritySELinuxRestoreFileLabels(mgr,
+ def->tpms[i]->data.emulator.logfile);
+ }
 }
 return ret;
diff --git a/src/security/security_stack.c b/src/security/security_stack.c
index 0c72f93a20..560f797030 100644
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@@ -916,14 +916,15 @@ virSecurityStackDomainRestoreChardevLabel(virSecurityManager *mgr,
 static int
 virSecurityStackSetTPMLabels(virSecurityManager *mgr,
- virDomainDef *vm)
+ virDomainDef *vm,
+ bool setTPMStateLabel)
 {
 virSecurityStackData *priv = virSecurityManagerGetPrivateData(mgr);
 virSecurityStackItem *item = priv->itemsHead;
 for (; item; item = item->next) {
 if (virSecurityManagerSetTPMLabels(item->securityManager,
- vm) < 0)
+ vm, setTPMStateLabel) < 0)
 goto rollback;
 }
@@ -932,7 +933,7 @@ virSecurityStackSetTPMLabels(virSecurityManager *mgr,
 rollback:
 for (item = item->prev; item; item = item->prev) {
 if (virSecurityManagerRestoreTPMLabels(item->securityManager,
- vm) < 0) {
+ vm, setTPMStateLabel) < 0) {
 VIR_WARN("Unable to restore TPM label after failed set label "
 "call virDriver=%s driver=%s domain=%s",
 virSecurityManagerGetVirtDriver(mgr),
@@ -946,7 +947,8 @@ virSecurityStackSetTPMLabels(virSecurityManager *mgr,
 static int
 virSecurityStackRestoreTPMLabels(virSecurityManager *mgr,
- virDomainDef *vm)
+ virDomainDef *vm,
+ bool restoreTPMStateLabel)
 {
 virSecurityStackData *priv = virSecurityManagerGetPrivateData(mgr);
 virSecurityStackItem *item = priv->itemsHead;
@@ -954,7 +956,7 @@ virSecurityStackRestoreTPMLabels(virSecurityManager *mgr,
 for (; item; item = item->next) {
 if (virSecurityManagerRestoreTPMLabels(item->securityManager,
- vm) < 0)
+ vm, restoreTPMStateLabel) < 0)
 rc = -1;
 }