From patchwork Mon Jul 17 16:31:50 2017
X-Patchwork-Submitter: Cole Robinson
X-Patchwork-Id: 108020
From: Cole Robinson
To: libvir-list@redhat.com
Date: Mon, 17 Jul 2017 12:31:50 -0400
Subject: [libvirt] [PATCH] security: dac: relabel spice rendernode

For a logged in user, a path like /dev/dri/renderD128 will have default ownership root:video, which won't work for the qemu:qemu user, so we need to chown it. Thankfully with the namespace work we don't need to worry about this shutting out other legitimate users

https://bugzilla.redhat.com/show_bug.cgi?id=1460804

Signed-off-by: Cole Robinson
---
Sidenote: Not sure about security_selinux changes... Fedora selinux policy doesn't require relabeling /dev/dri/* nowadays so it isn't required to get qemu to startup, and in fact will probably cause issues for qemu:///session and non-namespace qemu:///system

 src/security/security_dac.c | 61 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)

-- 
2.13.3

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index ca7a6af6d..4c86e5fe8 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1371,6 +1371,57 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr, static int +virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainGraphicsDefPtr gfx) + +{ + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityLabelDefPtr seclabel; + uid_t user; + gid_t group; + + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); + if (seclabel && !seclabel->relabel) + return 0; + + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0) + return -1; + + if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE && + gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES && + gfx->data.spice.rendernode) { + if (virSecurityDACSetOwnership(priv, NULL, + gfx->data.spice.rendernode, + user, group) < 0) + return -1; + } + + return 0; +} + + +static int +virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def ATTRIBUTE_UNUSED, + virDomainGraphicsDefPtr gfx) + +{ + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + + if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE && + gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES && + gfx->data.spice.rendernode) { + if (virSecurityDACRestoreFileLabel(priv, + gfx->data.spice.rendernode) < 0) + return -1; + } + + return 0; +} + + +static int virSecurityDACSetInputLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainInputDefPtr input) @@ -1481,6 +1532,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, rc = -1; } + for (i = 0; i < def->ngraphics; i++) { + if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0) + return -1; + } + for (i = 0; i < def->ninputs; i++) { if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0) rc = -1; 
@@ -1601,6 +1657,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, return -1; } + for (i = 0; i < def->ngraphics; i++) { + if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0) + return -1; + } + for (i = 0; i < def->ninputs; i++) { if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0) return -1;
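Review bot: in the first hunk, virSecurityDACRestoreGraphicsLabel does not mirror the `if (seclabel && !seclabel->relabel) return 0;` check that virSecurityDACSetGraphicsLabel performs, so a domain whose seclabel has relabel disabled, and whose rendernode was therefore never chowned at start, will still have the ownership of that device "restored" at shutdown; add the same seclabel lookup and early return on the restore side. Two smaller points on the same hunk: both new functions carry a stray empty `+` line between the closing `)` of the parameter list and the opening `{`, which the neighbouring functions in this file do not, and the commit message's argument that namespaces keep the chown from shutting out other users covers the set path only: in the non-namespace qemu:///system case the sidenote mentions, restoring a /dev/dri/renderD128 that a second running domain is also using takes it away from that domain, which is worth stating in the commit message.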
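Review bot: in the virSecurityDACRestoreAllLabel hunk the new graphics loop does `return -1` on failure, while the surrounding loops in that function (the block ending in `rc = -1; }` just above and the inputs loop just below) record `rc = -1` and carry on so that the remaining labels are still restored; use `rc = -1;` here as well, otherwise a single failed restore on the rendernode leaves every label handled later in that function untouched.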