qemu: fix security labeling for attach/detach of char devices

Commit e93d844b90 was not enough to fix the permission denied issue. We need to apply security labels as well. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1465833 Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2024-12-22 17:34:18 +03:00 · 2017-12-01 13:10:35 +01:00 · 2017-12-01 13:10:35 +01:00 · 1c57eea362
commit 1c57eea362
parent 1b4f66ec80
3 changed files with 78 additions and 0 deletions
--- a/src/qemu/qemu_hotplug.c
+++ b/src/qemu/qemu_hotplug.c
@ -1815,6 +1815,7 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
    bool chardevAttached = false;
    bool teardowncgroup = false;
    bool teardowndevice = false;
+    bool teardownlabel = false;
    char *tlsAlias = NULL;
    char *secAlias = NULL;
    bool need_release = false;
@ -1835,6 +1836,10 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
        goto cleanup;
    teardowndevice = true;

+    if (qemuSecuritySetChardevLabel(driver, vm, chr) < 0)
+        goto cleanup;
+    teardownlabel = true;
+
    if (qemuSetupChardevCgroup(vm, chr) < 0)
        goto cleanup;
    teardowncgroup = true;
@ -1877,6 +1882,8 @@ int qemuDomainAttachChrDevice(virConnectPtr conn,
            qemuDomainReleaseDeviceAddress(vm, &chr->info, NULL);
        if (teardowncgroup && qemuTeardownChardevCgroup(vm, chr) < 0)
            VIR_WARN("Unable to remove chr device cgroup ACL on hotplug fail");
+        if (teardownlabel && qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
+            VIR_WARN("Unable to restore security label on char device");
        if (teardowndevice && qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
            VIR_WARN("Unable to remove chr device from /dev");
    }
@ -4154,6 +4161,9 @@ qemuDomainRemoveChrDevice(virQEMUDriverPtr driver,
    if (qemuTeardownChardevCgroup(vm, chr) < 0)
        VIR_WARN("Failed to remove chr device cgroup ACL");

+    if (qemuSecurityRestoreChardevLabel(driver, vm, chr) < 0)
+        VIR_WARN("Unable to restore security label on char device");
+
    if (qemuDomainNamespaceTeardownChardev(driver, vm, chr) < 0)
        VIR_WARN("Unable to remove chr device from /dev");

--- a/src/qemu/qemu_security.c
+++ b/src/qemu/qemu_security.c
@ -364,3 +364,63 @@ qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
    virSecurityManagerTransactionAbort(driver->securityManager);
    return ret;
 }
+
+
+int
+qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
+                            virDomainObjPtr vm,
+                            virDomainChrDefPtr chr)
+{
+    int ret = -1;
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerSetChardevLabel(driver->securityManager,
+                                          vm->def,
+                                          chr->source,
+                                          priv->chardevStdioLogd) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
+
+
+int
+qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
+                                virDomainObjPtr vm,
+                                virDomainChrDefPtr chr)
+{
+    int ret = -1;
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionStart(driver->securityManager) < 0)
+        goto cleanup;
+
+    if (virSecurityManagerRestoreChardevLabel(driver->securityManager,
+                                              vm->def,
+                                              chr->source,
+                                              priv->chardevStdioLogd) < 0)
+        goto cleanup;
+
+    if (qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT) &&
+        virSecurityManagerTransactionCommit(driver->securityManager,
+                                            vm->pid) < 0)
+        goto cleanup;
+
+    ret = 0;
+ cleanup:
+    virSecurityManagerTransactionAbort(driver->securityManager);
+    return ret;
+}
--- a/src/qemu/qemu_security.h
+++ b/src/qemu/qemu_security.h
@ -76,6 +76,14 @@ int qemuSecuritySetInputLabel(virDomainObjPtr vm,
 int qemuSecurityRestoreInputLabel(virDomainObjPtr vm,
                                  virDomainInputDefPtr input);

+int qemuSecuritySetChardevLabel(virQEMUDriverPtr driver,
+                                virDomainObjPtr vm,
+                                virDomainChrDefPtr chr);
+
+int qemuSecurityRestoreChardevLabel(virQEMUDriverPtr driver,
+                                    virDomainObjPtr vm,
+                                    virDomainChrDefPtr chr);
+
 /* Please note that for these APIs there is no wrapper yet. Do NOT blindly add
 * new APIs here. If an API can touch a /dev file add a proper wrapper instead.
 */