shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-12-26 03:21:44 +03:00
Code Releases Activity

security: Don't remember labels for TPM

Browse Source 
https://bugzilla.redhat.com/show_bug.cgi?id=1755803

The /dev/tpmN file can be opened only once, as implemented in
drivers/char/tpm/tpm-dev.c:tpm_open() from the kernel's tree. Any
other attempt to open the file fails. And since we're opening the
file ourselves and passing the FD to qemu we will not succeed
opening the file again when locking it for seclabel remembering.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Cole Robinson <crobinso@redhat.com>
This commit is contained in:
Michal Privoznik 2019-10-01 10:32:26 +02:00
parent 2b44cf8c32
commit 4e95cdcbb3
2 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/security/security_dac.c
View File

@ -1653,14 +1653,14 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr,
switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
ret = virSecurityDACSetChardevLabel(mgr, def,
&tpm->data.passthrough.source,
false);
ret = virSecurityDACSetChardevLabelHelper(mgr, def,
&tpm->data.passthrough.source,
false, false);
break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
ret = virSecurityDACSetChardevLabel(mgr, def,
&tpm->data.emulator.source,
false);
ret = virSecurityDACSetChardevLabelHelper(mgr, def,
&tpm->data.emulator.source,
false, false);
break;
case VIR_DOMAIN_TPM_TYPE_LAST:
break;
@ -1679,9 +1679,9 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
ret = virSecurityDACRestoreChardevLabel(mgr, def,
&tpm->data.passthrough.source,
false);
ret = virSecurityDACRestoreChardevLabelHelper(mgr, def,
&tpm->data.passthrough.source,
false, false);
break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
/* swtpm will have removed the Unix socket upon termination */

10
src/security/security_selinux.c
View File

@ -1682,14 +1682,14 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
tpmdev = tpm->data.passthrough.source.data.file.path;
rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, true);
rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, false);
if (rc < 0)
return -1;
if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
rc = virSecuritySELinuxSetFilecon(mgr,
cancel_path,
seclabel->imagelabel, true);
seclabel->imagelabel, false);
VIR_FREE(cancel_path);
if (rc < 0) {
virSecuritySELinuxRestoreTPMFileLabelInt(mgr, def, tpm);
@ -1701,7 +1701,7 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
break;
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
tpmdev = tpm->data.emulator.source.data.nix.path;
rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, true);
rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel, false);
if (rc < 0)
return -1;
break;
@ -1730,10 +1730,10 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManagerPtr mgr,
switch (tpm->type) {
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
tpmdev = tpm->data.passthrough.source.data.file.path;
rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, true);
rc = virSecuritySELinuxRestoreFileLabel(mgr, tpmdev, false);
if ((cancel_path = virTPMCreateCancelPath(tpmdev)) != NULL) {
if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, true) < 0)
if (virSecuritySELinuxRestoreFileLabel(mgr, cancel_path, false) < 0)
rc = -1;
VIR_FREE(cancel_path);
}