diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c index 446df3e1d8..c7f9932307 100644 --- a/src/qemu/qemu_command.c +++ b/src/qemu/qemu_command.c @@ -4931,6 +4931,7 @@ qemuOpenChrChardevUNIXSocket(const virDomainChrSourceDef *dev) * host side of the character device */ static char * qemuBuildChrChardevStr(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -5065,7 +5066,13 @@ qemuBuildChrChardevStr(virLogManagerPtr logManager, case VIR_DOMAIN_CHR_TYPE_UNIX: if (virQEMUCapsGet(qemuCaps, QEMU_CAPS_CHARDEV_FD_PASS)) { + if (qemuSecuritySetSocketLabel(secManager, (virDomainDefPtr)def) < 0) + goto cleanup; int fd = qemuOpenChrChardevUNIXSocket(dev); + if (qemuSecurityClearSocketLabel(secManager, (virDomainDefPtr)def) < 0) { + VIR_FORCE_CLOSE(fd); + goto cleanup; + } if (fd < 0) goto cleanup; @@ -5404,6 +5411,7 @@ qemuBuildHostdevCommandLine(virCommandPtr cmd, static int qemuBuildMonitorCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, virDomainDefPtr def, @@ -5414,7 +5422,8 @@ qemuBuildMonitorCommandLine(virLogManagerPtr logManager, if (!priv->monConfig) return 0; - if (!(chrdev = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(chrdev = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, priv->monConfig, "monitor", priv->qemuCaps, true, priv->chardevStdioLogd))) @@ -5533,6 +5542,7 @@ qemuBuildSclpDevStr(virDomainChrDefPtr dev) static int qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -5550,7 +5560,8 @@ qemuBuildRNGBackendChrdevStr(virLogManagerPtr logManager, return 0; case VIR_DOMAIN_RNG_BACKEND_EGD: - if (!(*chr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(*chr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, rng->source.chardev, rng->info.alias, qemuCaps, true, chardevStdioLogd))) @@ -5680,6 +5691,7 @@ qemuBuildRNGDevStr(const virDomainDef *def, static int qemuBuildRNGCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -5702,7 +5714,7 @@ qemuBuildRNGCommandLine(virLogManagerPtr logManager, } /* possibly add character device for backend */ - if (qemuBuildRNGBackendChrdevStr(logManager, cmd, cfg, def, + if (qemuBuildRNGBackendChrdevStr(logManager, secManager, cmd, cfg, def, rng, qemuCaps, &tmp, chardevStdioLogd) < 0) return -1; @@ -8135,6 +8147,7 @@ qemuBuildGraphicsCommandLine(virQEMUDriverConfigPtr cfg, static int qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver, virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virDomainDefPtr def, virDomainNetDefPtr net, @@ -8157,7 +8170,8 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver, switch ((virDomainChrType)net->data.vhostuser->type) { case VIR_DOMAIN_CHR_TYPE_UNIX: - if (!(chardev = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(chardev = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, net->data.vhostuser, net->info.alias, qemuCaps, false, chardevStdioLogd))) @@ -8225,6 +8239,7 @@ qemuBuildVhostuserCommandLine(virQEMUDriverPtr driver, static int qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virDomainDefPtr def, virDomainNetDefPtr net, @@ -8356,7 +8371,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, break; case VIR_DOMAIN_NET_TYPE_VHOSTUSER: - ret = qemuBuildVhostuserCommandLine(driver, logManager, cmd, def, + ret = qemuBuildVhostuserCommandLine(driver, logManager, secManager, cmd, def, net, qemuCaps, bootindex, chardevStdioLogd); goto cleanup; @@ -8534,6 +8549,7 @@ qemuBuildInterfaceCommandLine(virQEMUDriverPtr driver, static int qemuBuildNetCommandLine(virQEMUDriverPtr driver, virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virDomainDefPtr def, virQEMUCapsPtr qemuCaps, @@ -8566,7 +8582,7 @@ qemuBuildNetCommandLine(virQEMUDriverPtr driver, for (i = 0; i < def->nnets; i++) { virDomainNetDefPtr net = def->nets[i]; - if (qemuBuildInterfaceCommandLine(driver, logManager, cmd, def, net, + if (qemuBuildInterfaceCommandLine(driver, logManager, secManager, cmd, def, net, qemuCaps, bootNet, vmop, standalone, nnicindexes, nicindexes, @@ -8629,6 +8645,7 @@ qemuBuildSmartcardFindCCIDController(const virDomainDef *def, static int qemuBuildSmartcardCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -8702,7 +8719,8 @@ qemuBuildSmartcardCommandLine(virLogManagerPtr logManager, return -1; } - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, smartcard->data.passthru, smartcard->info.alias, qemuCaps, true, @@ -8862,6 +8880,7 @@ qemuBuildShmemBackendMemProps(virDomainShmemDefPtr shmem) static int qemuBuildShmemCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, virDomainDefPtr def, @@ -8933,7 +8952,8 @@ qemuBuildShmemCommandLine(virLogManagerPtr logManager, VIR_FREE(devstr); if (shmem->server.enabled) { - devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, &shmem->server.chr, shmem->info.alias, qemuCaps, true, chardevStdioLogd); @@ -9020,6 +9040,7 @@ qemuChrIsPlatformDevice(const virDomainDef *def, static int qemuBuildSerialCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -9043,7 +9064,8 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager, if (serial->source->type == VIR_DOMAIN_CHR_TYPE_SPICEPORT && !havespice) continue; - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, serial->source, serial->info.alias, qemuCaps, true, @@ -9080,6 +9102,7 @@ qemuBuildSerialCommandLine(virLogManagerPtr logManager, static int qemuBuildParallelsCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -9092,7 +9115,8 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager, virDomainChrDefPtr parallel = def->parallels[i]; char *devstr; - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, parallel->source, parallel->info.alias, qemuCaps, true, @@ -9113,6 +9137,7 @@ qemuBuildParallelsCommandLine(virLogManagerPtr logManager, static int qemuBuildChannelsCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -9127,7 +9152,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager, switch (channel->targetType) { case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_GUESTFWD: - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, channel->source, channel->info.alias, qemuCaps, true, @@ -9144,7 +9170,8 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager, break; case VIR_DOMAIN_CHR_CHANNEL_TARGET_TYPE_VIRTIO: - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, channel->source, channel->info.alias, qemuCaps, true, @@ -9166,6 +9193,7 @@ qemuBuildChannelsCommandLine(virLogManagerPtr logManager, static int qemuBuildConsoleCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -9187,7 +9215,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager, return -1; } - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, console->source, console->info.alias, qemuCaps, true, @@ -9208,7 +9237,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager, return -1; } - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, console->source, console->info.alias, qemuCaps, true, @@ -9223,7 +9253,8 @@ qemuBuildConsoleCommandLine(virLogManagerPtr logManager, break; case VIR_DOMAIN_CHR_CONSOLE_TARGET_TYPE_VIRTIO: - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, console->source, console->info.alias, qemuCaps, true, @@ -9342,6 +9373,7 @@ qemuBuildRedirdevDevStr(const virDomainDef *def, static int qemuBuildRedirdevCommandLine(virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virCommandPtr cmd, virQEMUDriverConfigPtr cfg, const virDomainDef *def, @@ -9354,7 +9386,8 @@ qemuBuildRedirdevCommandLine(virLogManagerPtr logManager, virDomainRedirdevDefPtr redirdev = def->redirdevs[i]; char *devstr; - if (!(devstr = qemuBuildChrChardevStr(logManager, cmd, cfg, def, + if (!(devstr = qemuBuildChrChardevStr(logManager, secManager, + cmd, cfg, def, redirdev->source, redirdev->info.alias, qemuCaps, true, @@ -10065,6 +10098,7 @@ qemuBuildVsockCommandLine(virCommandPtr cmd, virCommandPtr qemuBuildCommandLine(virQEMUDriverPtr driver, virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virDomainObjPtr vm, const char *migrateURI, virDomainSnapshotObjPtr snapshot, @@ -10181,7 +10215,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver, if (qemuBuildSgaCommandLine(cmd, def, qemuCaps) < 0) goto error; - if (qemuBuildMonitorCommandLine(logManager, cmd, cfg, def, priv) < 0) + if (qemuBuildMonitorCommandLine(logManager, secManager, cmd, cfg, def, priv) < 0) goto error; if (qemuBuildClockCommandLine(cmd, def, qemuCaps) < 0) @@ -10211,29 +10245,29 @@ qemuBuildCommandLine(virQEMUDriverPtr driver, if (qemuBuildFSDevCommandLine(cmd, def, qemuCaps) < 0) goto error; - if (qemuBuildNetCommandLine(driver, logManager, cmd, def, + if (qemuBuildNetCommandLine(driver, logManager, secManager, cmd, def, qemuCaps, vmop, standalone, nnicindexes, nicindexes, &bootHostdevNet, chardevStdioLogd) < 0) goto error; - if (qemuBuildSmartcardCommandLine(logManager, cmd, cfg, def, qemuCaps, + if (qemuBuildSmartcardCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps, chardevStdioLogd) < 0) goto error; - if (qemuBuildSerialCommandLine(logManager, cmd, cfg, def, qemuCaps, + if (qemuBuildSerialCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps, chardevStdioLogd) < 0) goto error; - if (qemuBuildParallelsCommandLine(logManager, cmd, cfg, def, qemuCaps, + if (qemuBuildParallelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps, chardevStdioLogd) < 0) goto error; - if (qemuBuildChannelsCommandLine(logManager, cmd, cfg, def, qemuCaps, + if (qemuBuildChannelsCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps, chardevStdioLogd) < 0) goto error; - if (qemuBuildConsoleCommandLine(logManager, cmd, cfg, def, qemuCaps, + if (qemuBuildConsoleCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps, chardevStdioLogd) < 0) goto error; @@ -10258,7 +10292,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver, if (qemuBuildWatchdogCommandLine(cmd, def, qemuCaps) < 0) goto error; - if (qemuBuildRedirdevCommandLine(logManager, cmd, cfg, def, qemuCaps, + if (qemuBuildRedirdevCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps, chardevStdioLogd) < 0) goto error; @@ -10271,7 +10305,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver, if (qemuBuildMemballoonCommandLine(cmd, def, qemuCaps) < 0) goto error; - if (qemuBuildRNGCommandLine(logManager, cmd, cfg, def, qemuCaps, + if (qemuBuildRNGCommandLine(logManager, secManager, cmd, cfg, def, qemuCaps, chardevStdioLogd) < 0) goto error; @@ -10306,7 +10340,7 @@ qemuBuildCommandLine(virQEMUDriverPtr driver, goto error; for (i = 0; i < def->nshmems; i++) { - if (qemuBuildShmemCommandLine(logManager, cmd, cfg, + if (qemuBuildShmemCommandLine(logManager, secManager, cmd, cfg, def, def->shmems[i], qemuCaps, chardevStdioLogd)) goto error; diff --git a/src/qemu/qemu_command.h b/src/qemu/qemu_command.h index c78282eb09..4f1b360130 100644 --- a/src/qemu/qemu_command.h +++ b/src/qemu/qemu_command.h @@ -46,6 +46,7 @@ VIR_ENUM_DECL(qemuVideo) virCommandPtr qemuBuildCommandLine(virQEMUDriverPtr driver, virLogManagerPtr logManager, + virSecurityManagerPtr secManager, virDomainObjPtr vm, const char *migrateURI, virDomainSnapshotObjPtr snapshot, diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 2967568f62..7e9ad01e61 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -6174,6 +6174,7 @@ qemuProcessLaunch(virConnectPtr conn, VIR_DEBUG("Building emulator command line"); if (!(cmd = qemuBuildCommandLine(driver, qemuDomainLogContextGetManager(logCtxt), + driver->securityManager, vm, incoming ? incoming->launchURI : NULL, snapshot, vmop, @@ -6642,6 +6643,7 @@ qemuProcessCreatePretendCmd(virQEMUDriverPtr driver, VIR_DEBUG("Building emulator command line"); cmd = qemuBuildCommandLine(driver, NULL, + driver->securityManager, vm, migrateURI, NULL,