libvirt/17f6a257-security-dac-sev.patch

commit 17f6a257f1ea484489277f4da38be914b246a30b
Author: Erik Skultety <eskultet@redhat.com>
Date:   Thu Jan 31 15:16:50 2019 +0100

    security: dac: Relabel /dev/sev in the namespace
    
    The default permissions (0600 root:root) are of no use to the qemu
    process so we need to change the owner to qemu iff running with
    namespaces.
    
    Signed-off-by: Erik Skultety <eskultet@redhat.com>
    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Index: libvirt-5.0.0/src/security/security_dac.c
===================================================================
--- libvirt-5.0.0.orig/src/security/security_dac.c
+++ libvirt-5.0.0/src/security/security_dac.c
@@ -48,6 +48,7 @@
 VIR_LOG_INIT("security.security_dac");
 
 #define SECURITY_DAC_NAME "dac"
+#define DEV_SEV "/dev/sev"
 
 typedef struct _virSecurityDACData virSecurityDACData;
 typedef virSecurityDACData *virSecurityDACDataPtr;
@@ -1690,6 +1691,16 @@ virSecurityDACRestoreMemoryLabel(virSecu
 
 
 static int
+virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                              virDomainDefPtr def ATTRIBUTE_UNUSED)
+{
+    /* we only label /dev/sev when running with namespaces, so we don't need to
+     * restore anything */
+    return 0;
+}
+
+
+static int
 virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
                               virDomainDefPtr def,
                               bool migrated,
@@ -1759,6 +1770,11 @@ virSecurityDACRestoreAllLabel(virSecurit
             rc = -1;
     }
 
+    if (def->sev) {
+        if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
+            rc = -1;
+    }
+
     if (def->os.loader && def->os.loader->nvram &&
         virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
         rc = -1;
@@ -1833,6 +1849,36 @@ virSecurityDACSetMemoryLabel(virSecurity
 
 
 static int
+virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
+                          virDomainDefPtr def)
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityLabelDefPtr seclabel;
+    uid_t user;
+    gid_t group;
+
+    /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly
+     * increase the chance of a DOS attack on SEV
+     */
+    if (!priv->mountNamespace)
+        return 0;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+    if (seclabel && !seclabel->relabel)
+        return 0;
+
+    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+        return -1;
+
+    if (virSecurityDACSetOwnership(mgr, NULL, DEV_SEV,
+                                   user, group, false) < 0)
+        return -1;
+
+    return 0;
+}
+
+
+static int
 virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
                           virDomainDefPtr def,
                           const char *stdin_path ATTRIBUTE_UNUSED,
@@ -1902,6 +1948,11 @@ virSecurityDACSetAllLabel(virSecurityMan
             return -1;
     }
 
+    if (def->sev) {
+        if (virSecurityDACSetSEVLabel(mgr, def) < 0)
+            return -1;
+    }
+
     if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
         return -1;
Accepting request 672885 from home:jfehlig:branches:Virtualization - qemu: fix issues related to restricted permissions on /dev/sev b6440119-qemu-conf-sev.patch, a404ac34-qemu-cgroup-sev.patch, 6fd4c8f8-qemu-domain-sev.patch, 17f6a257-security-dac-sev.patch, a2d3dea9-qemu-caps-dac-override-sev.patch bsc#1124842 OBS-URL: https://build.opensuse.org/request/show/672885 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=728 2019-02-08 22:26:33 +00:00			`commit 17f6a257f1ea484489277f4da38be914b246a30b`
			`Author: Erik Skultety <eskultet@redhat.com>`
			`Date: Thu Jan 31 15:16:50 2019 +0100`

			`security: dac: Relabel /dev/sev in the namespace`

			`The default permissions (0600 root:root) are of no use to the qemu`
			`process so we need to change the owner to qemu iff running with`
			`namespaces.`

			`Signed-off-by: Erik Skultety <eskultet@redhat.com>`
			`Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>`

			`Index: libvirt-5.0.0/src/security/security_dac.c`
			`===================================================================`
			`--- libvirt-5.0.0.orig/src/security/security_dac.c`
			`+++ libvirt-5.0.0/src/security/security_dac.c`
			`@@ -48,6 +48,7 @@`
			`VIR_LOG_INIT("security.security_dac");`

			`#define SECURITY_DAC_NAME "dac"`
			`+#define DEV_SEV "/dev/sev"`

			`typedef struct _virSecurityDACData virSecurityDACData;`
			`typedef virSecurityDACData *virSecurityDACDataPtr;`
			`@@ -1690,6 +1691,16 @@ virSecurityDACRestoreMemoryLabel(virSecu`


			`static int`
			`+virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,`
			`+ virDomainDefPtr def ATTRIBUTE_UNUSED)`
			`+{`
			`+ /* we only label /dev/sev when running with namespaces, so we don't need to`
			`+ * restore anything */`
			`+ return 0;`
			`+}`
			`+`
			`+`
			`+static int`
			`virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,`
			`virDomainDefPtr def,`
			`bool migrated,`
			`@@ -1759,6 +1770,11 @@ virSecurityDACRestoreAllLabel(virSecurit`
			`rc = -1;`
			`}`

			`+ if (def->sev) {`
			`+ if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)`
			`+ rc = -1;`
			`+ }`
			`+`
			`if (def->os.loader && def->os.loader->nvram &&`
			`virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)`
			`rc = -1;`
			`@@ -1833,6 +1849,36 @@ virSecurityDACSetMemoryLabel(virSecurity`


			`static int`
			`+virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,`
			`+ virDomainDefPtr def)`
			`+{`
			`+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);`
			`+ virSecurityLabelDefPtr seclabel;`
			`+ uid_t user;`
			`+ gid_t group;`
			`+`
			`+ /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly`
			`+ * increase the chance of a DOS attack on SEV`
			`+ */`
			`+ if (!priv->mountNamespace)`
			`+ return 0;`
			`+`
			`+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);`
			`+ if (seclabel && !seclabel->relabel)`
			`+ return 0;`
			`+`
			`+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)`
			`+ return -1;`
			`+`
			`+ if (virSecurityDACSetOwnership(mgr, NULL, DEV_SEV,`
			`+ user, group, false) < 0)`
			`+ return -1;`
			`+`
			`+ return 0;`
			`+}`
			`+`
			`+`
			`+static int`
			`virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,`
			`virDomainDefPtr def,`
			`const char *stdin_path ATTRIBUTE_UNUSED,`
			`@@ -1902,6 +1948,11 @@ virSecurityDACSetAllLabel(virSecurityMan`
			`return -1;`
			`}`

			`+ if (def->sev) {`
			`+ if (virSecurityDACSetSEVLabel(mgr, def) < 0)`
			`+ return -1;`
			`+ }`
			`+`
			`if (virSecurityDACGetImageIds(secdef, priv, &user, &group))`
			`return -1;`