libvirt/17f6a257-security-dac-sev.patch
James Fehlig 3558b40b5b Accepting request 672885 from home:jfehlig:branches:Virtualization
- qemu: fix issues related to restricted permissions on /dev/sev
  b6440119-qemu-conf-sev.patch, a404ac34-qemu-cgroup-sev.patch,
  6fd4c8f8-qemu-domain-sev.patch, 17f6a257-security-dac-sev.patch,
  a2d3dea9-qemu-caps-dac-override-sev.patch
  bsc#1124842

OBS-URL: https://build.opensuse.org/request/show/672885
OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=728
2019-02-08 22:26:33 +00:00


commit 17f6a257f1ea484489277f4da38be914b246a30b
Author: Erik Skultety <eskultet@redhat.com>
Date: Thu Jan 31 15:16:50 2019 +0100
security: dac: Relabel /dev/sev in the namespace
The default permissions (0600 root:root) are of no use to the qemu
process so we need to change the owner to qemu iff running with
namespaces.
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Index: libvirt-5.0.0/src/security/security_dac.c
===================================================================
--- libvirt-5.0.0.orig/src/security/security_dac.c
+++ libvirt-5.0.0/src/security/security_dac.c
@@ -48,6 +48,7 @@
VIR_LOG_INIT("security.security_dac");
#define SECURITY_DAC_NAME "dac"
+#define DEV_SEV "/dev/sev"
typedef struct _virSecurityDACData virSecurityDACData;
typedef virSecurityDACData *virSecurityDACDataPtr;
@@ -1690,6 +1691,16 @@ virSecurityDACRestoreMemoryLabel(virSecu
static int
+virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED)
+{
+ /* we only label /dev/sev when running with namespaces, so we don't need to
+ * restore anything */
+ return 0;
+}
+
+
+static int
virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
bool migrated,
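Review bot: The comment in virSecurityDACRestoreSEVLabel says nothing needs restoring but not why, and the reason lives in another function: it holds only as long as virSecurityDACSetSEVLabel returns early when `priv->mountNamespace` is false. If that guard is ever relaxed, the host's /dev/sev would stay owned by the qemu user after the guest shuts down, and this stub would give no hint. I would name the dependency in the comment, for example `/* virSecurityDACSetSEVLabel only chowns /dev/sev inside the domain's mount namespace, so the host node is never changed and there is nothing to restore; revisit this if that guard changes */`. The trailing context is the start of virSecurityDACRestoreAllLabel, whose body continues outside this hunk.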
@@ -1759,6 +1770,11 @@ virSecurityDACRestoreAllLabel(virSecurit
rc = -1;
}
+ if (def->sev) {
+ if (virSecurityDACRestoreSEVLabel(mgr, def) < 0)
+ rc = -1;
+ }
+
if (def->os.loader && def->os.loader->nvram &&
virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0)
rc = -1;
@@ -1833,6 +1849,36 @@ virSecurityDACSetMemoryLabel(virSecurity
static int
+virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def)
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ uid_t user;
+ gid_t group;
+
+ /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly
+ * increase the chance of a DOS attack on SEV
+ */
+ if (!priv->mountNamespace)
+ return 0;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+ if (seclabel && !seclabel->relabel)
+ return 0;
+
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+ return -1;
+
+ if (virSecurityDACSetOwnership(mgr, NULL, DEV_SEV,
+ user, group, false) < 0)
+ return -1;
+
+ return 0;
+}
+
+
+static int
virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
virDomainDefPtr def,
const char *stdin_path ATTRIBUTE_UNUSED,
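Review bot: The guard in virSecurityDACSetSEVLabel tests only `priv->mountNamespace`, while the DoS argument in its comment depends on the chown of `DEV_SEV` landing on the domain's private /dev node rather than the host's. Nothing visible in this hunk enforces that, so it presumably relies on the caller running the labelling inside the namespace; that assumption should be written down. I would extend the comment with something like `/* the chown must only ever hit the per-domain copy of /dev/sev; the host node keeps 0600 root:root and is never restored by this driver */`. Both early `return 0` paths (namespaces disabled, or `seclabel->relabel` false) also leave the device at its default owner silently, so a `VIR_DEBUG` stating which condition skipped the relabel would make a later QEMU failure to open /dev/sev easier to diagnose. The trailing context is the start of virSecurityDACSetAllLabel, which continues outside this hunk.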
@@ -1902,6 +1948,11 @@ virSecurityDACSetAllLabel(virSecurityMan
return -1;
}
+ if (def->sev) {
+ if (virSecurityDACSetSEVLabel(mgr, def) < 0)
+ return -1;
+ }
+
if (virSecurityDACGetImageIds(secdef, priv, &user, &group))
return -1;