diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 7b95a6f86d..7e65b78fbe 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1916,6 +1916,24 @@ virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr G_GNUC_UNUSED, } +static int +virSecurityDACRestoreSysinfoLabel(virSecurityManagerPtr mgr, + virSysinfoDefPtr def) +{ + size_t i; + + for (i = 0; i < def->nfw_cfgs; i++) { + virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i]; + + if (f->file && + virSecurityDACRestoreFileLabel(mgr, f->file) < 0) + return -1; + } + + return 0; +} + + static int virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -1991,6 +2009,12 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, rc = -1; } + for (i = 0; i < def->nsysinfo; i++) { + if (virSecurityDACRestoreSysinfoLabel(mgr, + def->sysinfo[i]) < 0) + rc = -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACRestoreFileLabel(mgr, def->os.loader->nvram) < 0) rc = -1; @@ -2094,6 +2118,27 @@ virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr, } +static int +virSecurityDACSetSysinfoLabel(virSecurityManagerPtr mgr, + uid_t user, + gid_t group, + virSysinfoDefPtr def) +{ + size_t i; + + for (i = 0; i < def->nfw_cfgs; i++) { + virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i]; + + if (f->file && + virSecurityDACSetOwnership(mgr, NULL, f->file, + user, group, true) < 0) + return -1; + } + + return 0; +} + + static int virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -2173,6 +2218,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, if (virSecurityDACGetImageIds(secdef, priv, &user, &group)) return -1; + for (i = 0; i < def->nsysinfo; i++) { + if (virSecurityDACSetSysinfoLabel(mgr, user, group, def->sysinfo[i]) < 0) + return -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACSetOwnership(mgr, NULL, def->os.loader->nvram, diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index 7bb7c2b7b1..e6819af26c 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2720,6 +2720,24 @@ virSecuritySELinuxGetBaseLabel(virSecurityManagerPtr mgr, int virtType) } +static int +virSecuritySELinuxRestoreSysinfoLabel(virSecurityManagerPtr mgr, + virSysinfoDefPtr def) +{ + size_t i; + + for (i = 0; i < def->nfw_cfgs; i++) { + virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i]; + + if (f->file && + virSecuritySELinuxRestoreFileLabel(mgr, f->file, true) < 0) + return -1; + } + + return 0; +} + + static int virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -2786,6 +2804,11 @@ virSecuritySELinuxRestoreAllLabel(virSecurityManagerPtr mgr, mgr) < 0) rc = -1; + for (i = 0; i < def->nsysinfo; i++) { + if (virSecuritySELinuxRestoreSysinfoLabel(mgr, def->sysinfo[i]) < 0) + rc = -1; + } + if (def->os.loader && def->os.loader->nvram && virSecuritySELinuxRestoreFileLabel(mgr, def->os.loader->nvram, true) < 0) rc = -1; @@ -3123,6 +3146,26 @@ virSecuritySELinuxSetSecuritySmartcardCallback(virDomainDefPtr def, } +static int +virSecuritySELinuxSetSysinfoLabel(virSecurityManagerPtr mgr, + virSysinfoDefPtr def, + virSecuritySELinuxDataPtr data) +{ + size_t i; + + for (i = 0; i < def->nfw_cfgs; i++) { + virSysinfoFWCfgDefPtr f = &def->fw_cfgs[i]; + + if (f->file && + virSecuritySELinuxSetFilecon(mgr, f->file, + data->content_context, true) < 0) + return -1; + } + + return 0; +} + + static int virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, @@ -3194,6 +3237,13 @@ virSecuritySELinuxSetAllLabel(virSecurityManagerPtr mgr, mgr) < 0) return -1; + for (i = 0; i < def->nsysinfo; i++) { + if (virSecuritySELinuxSetSysinfoLabel(mgr, + def->sysinfo[i], + data) < 0) + return -1; + } + /* This is different than kernel or initrd. The nvram store * is really a disk, qemu can read and write to it. */ if (def->os.loader && def->os.loader->nvram && diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 6e6dd1b1db..34c281100e 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1175,6 +1175,18 @@ get_files(vahControl * ctl) } } + for (i = 0; i < ctl->def->nsysinfo; i++) { + size_t j; + + for (j = 0; j < ctl->def->sysinfo[i]->nfw_cfgs; j++) { + virSysinfoFWCfgDefPtr f = &ctl->def->sysinfo[i]->fw_cfgs[j]; + + if (f->file && + vah_add_file(&buf, f->file, "r") != 0) + goto cleanup; + } + } + for (i = 0; i < ctl->def->nshmems; i++) { virDomainShmemDef *shmem = ctl->def->shmems[i]; /* explicit server paths can be on any model to overwrites defaults.