Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
libvirt.11701
17f6a257-security-dac-sev.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 17f6a257-security-dac-sev.patch of Package libvirt.11701
commit 17f6a257f1ea484489277f4da38be914b246a30b Author: Erik Skultety <eskultet@redhat.com> Date: Thu Jan 31 15:16:50 2019 +0100 security: dac: Relabel /dev/sev in the namespace The default permissions (0600 root:root) are of no use to the qemu process so we need to change the owner to qemu iff running with namespaces. Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Index: libvirt-4.0.0/src/security/security_dac.c =================================================================== --- libvirt-4.0.0.orig/src/security/security_dac.c +++ libvirt-4.0.0/src/security/security_dac.c @@ -47,6 +47,7 @@ VIR_LOG_INIT("security.security_dac"); #define SECURITY_DAC_NAME "dac" +#define DEV_SEV "/dev/sev" typedef struct _virSecurityDACData virSecurityDACData; typedef virSecurityDACData *virSecurityDACDataPtr; @@ -1533,6 +1534,16 @@ virSecurityDACRestoreMemoryLabel(virSecu static int +virSecurityDACRestoreSEVLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED, + virDomainDefPtr def ATTRIBUTE_UNUSED) +{ + /* we only label /dev/sev when running with namespaces, so we don't need to + * restore anything */ + return 0; +} + + +static int virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, bool migrated, @@ -1602,6 +1613,11 @@ virSecurityDACRestoreAllLabel(virSecurit rc = -1; } + if (def->sev) { + if (virSecurityDACRestoreSEVLabel(mgr, def) < 0) + rc = -1; + } + if (def->os.loader && def->os.loader->nvram && virSecurityDACRestoreFileLabel(priv, def->os.loader->nvram) < 0) rc = -1; @@ -1658,6 +1674,35 @@ virSecurityDACSetMemoryLabel(virSecurity static int +virSecurityDACSetSEVLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def) +{ + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr); + virSecurityLabelDefPtr seclabel; + uid_t user; + gid_t group; + + /* Skip chowning /dev/sev if namespaces are disabled as we'd significantly + * increase the chance of a DOS attack on SEV + */ + if (!priv->mountNamespace) + return 0; + + seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); + if (seclabel && !seclabel->relabel) + return 0; + + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0) + return -1; + + if (virSecurityDACSetOwnership(priv, NULL, DEV_SEV, user, group) < 0) + return -1; + + return 0; +} + + +static int virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, const char *stdin_path ATTRIBUTE_UNUSED, @@ -1727,6 +1772,11 @@ virSecurityDACSetAllLabel(virSecurityMan return -1; } + if (def->sev) { + if (virSecurityDACSetSEVLabel(mgr, def) < 0) + return -1; + } + if (virSecurityDACGetImageIds(secdef, priv, &user, &group)) return -1;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor