9c6c51
From d81bacdc16215d7cf0d175187f1d342e1081cf33 Mon Sep 17 00:00:00 2001
9c6c51
Message-Id: <d81bacdc16215d7cf0d175187f1d342e1081cf33@dist-git>
9c6c51
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
9c6c51
Date: Tue, 2 Oct 2018 14:00:41 +0200
9c6c51
Subject: [PATCH] security: dac: also label listen UNIX sockets
9c6c51
MIME-Version: 1.0
9c6c51
Content-Type: text/plain; charset=UTF-8
9c6c51
Content-Transfer-Encoding: 8bit
9c6c51
9c6c51
We switched to opening mode='bind' sockets ourselves:
9c6c51
commit 30fb2276d88b275dc2aad6ddd28c100d944b59a5
9c6c51
    qemu: support passing pre-opened UNIX socket listen FD
9c6c51
in v4.5.0-rc1~251
9c6c51
9c6c51
Then fixed qemuBuildChrChardevStr to change libvirtd's label
9c6c51
while creating the socket:
9c6c51
commit b0c6300fc42bbc3e5eb0b236392f7344581c5810
9c6c51
    qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
9c6c51
v4.5.0-rc1~52
9c6c51
9c6c51
Also add labeling of these sockets to the DAC driver.
9c6c51
Instead of duplicating the logic which decides whether libvirt should
9c6c51
pre-create the socket, assume an existing path meaning that it was created
9c6c51
by libvirt.
9c6c51
9c6c51
https://bugzilla.redhat.com/show_bug.cgi?id=1633389
9c6c51
9c6c51
Signed-off-by: Ján Tomko <jtomko@redhat.com>
9c6c51
Reviewed-by: Erik Skultety <eskultet@redhat.com>
9c6c51
(cherry picked from commit d6b8838dd83697f721fe0706068df765148154de)
9c6c51
Signed-off-by: Ján Tomko <jtomko@redhat.com>
9c6c51
9c6c51
RHEL 8.0: https://bugzilla.redhat.com/show_bug.cgi?id=1634775
9c6c51
9c6c51
Conflicts: src/security/security_dac.c
9c6c51
    commit 3ac7793ad1ae0f4dc7b7ddbcfd182d5ff0b45538
9c6c51
      security_dac: Pass virSecurityManagerPtr to virSecurityDACSetOwnership
9c6c51
    is not backported
9c6c51
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
9c6c51
---
9c6c51
 src/security/security_dac.c | 7 ++++++-
9c6c51
 1 file changed, 6 insertions(+), 1 deletion(-)
9c6c51
9c6c51
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
9c6c51
index 4b623dcf39..74c70dd092 100644
9c6c51
--- a/src/security/security_dac.c
9c6c51
+++ b/src/security/security_dac.c
9c6c51
@@ -1248,7 +1248,12 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
9c6c51
         break;
9c6c51
 
9c6c51
     case VIR_DOMAIN_CHR_TYPE_UNIX:
9c6c51
-        if (!dev_source->data.nix.listen) {
9c6c51
+        if (!dev_source->data.nix.listen ||
9c6c51
+            (dev_source->data.nix.path &&
9c6c51
+             virFileExists(dev_source->data.nix.path))) {
9c6c51
+            /* Also label mode='bind' sockets if they exist,
9c6c51
+             * e.g. because they were created by libvirt
9c6c51
+             * and passed via FD */
9c6c51
             if (virSecurityDACSetOwnership(priv, NULL,
9c6c51
                                            dev_source->data.nix.path,
9c6c51
                                            user, group) < 0)
9c6c51
-- 
9c6c51
2.19.1
9c6c51