From a21c45c41d336fb1b292ab945e1e5379876f6f1d Mon Sep 17 00:00:00 2001
From: Stefan Berger
Date: Tue, 4 Apr 2017 12:22:31 -0400
Subject: [PATCH] security: Add DAC and SELinux security for tpm-emulator
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Extend the DAC and SELinux modules with support for the tpm-emulator. We label the Unix socket that QEMU connects to after starting swtmp with DAC and SELinux labels. We do not have to restore the labels in this case since the tpm-emulator will remove the Unix socket when it terminates.

Signed-off-by: Stefan Berger
Reviewed-by: John Ferlan
Reviewed-by: Ján Tomko
---
 src/security/security_dac.c | 5 +++++
 src/security/security_selinux.c | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 3ab229992a..4b623dcf39 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1373,6 +1373,10 @@ virSecurityDACSetTPMFileLabel(virSecurityManagerPtr mgr,
 false);
 break;
 case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ ret = virSecurityDACSetChardevLabel(mgr, def,
+ &tpm->data.emulator.source,
+ false);
+ break;
 case VIR_DOMAIN_TPM_TYPE_LAST:
 break;
 }
@@ -1395,6 +1399,7 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
 false);
 break;
 case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ /* swtpm will have removed the Unix socket upon termination */
 case VIR_DOMAIN_TPM_TYPE_LAST:
 break;
 }
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 5d20fdae70..92e84155d1 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1473,6 +1473,11 @@ virSecuritySELinuxSetTPMFileLabel(virSecurityManagerPtr mgr,
 }
 break;
 case VIR_DOMAIN_TPM_TYPE_EMULATOR:
+ tpmdev = tpm->data.emulator.source.data.nix.path;
+ rc = virSecuritySELinuxSetFilecon(mgr, tpmdev, seclabel->imagelabel);
+ if (rc < 0)
+ return -1;
+ break;
 case VIR_DOMAIN_TPM_TYPE_LAST:
 break;
 }
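Review bot: The new VIR_DOMAIN_TPM_TYPE_EMULATOR arm in virSecurityDACSetTPMFileLabel labels `tpm->data.emulator.source` without recording the precondition it depends on: the helper can only chown a socket path that swtpm has already created, so the ordering described in the commit message (label after swtpm is started) is invisible at the call site, and whether an ENOENT from a not-yet-created socket fails or silently no-ops depends on virSecurityDACSetChardevLabel, which is outside the hunk. A one-line comment above the call, `/* swtpm must already be running: it creates the socket labeled here */`, would make that contract explicit for future callers. The trailing bare `false` argument is also opaque here; a short trailing comment naming the flag it disables would help. virSecurityDACSetTPMFileLabel starts and ends outside the hunk.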
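Review bot: The new VIR_DOMAIN_TPM_TYPE_EMULATOR arm in virSecuritySELinuxSetTPMFileLabel reads `tpm->data.emulator.source.data.nix.path` directly, which is only meaningful when the chardev source type is a Unix socket, yet unlike the DAC side of this same patch it bypasses the chardev labeling helper and so nothing here verifies that before dereferencing the union member. If the emulator source can only ever be VIR_DOMAIN_CHR_TYPE_UNIX, a guard such as `if (tpm->data.emulator.source.type != VIR_DOMAIN_CHR_TYPE_UNIX) return -1;` ahead of the assignment documents and enforces that assumption; otherwise the DAC-style route through a chardev helper (if the SELinux driver has one) would be the consistent choice. Labeling the socket with `seclabel->imagelabel` presumably mirrors what the passthrough branch above does, but that branch is cut off by the hunk and can't be confirmed here. The enclosing function starts and ends outside the hunk.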
@@ -1507,6 +1512,7 @@ virSecuritySELinuxRestoreTPMFileLabelInt(virSecurityManagerPtr mgr, } break; case VIR_DOMAIN_TPM_TYPE_EMULATOR: + /* swtpm will have removed the Unix socket upon termination */ case VIR_DOMAIN_TPM_TYPE_LAST: break; }
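Review bot: Skipping the restore for VIR_DOMAIN_TPM_TYPE_EMULATOR relies on swtpm unlinking its socket on a clean exit; if swtpm is SIGKILLed or crashes, the socket file survives on disk still carrying this domain's `imagelabel`, and a later guest configured with the same path inherits that label until swtpm re-creates the socket. A best-effort restore that tolerates a missing path would close that gap, e.g. `virSecuritySELinuxRestoreFileLabel(mgr, tpm->data.emulator.source.data.nix.path);` with its result deliberately ignored, assuming that helper treats ENOENT as non-fatal — which can't be confirmed from this hunk. If the current behaviour is kept, the comment should state the assumption rather than the consequence, e.g. `/* no restore: swtpm unlinks its socket on a clean exit (stale sockets after a crash keep this label) */`. virSecuritySELinuxRestoreTPMFileLabelInt starts and ends outside the hunk.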