Implement proper isolation and access control for EGM memory devices:
- Add the device to the cgroup for access control
- Set up namespace mappings for device access
- Ensure proper permissions in containerized environments
- Grant the EGM device path the required SELinux, AppArmor, and DAC permissions
Signed-off-by: Nathan Chen <[email protected]>
---
 src/qemu/qemu_cgroup.c | 10 ++++++++++
 src/qemu/qemu_namespace.c | 3 +++
 src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
 src/security/security_apparmor.c | 2 ++
 src/security/security_dac.c | 8 ++++++++
 src/security/security_selinux.c | 6 ++++++
 src/security/virt-aa-helper.c | 4 ++++
 7 files changed, 36 insertions(+)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 7dadef0739..8b70740121 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -577,6 +577,11 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
 VIR_CGROUP_DEVICE_RW, false) < 0)
 return -1;
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ if (qemuCgroupAllowDevicePath(vm, mem->source.egm.path,
+ VIR_CGROUP_DEVICE_RW, false) < 0)
+ return -1;
+ break;
 case VIR_DOMAIN_MEMORY_MODEL_NONE:
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
@@ -615,6 +620,11 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
 VIR_CGROUP_DEVICE_RW, false) < 0)
 return -1;
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ if (qemuCgroupDenyDevicePath(vm, mem->source.egm.path,
+ VIR_CGROUP_DEVICE_RWM, false) < 0)
+ return -1;
+ break;
 case VIR_DOMAIN_MEMORY_MODEL_NONE:
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index c689cc3e40..f6404cb280 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -394,6 +394,9 @@ qemuDomainSetupMemory(virDomainMemoryDef *mem,
 *paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_SGX_VEPVC));
 *paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_SGX_PROVISION));
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ *paths = g_slist_prepend(*paths, g_strdup(mem->source.egm.path));
+ break;
 case VIR_DOMAIN_MEMORY_MODEL_NONE:
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 6267e4f737..2a6a4b979c 100644
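Review bot: The teardown case denies `VIR_CGROUP_DEVICE_RWM` while the matching setup case in the first hunk allowed only `VIR_CGROUP_DEVICE_RW`, and the SGX sibling visible in the teardown context denies `VIR_CGROUP_DEVICE_RW`. Denying a superset of what was granted is harmless, but the asymmetry inside one patch reads like an oversight rather than a decision; either use `VIR_CGROUP_DEVICE_RW` in qemuTeardownMemoryDevicesCgroup to mirror the allow, or add a one-line comment stating why the deny mask is wider. Both switch statements begin and end outside the hunks.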
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -47,6 +47,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
 mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
 umount /{,var/}run/libvirt/qemu/*{,/},
+ # Allow bind mounting EGM devices into qemu namespaces
+ mount options=(rw, bind) /dev/egm* -> /{,var/}run/libvirt/qemu/**,
+
 network inet stream,
 network inet dgram,
 network inet6 stream,
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 68ac39611f..ea04e756d6 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -631,6 +631,8 @@ AppArmorSetMemoryLabel(virSecurityManager *mgr,
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
 case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ path = mem->source.egm.path;
 case VIR_DOMAIN_MEMORY_MODEL_LAST:
 break;
 }
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 2f788b872a..2d79009ee9 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1890,6 +1890,9 @@ virSecurityDACRestoreMemoryLabel(virSecurityManager *mgr,
 * don't need to restore anything. */
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ return virSecurityDACRestoreFileLabel(mgr, mem->source.egm.path);
+
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
 case VIR_DOMAIN_MEMORY_MODEL_LAST:
@@ -2121,6 +2124,11 @@ virSecurityDACSetMemoryLabel(virSecurityManager *mgr,
 return -1;
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ return virSecurityDACSetOwnership(mgr, NULL,
+ mem->source.egm.path,
+ user, group, true);
+
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
 case VIR_DOMAIN_MEMORY_MODEL_LAST:
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2f3cc274a5..b288778634 100644
--- a/src/security/security_selinux.c
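Review bot: The new profile rule is keyed on the literal glob `/dev/egm*`, while every other hunk in this patch works from the user-configured `mem->source.egm.path`; an EGM device node configured at any other path would be granted to the guest by virt-aa-helper, yet its bind mount into the QEMU namespace would still be refused by this libvirtd profile. If the path is meant to be restricted to that prefix, the restriction should be enforced where the domain XML is parsed (not visible here) and stated next to the rule, e.g. `# EGM device nodes must live under /dev/egm* for this rule to match the path given in the domain XML`; otherwise the rule needs to follow the configured path rather than a hardcoded prefix.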
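Review bot: The new `VIR_DOMAIN_MEMORY_MODEL_EGM` case in AppArmorSetMemoryLabel assigns `path` and then falls through into `case VIR_DOMAIN_MEMORY_MODEL_LAST: break;` instead of ending with its own `break;`. It works only because the next label does nothing but break, it is an unmarked fallthrough that a -Wimplicit-fallthrough build is likely to reject, and the next edit to that label group can silently turn it into a bug; the SELinux hunks in this same patch write the case as `path = mem->source.egm.path;` followed by `break;`. Add the `break;` and move the case above the no-op group so it is not read as one of them. The enclosing switch and the code that consumes `path` lie outside the hunk.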
+++ b/src/security/security_selinux.c
@@ -1666,6 +1666,9 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
 seclabel->imagelabel, true) < 0)
 return -1;
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ path = mem->source.egm.path;
+ break;
 case VIR_DOMAIN_MEMORY_MODEL_NONE:
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
@@ -1709,6 +1712,9 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,
 if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true, false) < 0)
 ret = -1;
 return ret;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ path = mem->source.egm.path;
+ break;
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index de0a826063..0e387dd4be 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1194,6 +1194,10 @@ get_files(vahControl * ctl)
 return -1;
 }
 break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ if (vah_add_file(&buf, mem->source.egm.path, "rw") != 0)
+ return -1;
+ break;
 case VIR_DOMAIN_MEMORY_MODEL_DIMM:
 case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-- 
2.43.0
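Review bot: In both security_selinux.c hunks the EGM case only does `path = mem->source.egm.path; break;`, and nothing visible consumes `path`; the SGX sibling in virSecuritySELinuxSetMemoryLabel calls `virSecuritySELinuxSetFilecon(..., seclabel->imagelabel, true)` inline and the one in virSecuritySELinuxRestoreMemoryLabel returns `ret` directly, which suggests these functions have no common tail that labels `path`. If that is so, the device node never receives the guest's image label and nothing is restored on teardown, so QEMU would be denied the device under an enforcing policy while every other hunk in the patch appears to succeed. Mirror the visible siblings instead, `virSecuritySELinuxSetFilecon(mgr, mem->source.egm.path, seclabel->imagelabel, true)` in the set path and `virSecuritySELinuxRestoreFileLabel(mgr, mem->source.egm.path, true, false)` in the restore path, or point to the code after the switch that uses `path`. Both functions extend beyond the hunks.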
