

vtpm: Run swtpm with an SELinux label
On systems supporting SELinux run swtpm with an SELinux label
applied. Also label the required files in the state directory.

Signed-off-by: Stefan Berger <[email protected]>
stefanberger committed Jan 6, 2020
1 parent f5cde70 commit d8f8e71
Showing 1 changed file with 56 additions and 0 deletions.
56 changes: 56 additions & 0 deletions libcontainer/vtpm/vtpm.go
Expand Up @@ -16,6 +16,7 @@ import (
"unsafe"

"github.com/opencontainers/runc/libcontainer/apparmor"
selinux "github.com/opencontainers/selinux/go-selinux"

"github.com/sirupsen/logrus"
)
Expand Down Expand Up @@ -459,6 +460,10 @@ again:
if err != nil {
return false, err
}
err = vtpm.setupSELinux()
if err != nil {
return false, err
}

tpmname := vtpm.GetTPMDevname()
fdstr := fmt.Sprintf("%d", vtpm.fd)
Expand Down Expand Up @@ -490,6 +495,7 @@ again:
return false, err
}

vtpm.resetSELinux()
vtpm.resetAppArmor()

cmd = exec.Command("swtpm_bios", "-n", "-cs", "-u", "--tpm-device", tpmname)
Expand Down Expand Up @@ -533,6 +539,7 @@ func (vtpm *VTPM) Stop(deleteStatePath bool) error {

vtpm.CloseServer()

vtpm.teardownSELinux()
vtpm.teardownAppArmor()

vtpm.Tpm_dev_num = VTPM_DEV_NUM_INVALID
Expand Down Expand Up @@ -666,3 +673,52 @@ func (vtpm *VTPM) teardownAppArmor() {
vtpm.aaprofile = ""
}
}

// setupSELinux labels the swtpm files with SELinux labels if SELinux is enabled
func (vtpm *VTPM) setupSELinux() error {
if !selinux.GetEnabled() {
return nil
}

processLabel, fileLabel := selinux.ContainerLabels()
if len(processLabel) == 0 || len(fileLabel) == 0 {
return nil
}

err := filepath.Walk(vtpm.StatePath, func(path string, info os.FileInfo, err error) error {
if (err != nil) {
return err
}
if (info.IsDir() && path != vtpm.StatePath) {
return filepath.SkipDir
}
return selinux.SetFileLabel(path, fileLabel)
})

err = selinux.SetFSCreateLabel(fileLabel)
if err != nil {
return err
}
err = ioutil.WriteFile("/sys/fs/selinux/context", []byte(processLabel), 0000)
if err != nil {
return err
}
err = selinux.SetExecLabel(processLabel)
if err != nil {
return err
}

return nil
}

// resetSELinux resets the prepared SELinux labels
func (vtpm *VTPM) resetSELinux() {
selinux.SetExecLabel("")
selinux.SetFSCreateLabel("")
ioutil.WriteFile("/sys/fs/selinux/context", []byte(""), 0000)
}

// teardownSELinux cleans up SELinux for next spawned process
func (vtpm *VTPM) teardownSELinux() {
vtpm.resetSELinux()
}
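Review bot: The error returned by filepath.Walk in setupSELinux is never examined — `err` is assigned from the Walk call and then overwritten by `err = selinux.SetFSCreateLabel(fileLabel)` on the very next statement, so a failure to label the state directory (a SetFileLabel error on one of the files, or a Walk error) is silently dropped and swtpm is still started under the container process label while its state files may carry the wrong file label, which defeats the purpose of the change. Add `if err != nil { return err }` directly after the Walk call. Relatedly, when a later step fails (the WriteFile or SetExecLabel), the fscreate label already applied by SetFSCreateLabel stays in effect on the error path, and the caller at the `err = vtpm.setupSELinux()` site returns without calling resetSELinux; either setupSELinux should call `vtpm.resetSELinux()` before returning an error, or a comment on setupSELinux should state that the caller is expected to. The exec and fscreate labels are per-thread kernel state, so this presumably relies on the enclosing function running under runtime.LockOSThread so that the subsequent exec happens on the same thread — that function starts outside the hunk, so this is worth confirming and documenting in the setupSELinux comment.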

