From: Andrea Bolognani
Subject: Re: [libvirt PATCH 0/4] qemu/security: start passt process with correct SELinux label
Date: Fri, 10 Mar 2023 06:39:20 -0800
To: Michal Prívozník
Cc: Laine Stump, libvir-list@redhat.com, passt-dev@passt.top
References: <20230309044908.29316-1-laine@redhat.com>
List-Id: Development discussion and patches for passt

On Fri, Mar 10, 2023 at 12:58:46PM +0100, Michal Prívozník wrote:
> On 3/9/23 05:49, Laine Stump wrote:
> > Laine Stump (4):
> >   util: add an API to retrieve the resolved path to a virCommand's
> >     binary
> >   security: make args to virSecuritySELinuxContextAddRange() const
> >   security: make it possible to set SELinux label of child process from
> >     its binary
> >   qemu: set SELinux label of passt process to its own binary's label
> >
> >  src/libvirt_private.syms         |  1 +
> >  src/qemu/qemu_dbus.c             |  2 +-
> >  src/qemu/qemu_passt.c            |  2 +-
> >  src/qemu/qemu_process.c          |  2 +-
> >  src/qemu/qemu_security.c         |  5 ++-
> >  src/qemu/qemu_security.h         |  1 +
> >  src/qemu/qemu_slirp.c            |  2 +-
> >  src/qemu/qemu_tpm.c              |  3 +-
> >  src/qemu/qemu_vhost_user_gpu.c   |  2 +-
> >  src/security/security_apparmor.c |  1 +
> >  src/security/security_dac.c      |  1 +
> >  src/security/security_driver.h   |  1 +
> >  src/security/security_manager.c  |  8 +++-
> >  src/security/security_manager.h  |  1 +
> >  src/security/security_nop.c      |  1 +
> >  src/security/security_selinux.c  | 77 ++++++++++++++++++++++++++++++--
> >  src/security/security_stack.c    |  5 ++-
> >  src/util/vircommand.c            | 51 ++++++++++++++++----
> >  src/util/vircommand.h            |  1 +
> >  19 files changed, 143 insertions(+), 24 deletions(-)

Reviewed-by: Andrea Bolognani

> Does this mean, we should lift the temporary limitation documented in
> NEWS.rst?

Yes, we should definitely include that information in the release
notes. And since I've just pushed the patch that addresses the same
limitation for AppArmor, we can mention both in the same entry.

-- 
Andrea Bolognani / Red Hat / Virtualization
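The last two patches in the series give the passt child a label derived from its own binary instead of the VM's label, while the MCS category range that isolates one VM from another has to survive the swap. The C below is an added example written for this page; it is not libvirt's or passt's code and its range-splicing semantics are my reading of what such a helper needs, not a copy of virSecuritySELinuxContextAddRange(). Function names (ctx_split, ctx_add_range, compute_child_label, apply_label_and_exec), the USE_LIBSELINUX guard and the sample labels are assumptions. The libselinux calls (getfilecon_raw, security_compute_create_raw, setexeccon_raw) are real but only compile with -DUSE_LIBSELINUX -lselinux on an SELinux host; the string part runs anywhere.

```c
/*
 * Added example, not libvirt's or passt's code: derive a child process's
 * SELinux label from the label of the binary it will exec, keeping the
 * per-VM MCS category range. Function names, the USE_LIBSELINUX guard and
 * the sample labels in main() are assumptions made for this example.
 *
 * A context string is user:role:type[:range]. The range may itself contain
 * colons ("s0:c57,c941", "s0-s0:c0.c1023"), so only the first three fields
 * are split on ':' and everything after the third ':' is the range.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Split ctx into user:role:type (length into *plen) and its optional
 * range (pointer into ctx, or NULL). Returns -1 if a field is empty or
 * there are fewer than three fields. */
static int ctx_split(const char *ctx, size_t *plen, const char **range)
{
    const char *p = ctx;

    for (int i = 0; i < 2; i++) {              /* skip user and role */
        const char *field = p;
        p = strchr(p, ':');
        if (!p || p == field || p[1] == '\0')
            return -1;
        p++;
    }
    /* p points at the type; it ends at the next ':' or at end of string */
    const char *colon = strchr(p, ':');
    if (!colon) {
        *plen = strlen(ctx);
        *range = NULL;
        return 0;
    }
    if (colon == p || colon[1] == '\0')        /* empty type or range */
        return -1;
    *plen = (size_t)(colon - ctx);
    *range = colon + 1;
    return 0;
}

/* Write dst's user:role:type followed by src's range into out. src's
 * range replaces whatever range dst carried; if src has no range the
 * result has none either. Returns 0, or -1 on malformed input or a
 * too-small buffer. */
int ctx_add_range(const char *src, const char *dst, char *out, size_t outlen)
{
    size_t slen, dlen;
    const char *srange, *drange;
    int n;

    if (ctx_split(src, &slen, &srange) < 0 ||
        ctx_split(dst, &dlen, &drange) < 0)
        return -1;
    if (srange)
        n = snprintf(out, outlen, "%.*s:%s", (int)dlen, dst, srange);
    else
        n = snprintf(out, outlen, "%.*s", (int)dlen, dst);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

#ifdef USE_LIBSELINUX
#include <unistd.h>
#include <selinux/selinux.h>

/* Ask the loaded policy which label a process running as vm_label gets by
 * executing binary (this applies the policy's type_transition rules, e.g.
 * from the VM domain to the binary's own domain), then re-apply vm_label's
 * MCS range in case the computed label lacks one. */
int compute_child_label(const char *vm_label, const char *binary,
                        char *out, size_t outlen)
{
    char *bin_ctx = NULL, *computed = NULL;
    int ret = -1;

    if (getfilecon_raw(binary, &bin_ctx) < 0)
        return -1;
    if (security_compute_create_raw(vm_label, bin_ctx,
                                    string_to_security_class("process"),
                                    &computed) == 0)
        ret = ctx_add_range(vm_label, computed, out, outlen);
    freecon(computed);
    freecon(bin_ctx);
    return ret;
}

/* Called in the forked child right before exec: the label applies to the
 * next execve() only. Returns only on failure. */
int apply_label_and_exec(const char *label, char *const argv[])
{
    if (setexeccon_raw(label) < 0)
        return -1;
    execv(argv[0], argv);
    return -1;
}
#endif

int main(void)
{
    /* Constructed sample: the VM's per-domain label carries the MCS pair;
     * the computed label is what a transition into a passt domain might
     * return with the range dropped. */
    const char *vm_label = "system_u:system_r:svirt_t:s0:c57,c941";
    const char *computed = "system_u:system_r:passt_t:s0";
    char label[256];

    if (ctx_add_range(vm_label, computed, label, sizeof label) < 0) {
        fprintf(stderr, "malformed context\n");
        return 1;
    }
    printf("%s\n", label);   /* system_u:system_r:passt_t:s0:c57,c941 */
    return 0;
}
```

The check worth keeping in mind from the edge cases: a range such as "s0-s0:c0.c1023" contains a colon of its own, so a helper that naively splits the whole context on ':' would truncate it; splitting only the first three fields is what keeps the category pair intact.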