Subject: Re: [libvirt PATCH 0/4] qemu/security: start passt process with correct SELinux label
From: Michal Prívozník <mprivozn@redhat.com>
To: Laine Stump, libvir-list@redhat.com
CC: passt-dev@passt.top
Date: Fri, 10 Mar 2023 12:58:46 +0100
In-Reply-To: <20230309044908.29316-1-laine@redhat.com>
References: <20230309044908.29316-1-laine@redhat.com>
List-Id: Development discussion and patches for passt

On
3/9/23 05:49, Laine Stump wrote:
> All the necessary explanation is in Patch 3/4
>
> We may want to turn on this same behavior for some other external
> processes, but right now the one we need it for is passt.
>
> Resolves: https://bugzilla.redhat.com/2172267
>
> Laine Stump (4):
>   util: add an API to retrieve the resolved path to a virCommand's
>     binary
>   security: make args to virSecuritySELinuxContextAddRange() const
>   security: make it possible to set SELinux label of child process from
>     its binary
>   qemu: set SELinux label of passt process to its own binary's label
>
>  src/libvirt_private.syms         |  1 +
>  src/qemu/qemu_dbus.c             |  2 +-
>  src/qemu/qemu_passt.c            |  2 +-
>  src/qemu/qemu_process.c          |  2 +-
>  src/qemu/qemu_security.c         |  5 ++-
>  src/qemu/qemu_security.h         |  1 +
>  src/qemu/qemu_slirp.c            |  2 +-
>  src/qemu/qemu_tpm.c              |  3 +-
>  src/qemu/qemu_vhost_user_gpu.c   |  2 +-
>  src/security/security_apparmor.c |  1 +
>  src/security/security_dac.c      |  1 +
>  src/security/security_driver.h   |  1 +
>  src/security/security_manager.c  |  8 +++-
>  src/security/security_manager.h  |  1 +
>  src/security/security_nop.c      |  1 +
>  src/security/security_selinux.c  | 77 ++++++++++++++++++++++++++++++--
>  src/security/security_stack.c    |  5 ++-
>  src/util/vircommand.c            | 51 ++++++++++++++++-----
>  src/util/vircommand.h            |  1 +
>  19 files changed, 143 insertions(+), 24 deletions(-)
>

Reviewed-by: Michal Privoznik

Does this mean we should lift the temporary limitation documented in NEWS.rst?

Michal