qemu #1169

Open
etbe wants to merge 1 commit into SELinuxProject:main from etbe:qemu

Conversation

@etbe etbe commented Jun 22, 2026

Contributor

No description provided.

Signed-off-by: Russell Coker <russell@coker.com.au>
Comment on lines +1153 to +1155
optional_policy(`
qemu_domain(virt_bridgehelper_t)
')
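Review bot: `qemu_domain(virt_bridgehelper_t)` carries no role information, so whatever roles are authorized for qemu_t are not made valid for virt_bridgehelper_t by this hunk, and the transition into the helper will fail with an invalid context for any role that some other rule does not already authorize for virt_bridgehelper_t. Since the helper type belongs to the virt module, the cleaner shape is a run interface in virt.if taking a domain and a role attribute (domtrans plus `roleattribute`), called from qemu.te rather than having virt call into qemu; if this hunk sits in virt.te the module dependency also runs the wrong way.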

Member


This should instead be a run interface provided by the virt module.


I don't think the role matters. If a role is not authorized to associate with qemu_t then it should also not be authorized to associate with virt_bridgehelper_t because let's face it: it only makes sense for qemu to ever run that helper.

Member


I'm not sure I understand this comment. It sounds like you're agreeing with me? The point of the run interface is to pass the qemu roles down to virt_bridgehelper_t.


> I'm not sure I understand this comment. It sounds like you're agreeing with me? The point of the run interface is to pass the qemu roles down to virt_bridgehelper_t.

Yes. Sorry.
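The run-interface shape the two reviewers converge on, written out in refpolicy style as an added illustration. This is not code from the PR or from refpolicy: the interface names `virt_domtrans_bridgehelper` and `virt_run_bridgehelper` and the role attribute `virt_bridgehelper_roles` are hypothetical, and `virt_bridgehelper_t`, `virt_bridgehelper_exec_t`, `qemu_t` and `qemu_roles` are assumed to be the existing refpolicy identifiers for the bridge helper domain, its entrypoint, the qemu domain and qemu's role attribute.

```m4
# virt.te (added illustration; names are hypothetical, not from the PR)
# A role attribute that every role allowed to run the helper joins.
attribute_role virt_bridgehelper_roles;
role virt_bridgehelper_roles types virt_bridgehelper_t;

# virt.if
########################################
## <summary>
##	Execute qemu-bridge-helper in the virt_bridgehelper_t domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
#
interface(`virt_domtrans_bridgehelper',`
	gen_require(`
		type virt_bridgehelper_t, virt_bridgehelper_exec_t;
	')

	domtrans_pattern($1, virt_bridgehelper_exec_t, virt_bridgehelper_t)
')

########################################
## <summary>
##	Execute qemu-bridge-helper in the virt_bridgehelper_t domain
##	and allow the caller's roles to be used with that domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role attribute of the caller (for qemu: qemu_roles).
##	</summary>
## </param>
#
interface(`virt_run_bridgehelper',`
	gen_require(`
		attribute_role virt_bridgehelper_roles;
	')

	virt_domtrans_bridgehelper($1)
	# This is the part qemu_domain() in the PR does not do: every role that
	# may run qemu_t becomes a valid role for virt_bridgehelper_t as well.
	roleattribute $2 virt_bridgehelper_roles;
')

# qemu.te: the caller side, replacing the qemu_domain(virt_bridgehelper_t) call.
optional_policy(`
	virt_run_bridgehelper(qemu_t, qemu_roles)
')
```

The domtrans interface is kept separate so a caller that manages roles itself (or only needs the exec/transition rules) can use it without also pulling in the roleattribute; the run interface is the one a domain like qemu_t, which runs the helper as a child process under its own roles, should call.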

kernel_read_network_state(virt_bridgehelper_t)
kernel_read_system_state(virt_bridgehelper_t)

dev_read_sysfs(virt_bridgehelper_t)
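Review bot: `dev_read_sysfs(virt_bridgehelper_t)`, together with `kernel_read_network_state` and `kernel_read_system_state` above it, grants read access to all of sysfs_t, /proc/net and the generic /proc system state rather than to the specific entries the helper touches, and nothing in the hunk records what those entries are. Add a policy comment above these three lines naming the paths seen in the AVC denials that motivated them, so a later reader can judge whether a narrower interface would serve.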

Member


What entries are read? Please add a comment in the policy with that info.


dev_read_sysfs(qemu_t)

allow qemu_t self:anon_inode { create map read write };
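Review bot: with `self` as the target, every kind of anonymous inode qemu_t creates (io_uring, userfaultfd, and any kind a future kernel adds) shares one label and this one rule, so io_uring cannot be allowed without also allowing the rest; and `map` is only needed for io_uring's shared rings, as the sesearch output later in this thread shows (the uffd type gets no `map`). Giving each kind its own type via a named `type_transition` on anon_inode (`"[io_uring]"`, `"[userfaultfd]"`) and dropping the `self` rule lets the permission set differ per kind and denies kinds that are not listed.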

Member


Probably can fully upgrade to mmap_manage_file_perms.

Comment on lines +906 to +908
optional_policy(`
qemu_role(sysadm_r, sysadm_t)
')
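Review bot: `qemu_role(sysadm_r, sysadm_t)` lets sysadm_t transition directly into qemu_t and authorizes qemu_t for sysadm_r, bypassing libvirt, yet the PR has no description and the commit message (Signed-off-by only) does not say why the administrator role needs to launch qemu by hand. State the use case in the commit message so the added role authorization can be weighed against it.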

Member


What's the use case here?


dev_read_sysfs(qemu_t)

allow qemu_t self:anon_inode { create map read write };


I would not use "self" for anon_inode because then you lose control over the various kinds like uffd, io_uring, perf_event, secretmem etc.

In the case of qemu you would allow excessive permissions because afaik qemu only leverages io_uring and uffd anon_inodes

Here is how I deal with anon_inodes:

https://git.defensec.nl/forge/defensec/dssp5/src/branch/dssp5-debian/src/anoninode.cil
https://git.defensec.nl/forge/defensec/dssp5/src/branch/dssp5-debian/src/anoninode

https://git.defensec.nl/forge/defensec/dssp5/src/branch/dssp5-debian/src/anoninode/iouringanoninode.cil#L32


root@nimbus:~# sesearch -A -s qemu.guest.subj -c anon_inode
allow qemu.guest.subj qemu.guest.iouring.anon_inode:anon_inode { append create getattr ioctl link lock map open read rename setattr unlink write };
allow qemu.guest.subj qemu.guest.uffd.anon_inode:anon_inode { append create getattr ioctl link lock open read rename setattr unlink write };


root@nimbus:~# sesearch -T -s qemu.guest.subj -c anon_inode
type_transition qemu.guest.subj qemu.guest.subj:anon_inode qemu.guest.iouring.anon_inode [io_uring];
type_transition qemu.guest.subj qemu.guest.subj:anon_inode qemu.guest.uffd.anon_inode [userfaultfd];
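The per-kind anon_inode labeling shown in the sesearch output above, rewritten in refpolicy kernel-policy syntax for qemu_t as an added illustration. This is not code from the PR or from dssp5: the type names `qemu_iouring_anon_inode_t` and `qemu_uffd_anon_inode_t` are hypothetical, while `"[io_uring]"` and `"[userfaultfd]"` are the names the kernel supplies for those inodes, as the `type_transition` rules above show. The weak `self` rule from the PR is kept as a comment beside the tightened form so the two can be compared.

```m4
# qemu.te (added illustration, not code from this PR); type names are hypothetical.

# Before: one label, one rule, for every kind of anon inode qemu_t creates now or later.
# allow qemu_t self:anon_inode { create map read write };

# After: a distinct type per kind of anonymous inode.
type qemu_iouring_anon_inode_t;
type qemu_uffd_anon_inode_t;

# The kernel labels a new anon inode with the creating domain's type unless a
# named transition matches; the name is what the kernel passes for that kind.
type_transition qemu_t qemu_t:anon_inode qemu_iouring_anon_inode_t "[io_uring]";
type_transition qemu_t qemu_t:anon_inode qemu_uffd_anon_inode_t "[userfaultfd]";

# io_uring needs map for its shared submission/completion rings; userfaultfd
# is driven through ioctl and read and needs no map.
allow qemu_t qemu_iouring_anon_inode_t:anon_inode { create getattr ioctl map read write };
allow qemu_t qemu_uffd_anon_inode_t:anon_inode { create getattr ioctl read write };

# No self rule remains: a kind without a transition above (perf_event,
# secretmem, ...) is labeled qemu_t and its create is denied.
```

Check the result the same way the thread does: `sesearch -T -s qemu_t -c anon_inode` should list the two named transitions, and `sesearch -A -s qemu_t -c anon_inode` should show `map` only on the io_uring type and no rule with qemu_t as the target.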


3 participants