qemu-e2k/tools/virtiofsd
Vivek Goyal 0c3f81e131 virtiofsd: Create new file with security context
This patch adds support for creating new file with security context
as sent by client. It basically takes three paths.

- If no security context enabled, then it continues to create files without
  security context.

- If security context is enabled and but security.selinux has not been
  remapped, then it uses /proc/thread-self/attr/fscreate knob to set
  security context and then create the file. This will make sure that
  newly created file gets the security context as set in "fscreate" and
  this is atomic w.r.t file creation.

  This is useful and host and guest SELinux policies don't conflict and
  can work with each other. In that case, guest security.selinux xattr
  is not remapped and it is passthrough as "security.selinux" xattr
  on host.

- If security context is enabled but security.selinux xattr has been
  remapped to something else, then it first creates the file and then
  uses setxattr() to set the remapped xattr with the security context.
  This is a non-atomic operation w.r.t file creation.

  This mode will be most versatile and allow host and guest to have their
  own separate SELinux xattrs and have their own separate SELinux policies.

Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
Signed-off-by: Vivek Goyal <vgoyal@redhat.com>
Message-Id: <20220208204813.682906-9-vgoyal@redhat.com>
Signed-off-by: Dr. David Alan Gilbert <dgilbert@redhat.com>
2022-02-17 17:22:26 +00:00
..
50-qemu-virtiofsd.json.in virtiofsd: add vhost-user.json file 2020-01-23 16:41:36 +00:00
buffer.c tools/virtiofsd/buffer.c: replaced a calloc call with GLib's g_try_new0 2021-05-26 18:39:32 +01:00
fuse_common.h virtiofsd, fuse_lowlevel.c: Add capability to parse security context 2022-02-17 17:22:26 +00:00
fuse_i.h virtiofsd, fuse_lowlevel.c: Add capability to parse security context 2022-02-17 17:22:26 +00:00
fuse_log.c Clean up includes 2020-12-10 17:16:44 +01:00
fuse_log.h Clean up includes 2020-12-10 17:16:44 +01:00
fuse_lowlevel.c virtiofsd, fuse_lowlevel.c: Add capability to parse security context 2022-02-17 17:22:26 +00:00
fuse_lowlevel.h spelling: sytem => system 2021-09-15 15:51:07 +02:00
fuse_misc.h Clean up includes 2020-12-10 17:16:44 +01:00
fuse_opt.c tools/virtiofsd/fuse_opt.c: Replaced a malloc with GLib's g_try_malloc 2021-05-26 18:39:32 +01:00
fuse_opt.h virtiofsd: Format imported files to qemu style 2020-01-23 16:41:36 +00:00
fuse_signals.c Clean up includes 2020-12-10 17:16:44 +01:00
fuse_virtio.c virtiofsd: Error on bad socket group name 2021-10-25 19:38:32 +01:00
fuse_virtio.h virtiofsd: cleanup allocated resource in se 2020-01-23 16:41:37 +00:00
helper.c virtiofsd: Add an option to enable/disable posix acls 2021-07-05 10:51:26 +01:00
meson.build libvhost-user: make it a meson subproject 2020-12-08 13:48:58 -05:00
passthrough_helpers.h virtiofsd: Format imported files to qemu style 2020-01-23 16:41:36 +00:00
passthrough_ll.c virtiofsd: Create new file with security context 2022-02-17 17:22:26 +00:00
passthrough_seccomp.c tools/virtiofsd: Add rseq syscall to the seccomp allowlist 2022-02-14 17:11:20 +00:00
passthrough_seccomp.h Clean up includes 2020-12-10 17:16:44 +01:00