
[libvirt] [PATCH] security: aa-helper: fix static defined vfio MDEVs

For vfio MDEVs we need to allow qemu the vfio access in apparmor.

This is extending the older fix 74e86b6b: "Fix apparmor profile
to make vfio pci passthrough work" which was for VFIO PCI
passthrough on static hostdevs to now also cover vfio MDEVs.
It is having the same limitations of the lifecycle at that time
being unable to detect the actual vfio device and therefore
adds a wildcard.

Please also note that hotplug - which can detect the right
device at runtime - is covered by labeling callbacks in
606afafb: "security: Enable labeling of vfio mediated devices"

Signed-off-by: Christian Ehrhardt <christian ehrhardt canonical com>
 src/security/virt-aa-helper.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 03cc15c9d3..c7488432d6 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1105,6 +1105,23 @@ get_files(vahControl * ctl)
+                virDomainHostdevSubsysMediatedDevPtr mdevsrc = &dev->source.subsys.u.mdev;
+                switch ((virMediatedDeviceModelType) mdevsrc->model) {
+                    case VIR_MDEV_MODEL_TYPE_VFIO_PCI:
+                    case VIR_MDEV_MODEL_TYPE_VFIO_AP:
+                    case VIR_MDEV_MODEL_TYPE_VFIO_CCW:
+                        needsVfio = true;
+                        break;
+                    case VIR_MDEV_MODEL_TYPE_LAST:
+                    default:
+                        virReportEnumRangeError(virMediatedDeviceModelType,
+                                                mdevsrc->model);
+                        break;
+                }
+                break;
+            }
                 virPCIDevicePtr pci = virPCIDeviceNew(
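
Review bot: the `case VIR_MDEV_MODEL_TYPE_LAST:` / `default:` branch calls `virReportEnumRangeError()` and then only does `break;`, so in the lines shown an out-of-range `mdevsrc->model` is reported but nothing marks the call as failed and profile generation carries on. If get_files() is meant to fail on invalid input, set the error return in that branch; if continuing is intended, say so in a comment. Separately, the three `VIR_MDEV_MODEL_TYPE_VFIO_*` cases only set `needsVfio = true;`, while the commit message explains that this ends in a wildcard because the actual vfio device cannot be detected for static definitions. A short comment at that assignment stating this, and that hotplug is handled by the labeling callbacks, would keep the reason for the broader rule next to the code.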
