From: Christian Ehrhardt
To: libvir-list@redhat.com
Cc: Stefan Bader, Christian Ehrhardt
Date: Mon, 11 Jun 2018 13:52:54 +0200
Message-Id: <20180611115254.18111-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH] apparmor: fix vfio usage without initial hostdev

The base vfio has not much functionality but to provide a custom container
by opening this path. See https://www.kernel.org/doc/Documentation/vfio.txt
for more.

Systems with static hostdevs will get /dev/vfio/vfio by virt-aa-hotplug
right from the beginning.

But if the guest initially had no hostdev at all it will run into the
following deny before the security module labelling callbacks will make
the actual vfio device (like /dev/vfio/93) known.
Access by qemu is "wr" even though in theory it could maybe be "r":

[ 2652.756712] audit: type=1400 audit(1491303691.719:25): apparmor="DENIED" operation="open" profile="libvirt-17a61b87-5132-497c-b928-421ac2ee0c8a" name="/dev/vfio/vfio" pid=8486 comm="qemu-system-x86" requested_mask="wr" denied_mask="wr" fsuid=64055 ouid=0

Bug-Ubuntu: https://bugs.launchpad.net/bugs/1678322
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1775777

Signed-off-by: Christian Ehrhardt
Signed-off-by: Stefan Bader
Reviewed-by: Erik Skultety
---
 examples/apparmor/libvirt-qemu | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index 2c47652250..874aca2092 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -193,6 +193,9 @@
   deny /dev/shm/lttng-ust-wait-* r,
   deny /run/shm/lttng-ust-wait-* r,
 
+  # for vfio hotplug on systems without static vfio (LP: #1775777)
+  /dev/vfio/vfio rw,
+
   # required for sasl GSSAPI plugin
   /etc/gss/mech.d/ r,
   /etc/gss/mech.d/* r,
-- 
2.17.1
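Review bot: The new `/dev/vfio/vfio rw,` rule in the libvirt-qemu abstraction applies to every guest profile built from it, not only to guests that later hot-plug a hostdev, so the comment above the rule should say why that is acceptable: as the commit message explains, opening this node only yields a container, and the per-group devices such as /dev/vfio/93 are still made known to the profile only through the labelling callbacks. A one-line note like `# container device only; /dev/vfio/<group> is still labelled dynamically on hotplug` would stop a later reader from mistaking this for blanket VFIO access. The `rw` mode is consistent with the cited audit line (`requested_mask="wr"`), so the hunk matches the observed denial even though the message speculates that `r` might suffice in theory.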