From: Christian Ehrhardt
To: libvir-list@redhat.com, Guido Günther, Jamie Strandboge
Cc: Christian Ehrhardt
Date: Thu, 22 Nov 2018 11:27:36 +0100
Message-Id: <20181122102736.14853-1-christian.ehrhardt@canonical.com>
Subject: [libvirt] [PATCH] security: aa-helper: fix static defined vfio MDEVs

For vfio MDEVs we need to allow qemu the vfio access in apparmor.

This is extending the older fix 74e86b6b: "Fix apparmor profile to make vfio pci passthrough work", which was for VFIO PCI passthrough on static hostdevs, to now also cover vfio MDEVs.

It is having the same limitations of the lifecycle at that time, being unable to detect the actual vfio device, and therefore adds a wildcard.
Please also note that hotplug - which can detect the right device at runtime - is covered by labeling callbacks in 606afafb: "security: Enable labeling of vfio mediated devices"

Signed-off-by: Christian Ehrhardt
Reviewed-by: Boris Fiuczynski
Reviewed-by: Erik Skultety
---
 src/security/virt-aa-helper.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 03cc15c9d3..c7488432d6 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1105,6 +1105,23 @@ get_files(vahControl * ctl) break; } =20 + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: { + virDomainHostdevSubsysMediatedDevPtr mdevsrc =3D &dev->sou= rce.subsys.u.mdev; + switch ((virMediatedDeviceModelType) mdevsrc->model) { + case VIR_MDEV_MODEL_TYPE_VFIO_PCI: + case VIR_MDEV_MODEL_TYPE_VFIO_AP: + case VIR_MDEV_MODEL_TYPE_VFIO_CCW: + needsVfio =3D true; + break; + case VIR_MDEV_MODEL_TYPE_LAST: + default: + virReportEnumRangeError(virMediatedDeviceModelType, + mdevsrc->model); + break; + } + break; + } + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: { virPCIDevicePtr pci =3D virPCIDeviceNew( dev->source.subsys.u.pci.addr.domain, --=20 2.17.1

-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
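Review bot: in the `case VIR_MDEV_MODEL_TYPE_LAST:` / `default:` arm, virReportEnumRangeError() is followed only by `break`, so get_files() continues past an unknown model and returns as if nothing went wrong; needsVfio stays unset, the profile is generated without any /dev/vfio rule, and the reported error is reduced to a log line the caller never acts on. If an out-of-range model cannot reach this point because the domain XML parser already rejects it, a short comment saying so would justify the non-fatal handling; otherwise make the error fail the call (set the function's error return and jump to its cleanup path) so the caller sees the failure rather than a half-built profile. A smaller point: all three vfio models collapse to `needsVfio = true`, which the commit message says turns into a wildcard rule because the actual device cannot be determined here; a one-line comment pointing at the hotplug labeling callbacks (606afafb) as the path that grants the specific device would save the next reader from hunting for the narrow rule in this file.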
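The trade-off the commit message describes is between a profile generated before the guest starts, which cannot know which /dev/vfio/N group node QEMU will open and so must grant a wildcard, and a hotplug-time label, which can name the exact node. The shell snippet below is an added example, not libvirt or virt-aa-helper code: it resolves an mdev UUID to its IOMMU group through the kernel's sysfs layout (/sys/bus/mdev/devices/<uuid>/iommu_group, a symlink into /sys/kernel/iommu_groups/) and emits a narrow AppArmor rule when that succeeds, falling back to the wildcard when the device cannot be resolved, which is the static-hostdev situation. The rule text (quoted path plus rw) and the function names are mine; the exact rules virt-aa-helper writes when needsVfio is set are not shown in this patch. The optional second argument overrides the sysfs root so the functions can be exercised against a constructed directory tree instead of a live host.

```shell
#!/bin/sh
# Added example, not libvirt code. Resolve a mediated device (mdev) UUID to
# the /dev/vfio/<group> node QEMU will open, and emit AppArmor rules for it.
#
# Assumed sysfs layout (what the kernel exposes for mdev devices):
#   /sys/bus/mdev/devices/<uuid>/iommu_group -> .../kernel/iommu_groups/<N>
# The second argument overrides the sysfs root so the code can be run
# against a constructed directory tree instead of a live host.

# Print /dev/vfio/<N> for an mdev UUID; fail with no output when the device
# cannot be resolved, e.g. because it has not been created yet, which is the
# situation a statically generated profile is in.
mdev_vfio_node() {
    uuid=$1
    root=${2:-/sys}
    link="$root/bus/mdev/devices/$uuid/iommu_group"
    [ -L "$link" ] || return 1
    target=$(readlink "$link") || return 1
    group=${target##*/}           # basename of the iommu_groups/<N> target
    case $group in
        ''|*[!0-9]*) return 1 ;;  # only a plain group number becomes a rule
    esac
    printf '/dev/vfio/%s\n' "$group"
}

# Emit the AppArmor rules QEMU needs for VFIO: the container node is always
# required; the group node is narrowed to the exact device when it can be
# resolved and widened to the wildcard otherwise (the static-hostdev case).
vfio_apparmor_rules() {
    uuid=$1
    root=${2:-/sys}
    printf '  "/dev/vfio/vfio" rw,\n'
    if node=$(mdev_vfio_node "$uuid" "$root"); then
        printf '  "%s" rw,\n' "$node"
    else
        printf '  "/dev/vfio/*" rw,\n'
    fi
}
```

On a live host, `vfio_apparmor_rules <mdev-uuid>` prints the two rules for that device. Note that even the narrow rule grants the whole IOMMU group, since a group is the smallest unit the kernel can hand to userspace; the wildcard additionally grants every other group on the host, which is the exposure the static path accepts.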