[libvirt] [PATCH v2] security: aa-helper: fix static defined vfio MDEVs

Christian Ehrhardt posted 1 patch 3 weeks ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/20181122125502.28814-1-christian.ehrhardt@canonical.com
src/security/virt-aa-helper.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)

[libvirt] [PATCH v2] security: aa-helper: fix static defined vfio MDEVs

Posted by Christian Ehrhardt 3 weeks ago
virt-aa-helper needs to grant QEMU access to VFIO MDEV devices.

This extends commit 74e86b6b which only covered PCI hostdevs for VFIO-PCI
assignment by now also covering vfio MDEVs.
It has still the same limitations regarding the device lifecycle, IOW we're
unable to predict the actual VFIO device being created, thus we need
wildcards.

Also note that the hotplug case, where apparmor is able to detect the actual
VFIO device during runtime, is already covered by commit 606afafb.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
---
 src/security/virt-aa-helper.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 03cc15c9d3..c7488432d6 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1105,6 +1105,23 @@ get_files(vahControl * ctl)
                 break;
             }
 
+            case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {
+                virDomainHostdevSubsysMediatedDevPtr mdevsrc = &dev->source.subsys.u.mdev;
+                switch ((virMediatedDeviceModelType) mdevsrc->model) {
+                    case VIR_MDEV_MODEL_TYPE_VFIO_PCI:
+                    case VIR_MDEV_MODEL_TYPE_VFIO_AP:
+                    case VIR_MDEV_MODEL_TYPE_VFIO_CCW:
+                        needsVfio = true;
+                        break;
+                    case VIR_MDEV_MODEL_TYPE_LAST:
+                    default:
+                        virReportEnumRangeError(virMediatedDeviceModelType,
+                                                mdevsrc->model);
+                        break;
+                }
+                break;
+            }
+
             case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
                 virPCIDevicePtr pci = virPCIDeviceNew(
                            dev->source.subsys.u.pci.addr.domain,
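
Review bot: In the VIR_MDEV_MODEL_TYPE_LAST / default branch of the inner switch, virReportEnumRangeError() is followed only by break, and the enclosing case then breaks as well. As far as these lines show, an out-of-range mdevsrc->model is reported as an error but get_files() carries on building the profile as if nothing had gone wrong. Either propagate the failure to the caller at that point or, if continuing is intended, add a comment saying so. A short comment at "needsVfio = true;" would also help: the commit message explains that the static case cannot predict the actual VFIO device and therefore relies on wildcards, but nothing in the code records that this flag grants broader access than the single mediated device being assigned.
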
-- 
2.17.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v2] security: aa-helper: fix static defined vfio MDEVs

Posted by Erik Skultety 3 weeks ago
On Thu, Nov 22, 2018 at 01:55:02PM +0100, Christian Ehrhardt wrote:
> virt-aa-helper needs to grant QEMU access to VFIO MDEV devices.
>
> This extends commit 74e86b6b which only covered PCI hostdevs for VFIO-PCI
> assignment by now also covering vfio MDEVs.
> It has still the same limitations regarding the device lifecycle, IOW we're
> unable to predict the actual VFIO device being created, thus we need
> wildcards.
>
> Also note that the hotplug case, where apparmor is able to detect the actual
> VFIO device during runtime, is already covered by commit 606afafb.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> Reviewed-by: Erik Skultety <eskultet@redhat.com>
> Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>
> ---

I'm sorry if I sounded like I need to see a v2, I just wanted to give other
people time to look at it too before I merge it.
Anyhow, I merged the patch.

Thanks,
Erik
