From: Christian Ehrhardt
To: libvir-list@redhat.com
Date: Thu, 22 Nov 2018 13:55:02 +0100
Message-Id: <20181122125502.28814-1-christian.ehrhardt@canonical.com>
In-Reply-To: <3fdf27c3-348f-bd88-0296-28d49bbe20ea@linux.ibm.com>
References: <3fdf27c3-348f-bd88-0296-28d49bbe20ea@linux.ibm.com>
Cc: Guido Günther, Boris Fiuczynski, Christian Ehrhardt, Erik Skultety
Subject: [libvirt] [PATCH v2] security: aa-helper: fix static defined vfio MDEVs

virt-aa-helper needs to grant QEMU access to VFIO MDEV devices. This extends commit 74e86b6b which only covered PCI hostdevs for VFIO-PCI assignment by now also covering vfio MDEVs.
It has still the same limitations regarding the device lifecycle, IOW we're unable to predict the actual VFIO device being created, thus we need wildcards. Also note that the hotplug case, where apparmor is able to detect the actual VFIO device during runtime, is already covered by commit 606afafb. Signed-off-by: Christian Ehrhardt Reviewed-by: Erik Skultety Reviewed-by: Boris Fiuczynski --- src/security/virt-aa-helper.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 03cc15c9d3..c7488432d6 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1105,6 +1105,23 @@ get_files(vahControl * ctl) break; } =20 + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: { + virDomainHostdevSubsysMediatedDevPtr mdevsrc =3D &dev->sou= rce.subsys.u.mdev; + switch ((virMediatedDeviceModelType) mdevsrc->model) { + case VIR_MDEV_MODEL_TYPE_VFIO_PCI: + case VIR_MDEV_MODEL_TYPE_VFIO_AP: + case VIR_MDEV_MODEL_TYPE_VFIO_CCW: + needsVfio =3D true; + break; + case VIR_MDEV_MODEL_TYPE_LAST: + default: + virReportEnumRangeError(virMediatedDeviceModelType, + mdevsrc->model); + break; + } + break; + } + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: { virPCIDevicePtr pci =3D virPCIDeviceNew( dev->source.subsys.u.pci.addr.domain, --=20 2.17.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
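Review bot: in the new VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV block, the `case VIR_MDEV_MODEL_TYPE_LAST: default:` branch calls virReportEnumRangeError() and then only `break`s out of both switches, so get_files() keeps going and still emits a profile for a hostdev whose mdev model it did not recognise, with the reported error left pending. If an unknown model is meant to abort profile generation, this branch should take the function's failure path instead of falling through; if continuing is intentional, a short comment saying so would avoid the question on the next read. It would also help to note next to `needsVfio = true;` that, as the commit message explains, the concrete /dev/vfio node cannot be predicted for statically defined MDEVs and a wildcard rule is therefore generated, since that is the security-relevant consequence of setting the flag and is not visible from the hunk itself.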