To: devel@lists.libvirt.org
Subject: [PATCH v2 1/2] virt-aa-helper: refactor for readability
Date: Fri, 30 May 2025 16:12:50 +0100
Message-ID: <20250530151333.463934-4-tim@seoss.co.uk>
In-Reply-To: <20250506160020.2118323-1-tim@seoss.co.uk>
References: <20250506160020.2118323-1-tim@seoss.co.uk>
From: Tim Small via Devel
CC: Tim Small

Signed-off-by: Tim Small
---
 src/security/virt-aa-helper.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e3802c18be..6481e9cfd7 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c
@@ -1134,10 +1134,10 @@ get_files(vahControl * ctl) } =20 for (i =3D 0; i < ctl->def->nnets; i++) { - if (ctl->def->nets[i] && - ctl->def->nets[i]->type =3D=3D VIR_DOMAIN_NET_TYPE_VHOSTUS= ER && - ctl->def->nets[i]->data.vhostuser) { - virDomainChrSourceDef *vhu =3D ctl->def->nets[i]->data.vhostus= er; + virDomainNetDef *net =3D ctl->def->nets[i]; + + if (net && net->type =3D=3D VIR_DOMAIN_NET_TYPE_VHOSTUSER && net->= data.vhostuser) { + virDomainChrSourceDef *vhu =3D net->data.vhostuser; =20 if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw", vhu->type) !=3D 0) --=20 2.47.2
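Review bot: The Reviewed-by: Peter Krempa trailer carried on the RFC version of this refactor is missing from this v2 resend, although the only visible change between the two is the extra blank line after the `virDomainNetDef *net` declaration (4 insertions here versus 3 in the RFC); carry the tag forward, and give the commit a one-line body noting that the hoisted `net` local is what the following patch builds on.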
To: devel@lists.libvirt.org
Subject: [RFC PATCH 1/2] virt-aa-helper: refactor for readability
Date: Tue, 6 May 2025 17:00:10 +0100
Message-ID: <20250506160020.2118323-2-tim@seoss.co.uk>
In-Reply-To: <20250506160020.2118323-1-tim@seoss.co.uk>
References: <20250506160020.2118323-1-tim@seoss.co.uk>
From: Tim Small via Devel
CC: Tim Small

Signed-off-by: Tim Small
Reviewed-by: Peter Krempa
---
 src/security/virt-aa-helper.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e3802c18be..fa69245324 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c
@@ -1134,10 +1134,9 @@ get_files(vahControl * ctl) } =20 for (i =3D 0; i < ctl->def->nnets; i++) { - if (ctl->def->nets[i] && - ctl->def->nets[i]->type =3D=3D VIR_DOMAIN_NET_TYPE_VHOSTUS= ER && - ctl->def->nets[i]->data.vhostuser) { - virDomainChrSourceDef *vhu =3D ctl->def->nets[i]->data.vhostus= er; + virDomainNetDef *net =3D ctl->def->nets[i]; + if (net && net->type =3D=3D VIR_DOMAIN_NET_TYPE_VHOSTUSER && net->= data.vhostuser) { + virDomainChrSourceDef *vhu =3D net->data.vhostuser; =20 if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw", vhu->type) !=3D 0) --=20 2.47.2
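Review bot: The `virDomainNetDef *net` local introduced here is referenced outside the vhostuser block by patch 2/2 (its `if (net && net->type ... VIR_DOMAIN_NET_TYPE_NETWORK` check at line 1142), so 2/2 does not compile without this patch; that ordering dependency deserves a sentence in the commit message, which currently has no body beyond the trailers.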
To: devel@lists.libvirt.org
Subject: [PATCH v2 2/2] virt-aa-helper: Allow SR-IOV VF PCI for hostdev networks
Date: Fri, 30 May 2025 16:12:53 +0100
Message-ID: <20250530151333.463934-7-tim@seoss.co.uk>
In-Reply-To: <20250506160020.2118323-1-tim@seoss.co.uk>
References: <20250506160020.2118323-1-tim@seoss.co.uk>
From: Tim Small via Devel
CC: Tim Small

Add check for networks which were previously neglected (as opposed to explicit PCI hostdev devices), so that they can be granted the necessary permissions for PCI device access. The network type lookup in turn requires the helper to read libvirt.conf.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993856

Signed-off-by: Tim Small
---
 .../usr.lib.libvirt.virt-aa-helper.in | 4 ++++
 src/security/virt-aa-helper.c | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..4cbad6986d 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -49,6 +49,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { @sysconfdir@/apparmor.d/libvirt/* r, @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw, =20 + # The helper may read libvirt.conf in the course of connecting to a runn= ing + # libvirt deamon e.g. to resolve network configuration for a given domain + @sysconfdir@/libvirt/libvirt.conf r, + # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools audit deny @{HOME}/.* mrwkl, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 6481e9cfd7..f1d8feee11 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1143,6 +1143,16 @@ get_files(vahControl * ctl) vhu->type) !=3D 0) goto cleanup; } + /* + * Grant vfio for SR-IOV PCI VFs shared via + * networks. Calling virDomainNetResolveActualType() results in IP= C. + */ + if (!needsVfio && + net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_NET_TYPE_= HOSTDEV) { + needsVfio =3D true; + } } =20 for (i =3D 0; i < ctl->def->nmems; i++) { 
@@ -1301,12 +1311,22 @@ get_files(vahControl * ctl) if (ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_KVM) { for (i =3D 0; i < ctl->def->nnets; i++) { virDomainNetDef *net =3D ctl->def->nets[i]; + if (net && virDomainNetGetModelString(net)) { if (net->driver.virtio.name =3D=3D VIR_DOMAIN_NET_DRIVER_T= YPE_QEMU) continue; if (!virDomainNetIsVirtioModel(net)) continue; } + + /* n.b. Calling virDomainNetResolveActualType() results in IPC= . */ + if (!needsvhost && + net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_NET_T= YPE_HOSTDEV) { + continue; + } + needsvhost =3D true; } } --=20 2.47.2
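Review bot: In the profile hunk at usr.lib.libvirt.virt-aa-helper.in line 49, the added comment misspells `deamon` (should be `daemon`). The new `@sysconfdir@/libvirt/libvirt.conf r,` rule also applies to the whole confined helper, not just to this lookup path, so the commit message should say which connection the lookup opens and why reading the client configuration is required for it, so that a later reader of the profile can tell whether the rule is still needed.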
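Review bot: In the new block at virt-aa-helper.c line 1143, the return value of virDomainNetResolveActualType() is only compared against VIR_DOMAIN_NET_TYPE_HOSTDEV, so the -1 it returns when the daemon connection cannot be opened is handled exactly like "not a hostdev network": the VF gets no vfio rule and the guest fails later on an AppArmor denial with no hint from the helper. Store the result in a local, and when it is negative report it through the helper's existing error path rather than silently withholding the grant.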
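Review bot: The hunk at line 1311 resolves the actual type of the same network-type interfaces a second time (another IPC round trip per interface), and on a -1 failure it falls through to `needsvhost =3D true`, the opposite of the 1143 hunk where the same failure means no grant. Resolving once in the first loop and keeping the per-interface result would remove both the duplicate IPC and the inconsistent failure behaviour.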
To: devel@lists.libvirt.org
Subject: [RFC PATCH 2/2] virt-aa-helper: Allow SR-IOV VF PCI for hostdev networks
Date: Tue, 6 May 2025 17:00:11 +0100
Message-ID: <20250506160020.2118323-3-tim@seoss.co.uk>
In-Reply-To: <20250506160020.2118323-1-tim@seoss.co.uk>
References: <20250506160020.2118323-1-tim@seoss.co.uk>
From: Tim Small via Devel
CC: Tim Small

Add check for networks which were previously neglected (as opposed to explicit PCI hostdev devices), so that they can be granted the necessary permissions for PCI device access. The network type lookup in turn requires the helper to read libvirt.conf.

Downstream bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993856

Signed-off-by: Tim Small
---
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
 src/security/virt-aa-helper.c | 11 +++++++++++
 2 files changed, 14 insertions(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..3b3d733b5e 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in @@ -49,6 +49,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { @sysconfdir@/apparmor.d/libvirt/* r, @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw, =20 + # allow network type lookup to check for forward type=3Dhostdev networks + @sysconfdir@/libvirt/libvirt.conf r, + # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools audit deny @{HOME}/.* mrwkl, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index fa69245324..7228292358 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1142,6 +1142,12 @@ get_files(vahControl * ctl) vhu->type) !=3D 0) goto cleanup; } + /* Grant vfio for SR-IOV PCI VFs shared via networks */ + if (net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_NET_T= YPE_HOSTDEV) { + needsVfio =3D true; + } } =20 for (i =3D 0; i < ctl->def->nmems; i++) {
@@ -1306,6 +1312,11 @@ get_files(vahControl * ctl) if (!virDomainNetIsVirtioModel(net)) continue; } + if (net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_N= ET_TYPE_HOSTDEV) { + continue; + } needsvhost =3D true; } } --=20 2.47.2
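Review bot: The check at virt-aa-helper.c line 1142 calls virDomainNetResolveActualType(), which opens a connection to the daemon, for every network-type interface even once needsVfio is already true; guard it with `!needsVfio &&` (as the v2 resend does) so the IPC happens at most once, and handle the -1 the function returns on a failed connection instead of letting the comparison against VIR_DOMAIN_NET_TYPE_HOSTDEV silently treat it as a non-hostdev network.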
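Review bot: The hunk at line 1312 repeats the full resolve (and its IPC) per interface in the vhost loop with no `!needsvhost` short-circuit, and a -1 result here leads to `needsvhost =3D true` while the same failure at 1142 withholds the vfio grant; reuse the result of the first loop so both decisions come from one lookup and one consistent failure policy.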