To: devel@lists.libvirt.org
Subject: [RFC PATCH 2/2] virt-aa-helper: Allow SR-IOV VF PCI for hostdev networks
Date: Tue, 6 May 2025 17:00:11 +0100
Message-ID: <20250506160020.2118323-3-tim@seoss.co.uk>
X-Mailer: git-send-email 2.47.2
In-Reply-To: <20250506160020.2118323-1-tim@seoss.co.uk>
References: <20250506160020.2118323-1-tim@seoss.co.uk>
CC: Tim Small
From: Tim Small via Devel
Reply-To: Tim Small
Content-Type: text/plain; charset="utf-8"

Add check for networks which were previously neglected (as opposed to explicit PCI hostdev devices), so that they can be granted the necessary permissions for PCI device access. The network type lookup in turn requires the helper to read libvirt.conf.

Downstream bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993856

Signed-off-by: Tim Small
---
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
 src/security/virt-aa-helper.c                  | 11 +++++++++++
 2 files changed, 14 insertions(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..3b3d733b5e 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -49,6 +49,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { @sysconfdir@/apparmor.d/libvirt/* r, @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw, =20 + # allow network type lookup to check for forward type=3Dhostdev networks + @sysconfdir@/libvirt/libvirt.conf r, + # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools audit deny @{HOME}/.* mrwkl, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index fa69245324..7228292358 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1142,6 +1142,12 @@ get_files(vahControl * ctl) vhu->type) !=3D 0) goto cleanup; } + /* Grant vfio for SR-IOV PCI VFs shared via networks */ + if (net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_NET_T= YPE_HOSTDEV) { + needsVfio =3D true; + } } =20 for (i =3D 0; i < ctl->def->nmems; i++) { @@ -1306,6 +1312,11 @@ get_files(vahControl * ctl) if (!virDomainNetIsVirtioModel(net)) continue; } + if (net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_N= ET_TYPE_HOSTDEV) { + continue; + } needsvhost =3D true; } } --=20 2.47.2
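Review bot: the profile hunk at @@ -49,6 grants only a read of @sysconfdir@/libvirt/libvirt.conf, while the commit message says the file is needed because the network type lookup (virDomainNetResolveActualType() in the second file) reads it; the comment `# allow network type lookup to check for forward type=hostdev networks` should name that call so the dependency is obvious to whoever next tightens the profile, and since this is an RFC it would help to state whether the helper's existing rules already cover everything else the lookup touches, because a lookup that fails under the profile leaves needsVfio unset in get_files() with no diagnostic.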
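Review bot: in the hunk at @@ -1142,6 the result of virDomainNetResolveActualType(net) is compared directly with VIR_DOMAIN_NET_TYPE_HOSTDEV, so a failure return (a negative value rather than a net type) is silently treated as "not hostdev" and the guest starts without the vfio permissions the comment `/* Grant vfio for SR-IOV PCI VFs shared via networks */` says it needs; store the result in a local and, on a negative value, either `goto cleanup` as the vhostuser branch just above does on `!= 0`, or at least report why the lookup failed.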
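Review bot: the condition added in the hunk at @@ -1306,6 (`net->type == VIR_DOMAIN_NET_TYPE_NETWORK && virDomainNetResolveActualType(net) == VIR_DOMAIN_NET_TYPE_HOSTDEV`) is a verbatim copy of the one added at @@ -1142,6; factor it into a small static helper (a hypothetical vahNetIsHostdevNetwork(net), for example) so the two cannot drift and so each interface's actual type is resolved once rather than twice per guest, and give the `continue` a one-line comment like the first hunk has, so readers see why a hostdev-backed network must not set `needsvhost = true;`.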