To: devel@lists.libvirt.org
Subject: [PATCH v2 2/2] virt-aa-helper: Allow SR-IOV VF PCI for hostdev networks
Date: Fri, 30 May 2025 16:12:53 +0100
Message-ID: <20250530151333.463934-7-tim@seoss.co.uk>
X-Mailer: git-send-email 2.47.2
In-Reply-To: <20250506160020.2118323-1-tim@seoss.co.uk>
References: <20250506160020.2118323-1-tim@seoss.co.uk>
MIME-Version: 1.0
Content-Transfer-Encoding:
quoted-printable
CC: Tim Small
From: Tim Small via Devel
Reply-To: Tim Small
Content-Type: text/plain; charset="utf-8"

Add a check for networks which were previously neglected (as opposed to explicit PCI hostdev devices), so that they can be granted the necessary permissions for PCI device access. The network type lookup in turn requires the helper to read libvirt.conf.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993856

Signed-off-by: Tim Small
---
 .../usr.lib.libvirt.virt-aa-helper.in | 4 ++++
 src/security/virt-aa-helper.c | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in index e209a8bff7..4cbad6986d 100644 --- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in +++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -49,6 +49,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { @sysconfdir@/apparmor.d/libvirt/* r, @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw, =20 + # The helper may read libvirt.conf in the course of connecting to a runn= ing + # libvirt deamon e.g. to resolve network configuration for a given domain + @sysconfdir@/libvirt/libvirt.conf r, + # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools audit deny @{HOME}/.* mrwkl, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 6481e9cfd7..f1d8feee11 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1143,6 +1143,16 @@ get_files(vahControl * ctl) vhu->type) !=3D 0) goto cleanup; } + /* + * Grant vfio for SR-IOV PCI VFs shared via + * networks. Calling virDomainNetResolveActualType() results in IP= C. + */ + if (!needsVfio && + net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_NET_TYPE_= HOSTDEV) { + needsVfio =3D true; + } } =20 for (i =3D 0; i < ctl->def->nmems; i++) { @@ -1301,12 +1311,22 @@ get_files(vahControl * ctl) if (ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_KVM) { for (i =3D 0; i < ctl->def->nnets; i++) { virDomainNetDef *net =3D ctl->def->nets[i]; + if (net && virDomainNetGetModelString(net)) { if (net->driver.virtio.name =3D=3D VIR_DOMAIN_NET_DRIVER_T= YPE_QEMU) continue; if (!virDomainNetIsVirtioModel(net)) continue; } + + /* n.b. Calling virDomainNetResolveActualType() results in IPC= . */ + if (!needsvhost && + net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_NET_T= YPE_HOSTDEV) { + continue; + } + needsvhost =3D true; } } --=20 2.47.2
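Review bot: In the apparmor profile hunk the new comment says the helper reads libvirt.conf "in the course of connecting to a running libvirt daemon", but the only rule added is the file read `@sysconfdir@/libvirt/libvirt.conf r,`; the connection itself (the daemon socket) is not covered by anything in this hunk, so please confirm the existing profile already permits it, or state in the comment where that access comes from, otherwise the new IPC in virt-aa-helper.c will be denied under confinement and the VF will silently not get its vfio grant. Minor: "deamon" should be "daemon" in the comment.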
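Review bot: In the first virt-aa-helper.c hunk (get_files, around line 1143) the condition `virDomainNetResolveActualType(net) == VIR_DOMAIN_NET_TYPE_HOSTDEV` swallows lookup failures: the comment itself notes the call performs IPC, and whatever the function returns on failure cannot equal VIR_DOMAIN_NET_TYPE_HOSTDEV, so a failed lookup (daemon not reachable, libvirt.conf unreadable, unknown network name) is indistinguishable from "not a hostdev network" and the VF quietly ends up without vfio access. Suggest storing the result in a local `int actualType`, checking it for an error return before the comparison, and either reporting the error and `goto cleanup` or at least logging it, so the failure is diagnosable instead of surfacing later as an unexplained /dev/vfio denial.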
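Review bot: In the second virt-aa-helper.c hunk (the KVM vhost loop, around line 1311) the same interfaces are resolved over IPC a second time, since the earlier loop at line 1143 already called virDomainNetResolveActualType() on every VIR_DOMAIN_NET_TYPE_NETWORK interface; resolving once per interface (for example recording the actual type in the first loop and reusing it here) would halve the daemon round trips and leave one failure path to handle instead of two. The `!needsvhost &&` short-circuit is correct, because once needsvhost is true a further `continue` changes nothing, but that is not obvious at a glance and deserves a word in the comment. The leading `+` line that adds only a blank line after `virDomainNetDef *net = ctl->def->nets[i];` is an unrelated whitespace change and could be dropped.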