To: tim@seoss.co.uk, devel@lists.libvirt.org
Subject: [PATCH v3 2/2] virt-aa-helper: Allow SR-IOV VF PCI for hostdev networks
Date: Mon, 9 Jun 2025 12:59:07 +0100
Message-ID: <20250609115903.796595-7-tim@seoss.co.uk>
In-Reply-To: <20250609115903.796595-2-tim@seoss.co.uk>
References: <20250609115903.796595-2-tim@seoss.co.uk>
From: Tim Small via Devel
List-Id: Development discussions about the libvirt library & tools

From: Tim Small

Add check for networks which were previously neglected (as opposed to explicit PCI hostdev devices), so that they can be granted the necessary permissions for PCI device access. The network type lookup in turn requires the helper to read libvirt.conf.

See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993856

Signed-off-by: Tim Small
---
Changes since earlier patch versions:

Since V2:
. Fix missing from line in patch body
. Add this narrative

Since V1:
. Formatting - ref Peter Krempa's feedback
. Comments - ref Peter Krempa's feedback
. Minimise calls to virDomainNetResolveActualType() since it obtains info via IPC calls - ref Peter Krempa's feedback

 .../usr.lib.libvirt.virt-aa-helper.in | 4 ++++
 src/security/virt-aa-helper.c         | 20 +++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/= security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index e209a8bff7..4cbad6986d 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -49,6 +49,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper { @sysconfdir@/apparmor.d/libvirt/* r, @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw, =20 + # The helper may read libvirt.conf in the course of connecting to a runn= ing + # libvirt deamon e.g. to resolve network configuration for a given domain + @sysconfdir@/libvirt/libvirt.conf r, + # for backingstore -- allow access to non-hidden files in @{HOME} as well # as storage pools audit deny @{HOME}/.* mrwkl, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 6481e9cfd7..f1d8feee11 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1143,6 +1143,16 @@ get_files(vahControl * ctl) vhu->type) !=3D 0) goto cleanup; } + /* + * Grant vfio for SR-IOV PCI VFs shared via + * networks. Calling virDomainNetResolveActualType() results in IP= C. + */ + if (!needsVfio && + net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_NET_TYPE_= HOSTDEV) { + needsVfio =3D true; + } } =20 for (i =3D 0; i < ctl->def->nmems; i++) { @@ -1301,12 +1311,22 @@ get_files(vahControl * ctl) if (ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_KVM) { for (i =3D 0; i < ctl->def->nnets; i++) { virDomainNetDef *net =3D ctl->def->nets[i]; + if (net && virDomainNetGetModelString(net)) { if (net->driver.virtio.name =3D=3D VIR_DOMAIN_NET_DRIVER_T= YPE_QEMU) continue; if (!virDomainNetIsVirtioModel(net)) continue; } + + /* n.b. Calling virDomainNetResolveActualType() results in IPC= . */ + if (!needsvhost && + net && + net->type =3D=3D VIR_DOMAIN_NET_TYPE_NETWORK && + virDomainNetResolveActualType(net) =3D=3D VIR_DOMAIN_NET_T= YPE_HOSTDEV) { + continue; + } + needsvhost =3D true; } } --=20 2.47.2
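Review bot: the comment added above `@sysconfdir@/libvirt/libvirt.conf r,` in the virt-aa-helper profile hunk misspells "daemon" as "deamon" ("connecting to a running libvirt deamon"); please fix before merge. Since this comment is the only in-profile record of why the rule exists, it would help to name the trigger directly: the new `virDomainNetResolveActualType()` calls in `get_files()` open a connection to the daemon, which reads `libvirt.conf`, as the commit message says. A read-only rule on one configuration file is a minimal widening of the helper's confinement; if that connection also needs paths (the daemon socket, for example) that the existing profile does not already grant, those rules belong in this same change, so please confirm in the commit message that the connection succeeds under the profile as patched.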
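Review bot: in the new block after the vhostuser check in the first `get_files()` hunk, the return value of `virDomainNetResolveActualType(net)` is compared only against `VIR_DOMAIN_NET_TYPE_HOSTDEV`, so an error return from the call (for instance when the daemon cannot be reached from the helper's confined context, or the network is not active) is indistinguishable from "this network is not hostdev-backed": `needsVfio` silently stays false and the domain then fails later with an AppArmor denial on the VFIO device instead of a clear error here. Consider checking the error return and logging it, or treating it as a failure with `goto cleanup` as the vhostuser branch directly above does, so that a misresolved network is diagnosable. The `!needsVfio` short-circuit is the right way to avoid repeating the IPC once VFIO access is already known to be required.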
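Review bot: the second `virDomainNetResolveActualType(net)` call, in the `VIR_DOMAIN_VIRT_KVM` loop of the last hunk, repeats the IPC already performed for the same interface in the earlier nets loop of `get_files()`; given that the changelog's stated goal (per Peter Krempa's feedback) is to minimise these calls, resolve the actual type once per interface in the first loop and reuse it for both the `needsVfio` and `needsvhost` decisions. The `!needsvhost` guard only skips the IPC once vhost is already required, so for a domain whose first interface is a plain bridge the resolution still runs for every subsequent `VIR_DOMAIN_NET_TYPE_NETWORK` interface; caching the resolved type addresses that as well. Minor: the added blank line after `virDomainNetDef *net = ctl->def->nets[i];` is an unrelated whitespace change and could be dropped.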