To: devel@lists.libvirt.org
Subject: [PATCH v2 4/5] qemu: Update Cgroup, namespace, and seclabel for iommufd
Date: Fri, 21 Nov 2025 18:20:56 -0800
Message-ID: <20251122022057.3440459-5-nathanc@nvidia.com>
In-Reply-To: <20251122022057.3440459-1-nathanc@nvidia.com>
References: <20251122022057.3440459-1-nathanc@nvidia.com>
From: Nathan Chen via Devel
Reply-To: Nathan Chen
CC: skolothumtho@nvidia.com, nicolinc@nvidia.com, nathanc@nvidia.com, mochs@nvidia.com
List-Id: Development discussions about the libvirt library & tools

When launching a qemu VM with the iommufd feature enabled for VFIO hostdevs:

- Do not allow access to /dev/vfio/vfio and /dev/vfio/ used by VFIO without iommufd enabled
- Allow access to /dev/iommu and /dev/vfio/devices/vfio*

Signed-off-by: Nathan Chen
---
 src/qemu/qemu_cgroup.c           | 26 ++++++++++++++------------
 src/qemu/qemu_namespace.c        | 16 +++++++++-------
 src/security/security_apparmor.c | 18 +++++++++++-------
 src/security/security_dac.c      | 28 ++++++++++++++++++----------
 src/security/security_selinux.c  | 28 ++++++++++++++++++----------
 src/security/virt-aa-helper.c    | 11 +++++++++--
 6 files changed, 79 insertions(+), 48 deletions(-)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 46a7dc1d8b..b3610b31ca 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -479,21 +479,23 @@ qemuSetupHostdevCgroup(virDomainObj *vm, g_autofree char *path =3D NULL; int perms; =20 - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) - return 0; + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_BOOL_YES= ) { + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DE= VICES)) + return 0; =20 - if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) - return -1; + if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) + return -1; =20 - if (path && - qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) { - return -1; - } + if (path && + qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) { + return -1; + } =20 - if (virHostdevNeedsVFIO(dev) && - qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO, - VIR_CGROUP_DEVICE_RW, false) < 0) { - return -1; + if (virHostdevNeedsVFIO(dev) && + qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO, + VIR_CGROUP_DEVICE_RW, false) < 0) { + return -1; + } } =20 return 0; diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index 932777505b..489b13261b 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c 
@@ -343,15 +343,17 @@ qemuDomainSetupHostdev(virDomainObj *vm, { g_autofree char *path =3D NULL; =20 - if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) - return -1; + if (hostdev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_BOOL= _YES) { + if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) + return -1; =20 - if (path) - *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path)); + if (path) + *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path)); =20 - if (virHostdevNeedsVFIO(hostdev) && - (!hotplug || !qemuDomainNeedsVFIO(vm->def))) - *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_VFIO)); + if (virHostdevNeedsVFIO(hostdev) && + (!hotplug || !qemuDomainNeedsVFIO(vm->def))) + *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_VFIO)); + } =20 return 0; } diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 68ac39611f..d66f035e52 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -848,14 +848,18 @@ AppArmorSetSecurityHostdevLabel(virSecurityManager *m= gr, goto done; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); - - if (!vfioGroupDev) { - virPCIDeviceFree(pci); - goto done; + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); + + if (!vfioGroupDev) { + virPCIDeviceFree(pci); + goto done; + } + ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr= ); + VIR_FREE(vfioGroupDev); + } else { + ret =3D 0; } - ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr); - VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILab= el, ptr); } diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2f788b872a..93a9268389 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c 
@@ -1282,14 +1282,18 @@ virSecurityDACSetHostdevLabel(virSecurityManager *m= gr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; =20 - ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, - false, - &cbdata); + ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, + false, + &cbdata); + } else { + ret =3D 0; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACSetPCILabel, @@ -1443,13 +1447,17 @@ virSecurityDACRestoreHostdevLabel(virSecurityManage= r *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; =20 - ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfioGroupDev, fal= se); + } else { + ret =3D 0; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACRestorePCIL= abel, mgr); } diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 2f3cc274a5..af6b938641 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -2256,14 +2256,18 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurity= Manager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; =20 - ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupDev, - false, - &data); + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupD= ev, + false, + &data); + } else { + ret =3D 0; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxSetPCIL= abel, &data); } @@ -2491,12 +2495,16 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecu= rityManager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; =20 - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupDev, = false, false); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupD= ev, false, false); + } else { + ret =3D 0; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxRestore= PCILabel, mgr); } diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index de0a826063..ea05f2c5f7 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c 
@@ -878,7 +878,7 @@ get_files(vahControl * ctl) size_t i; g_autofree char *uuid =3D NULL; char uuidstr[VIR_UUID_STRING_BUFLEN]; - bool needsVfio =3D false, needsvhost =3D false, needsgl =3D false; + bool needsVfio =3D false, needsvhost =3D false, needsgl =3D false, nee= dsIommufd =3D false; =20 /* verify uuid is same as what we were given on the command line */ virUUIDFormat(ctl->def->uuid, uuidstr); @@ -1119,6 +1119,9 @@ get_files(vahControl * ctl) needsVfio =3D true; } =20 + if (dev->source.subsys.u.pci.driver.iommufd =3D=3D VIR_TRISTAT= E_BOOL_YES) + needsIommufd =3D true; + if (pci =3D=3D NULL) continue; =20 @@ -1344,10 +1347,14 @@ get_files(vahControl * ctl) if (needsvhost) virBufferAddLit(&buf, " \"/dev/vhost-net\" rw,\n"); =20 - if (needsVfio) { + if (needsIommufd) { + virBufferAddLit(&buf, " \"/dev/iommu\" rwm,\n"); + virBufferAddLit(&buf, " \"/dev/vfio/devices/vfio[0-9]*\" rwm,\n"); + } else if (needsVfio) { virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); } + if (needsgl) { /* if using gl all sorts of further dri related paths will be need= ed */ virBufferAddLit(&buf, " # DRI/Mesa/(e)GL config and driver paths\= n"); --=20 2.43.0
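Review bot: in the qemu_cgroup.c hunk, the new guard `if (dev->source.subsys.u.pci.driver.iommufd != VIR_TRISTATE_BOOL_YES)` reads the `u.pci` union member before anything in qemuSetupHostdevCgroup has established that this hostdev is a PCI subsys device, yet the function is reached for every hostdev type (USB, SCSI, mdev). For a non-PCI hostdev the union holds a different struct, so the value of `driver.iommufd` is whatever bytes happen to overlap it, and an unlucky pattern silently skips the whole cgroup setup for a device that needs the legacy VFIO nodes. Check `dev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI` before consulting the field, ideally in a small helper that the qemu_namespace.c hunk can share. Separately, the commit message says an iommufd guest is allowed /dev/iommu and /dev/vfio/devices/vfio*, but the iommufd path of this hunk allows nothing and falls through to `return 0`; under the default-deny devices controller QEMU will then be unable to open either node, so if those allow rules arrive in another patch of the series the commit message should say so, and if not they belong here.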
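Review bot: the qemu_namespace.c hunk has the same unchecked `u.pci` read as the cgroup hunk (`hostdev->source.subsys.u.pci.driver.iommufd` is evaluated before the hostdev has been confirmed to be a PCI subsys device), and in the iommufd branch nothing is prepended to `*paths`, so neither /dev/iommu nor the device's own /dev/vfio/devices/vfioN node is created inside QEMU's private mount namespace. Unless a later patch populates them, QEMU sees an empty /dev for exactly the nodes the commit message says it should reach; the branch should prepend those two paths the same way the legacy branch prepends `QEMU_DEV_VFIO` and the group node.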
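Review bot: style, in the security_apparmor.c hunk: the new condition spells out `dev->source.subsys.u.pci.driver.iommufd` while the enclosing test on the same path uses `pcisrc->driver.name`; `pcisrc` already points at that struct, so `pcisrc->driver.iommufd != VIR_TRISTATE_BOOL_YES` is shorter, keeps both checks reading through the same pointer, and fits within the 80-column wrap the rest of the function observes. The same substitution applies to the four security_dac.c and security_selinux.c hunks.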
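Review bot: in the virSecurityDACSetHostdevLabel hunk, setting `ret = 0` for an iommufd hostdev means no ownership change is applied to any device node at all, yet DAC-confined QEMU runs as the configured qemu user and /dev/vfio/devices/vfioN is root-owned by default, so the open will fail under the DAC driver unless something else chowns it. The commit message promises access to /dev/vfio/devices/vfio*, so this branch should run virSecurityDACSetHostdevLabelHelper on that per-device node (and /dev/iommu if its default mode is not world-accessible), with the matching restore in virSecurityDACRestoreHostdevLabel, rather than skipping labeling; if another patch does this, the commit message should name it.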
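Review bot: the virSecuritySELinuxSetHostdevSubsysLabel hunk has the same gap as the DAC one: `ret = 0` in the iommufd branch leaves the iommufd device node with its default label, so an svirt-confined QEMU cannot open it. Either label /dev/vfio/devices/vfioN here via virSecuritySELinuxSetHostdevLabelHelper (with the mirror-image restore in virSecuritySELinuxRestoreHostdevSubsysLabel), or document where that label is applied.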
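Review bot: in the last virt-aa-helper.c hunk, `} else if (needsVfio) {` drops the legacy /dev/vfio/vfio and /dev/vfio/[0-9]* rules as soon as any single hostdev sets `needsIommufd`, but both flags are accumulated per device in the loop above, so a domain that mixes an iommufd hostdev with a legacy VFIO hostdev ends up with a profile that denies the legacy nodes. Make them two independent `if` blocks. Also, the new rules use `rwm` where the existing VFIO rules use `rw`; the AppArmor `m` permission allows PROT_EXEC mappings, and VFIO region mappings are data mappings, so unless there is a concrete need for `m` on /dev/iommu or the device nodes, `rw` keeps the profile at the same privilege level as today.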