Implement proper isolation and access control for EGM memory devices:
- Add device to cgroup for access control
- Set up namespace mappings for device access
- Ensure proper permissions in containerized environments
- Label the EGM device path under the SELinux, AppArmor and DAC
security drivers (and restore the label on teardown) so that the
QEMU process is permitted to open it; this grants access through
those mechanisms rather than bypassing them
Signed-off-by: Nathan Chen <nathanc@nvidia.com>
---
src/qemu/qemu_cgroup.c | 10 ++++++++++
src/qemu/qemu_namespace.c | 3 +++
src/security/apparmor/usr.sbin.libvirtd.in | 3 +++
src/security/security_apparmor.c | 2 ++
src/security/security_dac.c | 8 ++++++++
src/security/security_selinux.c | 6 ++++++
src/security/virt-aa-helper.c | 4 ++++
7 files changed, 36 insertions(+)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 7dadef0739..8b70740121 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -577,6 +577,11 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
VIR_CGROUP_DEVICE_RW, false) < 0)
return -1;
break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ if (qemuCgroupAllowDevicePath(vm, mem->source.egm.path,
+ VIR_CGROUP_DEVICE_RW, false) < 0)
+ return -1;
+ break;
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
@@ -615,6 +620,11 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
VIR_CGROUP_DEVICE_RW, false) < 0)
return -1;
break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ if (qemuCgroupDenyDevicePath(vm, mem->source.egm.path,
+ VIR_CGROUP_DEVICE_RWM, false) < 0)
+ return -1;
+ break;
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
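Review bot: The teardown case for EGM denies `VIR_CGROUP_DEVICE_RWM`, while the matching setup hunk above only ever allowed `VIR_CGROUP_DEVICE_RW` and the neighbouring case at the top of this hunk denies with `VIR_CGROUP_DEVICE_RW`. Revoking a permission that was never granted is harmless, but the allow/deny pair no longer mirrors each other, which reads as a copy-paste slip and makes auditing cgroup grants harder later. Use `VIR_CGROUP_DEVICE_RW` here, or if revoking mknod as well is deliberate, say so in a one-line comment. qemuTeardownMemoryDevicesCgroup continues outside the hunk.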
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index c689cc3e40..f6404cb280 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -394,6 +394,9 @@ qemuDomainSetupMemory(virDomainMemoryDef *mem,
*paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_SGX_VEPVC));
*paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_SGX_PROVISION));
break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ *paths = g_slist_prepend(*paths, g_strdup(mem->source.egm.path));
+ break;
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
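Review bot: Unlike the SGX constants in the lines above, the EGM path pushed onto the mount list comes verbatim from the domain XML (`mem->source.egm.path`), and nothing in this hunk shows it being checked for NULL or constrained to a device node. If the path can be absent, `g_strdup(NULL)` yields a NULL list entry that the mount code will later trip over; if it can point outside `/dev`, the behaviour presumably follows whatever the namespace code does for non-/dev paths (likely skipped, with QEMU then failing with a confusing EACCES). Either guard the push, e.g. `if (mem->source.egm.path)`, or note where the parser guarantees the path, such as `/* path validated at parse time to be a /dev node */`. qemuDomainSetupMemory continues outside the hunk.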
diff --git a/src/security/apparmor/usr.sbin.libvirtd.in b/src/security/apparmor/usr.sbin.libvirtd.in
index 6267e4f737..2a6a4b979c 100644
--- a/src/security/apparmor/usr.sbin.libvirtd.in
+++ b/src/security/apparmor/usr.sbin.libvirtd.in
@@ -47,6 +47,9 @@ profile libvirtd @sbindir@/libvirtd flags=(attach_disconnected) {
mount options=(rw, move) /{,var/}run/libvirt/qemu/*{,/} -> /dev/**,
umount /{,var/}run/libvirt/qemu/*{,/},
+ # Allow bind mounting EGM devices into qemu namespaces
+ mount options=(rw, bind) /dev/egm* -> /{,var/}run/libvirt/qemu/**,
+
network inet stream,
network inet dgram,
network inet6 stream,
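Review bot: The new mount rule only permits bind-mounting sources that match `/dev/egm*`, whereas the rest of this patch takes the EGM device path straight from the domain XML; any configured path that does not match this glob will be refused by AppArmor when the QEMU namespace is built, with no hint in the profile about why. Either the parser must restrict the source path to this pattern (not visible in this series) or the rule should be widened to match what the XML schema accepts. A comment tying the two together would help, e.g. `# Must match the EGM <source path> values accepted by the domain XML parser`.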
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 68ac39611f..ea04e756d6 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -631,6 +631,8 @@ AppArmorSetMemoryLabel(virSecurityManager *mgr,
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ path = mem->source.egm.path;
case VIR_DOMAIN_MEMORY_MODEL_LAST:
break;
}
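Review bot: The new `case VIR_DOMAIN_MEMORY_MODEL_EGM:` assigns `path` and then falls through into the `VIR_DOMAIN_MEMORY_MODEL_LAST` label without a `break;`. It is harmless today because that label only breaks, but any statement later added under `LAST` would silently execute for EGM, and the build may flag it if implicit-fallthrough warnings are enabled. Add `break;` after `path = mem->source.egm.path;`, or mark the fallthrough explicitly with the project's macro if it is intended. AppArmorSetMemoryLabel continues outside the hunk.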
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 2f788b872a..2d79009ee9 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1890,6 +1890,9 @@ virSecurityDACRestoreMemoryLabel(virSecurityManager *mgr,
* don't need to restore anything. */
break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ return virSecurityDACRestoreFileLabel(mgr, mem->source.egm.path);
+
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
case VIR_DOMAIN_MEMORY_MODEL_LAST:
@@ -2121,6 +2124,11 @@ virSecurityDACSetMemoryLabel(virSecurityManager *mgr,
return -1;
break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ return virSecurityDACSetOwnership(mgr, NULL,
+ mem->source.egm.path,
+ user, group, true);
+
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
case VIR_DOMAIN_MEMORY_MODEL_LAST:
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index 2f3cc274a5..b288778634 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1666,6 +1666,9 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
seclabel->imagelabel, true) < 0)
return -1;
break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ path = mem->source.egm.path;
+ break;
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
@@ -1709,6 +1712,9 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager *mgr,
if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true, false) < 0)
ret = -1;
return ret;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ path = mem->source.egm.path;
+ break;
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index de0a826063..0e387dd4be 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1194,6 +1194,10 @@ get_files(vahControl * ctl)
return -1;
}
break;
+ case VIR_DOMAIN_MEMORY_MODEL_EGM:
+ if (vah_add_file(&buf, mem->source.egm.path, "rw") != 0)
+ return -1;
+ break;
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
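Review bot: `vah_add_file(&buf, mem->source.egm.path, "rw")` is called without checking that the path is set; the closing `}` just above this case suggests the preceding case wraps its call in a multi-line condition, which may include a non-NULL guard. If the EGM path can be absent or empty, guard it the same way, `if (mem->source.egm.path && vah_add_file(&buf, mem->source.egm.path, "rw") != 0)`; otherwise a one-line comment noting that the parser guarantees the path would settle it. Note also that the per-VM rule generated here accepts any path while the libvirtd profile in this patch only allows `/dev/egm*` for the bind mount, so the two will disagree on a non-matching path. get_files continues outside the hunk.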
--
2.43.0