To: devel@lists.libvirt.org
Subject: [PATCH v3 6/7] qemu: Update Cgroup, namespace, and seclabel for iommufd
Date: Thu, 18 Dec 2025 18:19:24 -0800
Message-ID: <20251219021925.1864433-7-nathanc@nvidia.com>
In-Reply-To: <20251219021925.1864433-1-nathanc@nvidia.com>
References: <20251219021925.1864433-1-nathanc@nvidia.com>
CC: skolothumtho@nvidia.com, nicolinc@nvidia.com, nathanc@nvidia.com, mochs@nvidia.com
List-Id: Development discussions about the libvirt library & tools
From: Nathan Chen via Devel
Reply-To: Nathan Chen

From: Nathan Chen

When launching a qemu VM with the iommufd feature enabled for VFIO hostdevs:

- Do not allow cgroup, namespace, and seclabel access to VFIO paths
  (/dev/vfio/vfio and /dev/vfio/)
- Allow access to iommufd paths (/dev/iommu and /dev/vfio/devices/vfio*)
  for AppArmor, SELinux, and DAC
Signed-off-by: Nathan Chen --- src/qemu/qemu_cgroup.c | 26 +++++++------- src/qemu/qemu_namespace.c | 16 +++++---- src/security/security_apparmor.c | 33 ++++++++++++++---- src/security/security_dac.c | 60 ++++++++++++++++++++++++++------ src/security/security_selinux.c | 58 ++++++++++++++++++++++++------ src/security/virt-aa-helper.c | 32 +++++++++++++---- 6 files changed, 172 insertions(+), 53 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 7dadef0739..7190a4f80f 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -479,21 +479,23 @@ qemuSetupHostdevCgroup(virDomainObj *vm, g_autofree char *path =3D NULL; int perms; =20 - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) - return 0; + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_BOOL_YES= ) { + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DE= VICES)) + return 0; =20 - if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) - return -1; + if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) + return -1; =20 - if (path && - qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) { - return -1; - } + if (path && + qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) { + return -1; + } =20 - if (virHostdevNeedsVFIO(dev) && - qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO, - VIR_CGROUP_DEVICE_RW, false) < 0) { - return -1; + if (virHostdevNeedsVFIO(dev) && + qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO, + VIR_CGROUP_DEVICE_RW, false) < 0) { + return -1; + } } =20 return 0; diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index c689cc3e40..907b2773cf 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c 
@@ -345,15 +345,17 @@ qemuDomainSetupHostdev(virDomainObj *vm, { g_autofree char *path =3D NULL; =20 - if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) - return -1; + if (hostdev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_BOOL= _YES) { + if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) + return -1; =20 - if (path) - *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path)); + if (path) + *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path)); =20 - if (virHostdevNeedsVFIO(hostdev) && - (!hotplug || !qemuDomainNeedsVFIO(vm->def))) - *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_VFIO)); + if (virHostdevNeedsVFIO(hostdev) && + (!hotplug || !qemuDomainNeedsVFIO(vm->def))) + *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_VFIO)); + } =20 return 0; } diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 68ac39611f..999275dac1 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c 
@@ -848,14 +848,33 @@ AppArmorSetSecurityHostdevLabel(virSecurityManager *m= gr, goto done; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); - - if (!vfioGroupDev) { - virPCIDeviceFree(pci); - goto done; + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); + + if (!vfioGroupDev) { + virPCIDeviceFree(pci); + goto done; + } + ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr= ); + VIR_FREE(vfioGroupDev); + } else { + g_autofree char *vfiofdDev =3D NULL; + const char *iommufdDir =3D "/dev/iommu"; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; + + if (!virFileExists(iommufdDir)) + return -1; + + ret =3D AppArmorSetSecurityPCILabel(pci, vfiofdDev, ptr); + if (ret) + return ret; + + ret =3D AppArmorSetSecurityPCILabel(pci, iommufdDir, ptr); + if (ret) + return ret; } - ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr); - VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILab= el, ptr); } diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2f788b872a..09e26033ac 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c 
@@ -1282,14 +1282,33 @@ virSecurityDACSetHostdevLabel(virSecurityManager *m= gr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, + false, + &cbdata); + } else { + g_autofree char *vfiofdDev =3D NULL; + const char *iommufdDir =3D "/dev/iommu"; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, - false, - &cbdata); + if (!virFileExists(iommufdDir)) + return -1; + + ret =3D virSecurityDACSetHostdevLabelHelper(vfiofdDev, fal= se, &cbdata); + if (ret) + return ret; + + ret =3D virSecurityDACSetHostdevLabelHelper(iommufdDir, fa= lse, &cbdata); + if (ret) + return ret; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACSetPCILabel, 
@@ -1443,13 +1462,34 @@ virSecurityDACRestoreHostdevLabel(virSecurityManage= r *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; =20 - ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfioGroupDev, fal= se); + } else { + g_autofree char *vfiofdDev =3D NULL; + const char *iommufdDir =3D "/dev/iommu"; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; + + if (!virFileExists(iommufdDir)) + return -1; + + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + vfiofdDev, fa= lse); + if (ret) + return ret; + + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + iommufdDir, f= alse); + if (ret) + return ret; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACRestorePCIL= abel, mgr); } diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 2f3cc274a5..1dd0a9706a 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c 
@@ -2256,14 +2256,33 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurity= Manager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupD= ev, + false, + &data); + } else { + g_autofree char *vfiofdDev =3D NULL; + const char *iommufdDir =3D "/dev/iommu"; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupDev, - false, - &data); + if (!virFileExists(iommufdDir)) + return -1; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfiofdDev,= false, &data); + if (ret) + return ret; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(iommufdDir= , false, &data); + if (ret) + return ret; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxSetPCIL= abel, &data); } 
@@ -2491,12 +2510,31 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecu= rityManager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupD= ev, false, false); + } else { + g_autofree char *vfiofdDev =3D NULL; + const char *iommufdDir =3D "/dev/iommu"; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupDev, = false, false); + if (!virFileExists(iommufdDir)) + return -1; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfiofdDev,= false, false); + if (ret) + return ret; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, iommufdDir= , false, false); + if (ret) + return ret; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxRestore= PCILabel, mgr); } diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index de0a826063..5b320fbc89 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -1114,8 +1114,9 @@ get_files(vahControl * ctl) =20 virDeviceHostdevPCIDriverName driverName =3D dev->source.subsy= s.u.pci.driver.name; =20 - if (driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO = || - driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_DEFAU= LT) { + if ((driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO= || + driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_DEFAU= LT) && + dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { needsVfio =3D true; } =20 
@@ -1348,6 +1349,7 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); } + if (needsgl) { /* if using gl all sorts of further dri related paths will be need= ed */ virBufferAddLit(&buf, " # DRI/Mesa/(e)GL config and driver paths\= n"); @@ -1385,9 +1387,18 @@ get_files(vahControl * ctl) } } =20 - if (ctl->newfile && - vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) { - return -1; + if (ctl->newfile) { + const char *perms =3D "rwk"; + + /* VFIO and iommufd devices need mmap permission */ + if (STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio") || + STREQ(ctl->newfile, "/dev/iommu")) { + perms =3D "rwm"; + } + + if (vah_add_file(&buf, ctl->newfile, perms) !=3D 0) { + return -1; + } } =20 ctl->files =3D virBufferContentAndReset(&buf); @@ -1561,8 +1572,15 @@ main(int argc, char **argv) } } if (ctl->append && ctl->newfile) { - if (vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) - goto cleanup; + const char *perms =3D "rwk"; + + if (STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio") || + STREQ(ctl->newfile, "/dev/iommu")) { + perms =3D "rwm"; + } + + if (vah_add_file(&buf, ctl->newfile, perms) !=3D 0) + return -1; } else { if (ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_QEMU || ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_KQEMU || --=20 2.43.0
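Review bot: in the qemu_cgroup.c hunk (qemuSetupHostdevCgroup), the new guard `if (dev->source.subsys.u.pci.driver.iommufd != VIR_TRISTATE_BOOL_YES)` reads the `u.pci` union member before anything has established that this hostdev is a PCI subsys device, so for USB, SCSI or mdev hostdevs it tests whatever overlaps that field; check `dev->source.subsys.type` first, or move the test into a small helper that does. Note also that for the iommufd case the function now grants nothing to the devices cgroup at all: neither /dev/iommu nor the /dev/vfio/devices/vfio* cdev is allowed, and the commit message lists only AppArmor, SELinux and DAC as gaining access. With the devices controller enabled QEMU will be denied those nodes unless another patch in the series allows them, so either call qemuCgroupAllowDevicePath() for them here or state in the commit message where that happens. An early `return 0` for the iommufd case would also avoid re-indenting the whole existing body.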
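Review bot: the qemu_namespace.c hunk (qemuDomainSetupHostdev) has the same two problems: `hostdev->source.subsys.u.pci.driver.iommufd` is dereferenced for every hostdev type, and when iommufd is selected no path is prepended to `*paths`, so the domain's private mount namespace will contain neither /dev/iommu nor the vfio cdev. Guard the union access with a subsys type check and add the iommufd paths to `*paths` (mirroring the `QEMU_DEV_VFIO` handling), or explain in the commit message why the namespace needs nothing here.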
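Review bot: in the security_apparmor.c hunk (AppArmorSetSecurityHostdevLabel), the iommufd branch uses bare `return -1` and `return ret` where the surrounding code frees `pci` and jumps to `done`; the removed lines `virPCIDeviceFree(pci); goto done;` show that `pci` is owned at this point, so each of the four early returns leaks it and skips the cleanup at `done:`. Set `ret` and use `virPCIDeviceFree(pci); goto done;` like the existing path. The `if (!virFileExists(iommufdDir)) return -1;` check also fails silently; report an error so the user can see why labelling failed. Finally, `const char *iommufdDir = "/dev/iommu";` is duplicated in every driver touched by this patch; a single shared define alongside QEMU_DEV_VFIO would keep the path in one place.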
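Review bot: in the security_dac.c set hunk (virSecurityDACSetHostdevLabel), the `if (ret) return ret;` lines after each virSecurityDACSetHostdevLabelHelper() call leave the function early, unlike the existing branch which assigns `ret` and falls through to the common tail; keep the flow consistent so any cleanup after the if/else is not skipped. The failures of virPCIDeviceGetVfioPath() and `virFileExists(iommufdDir)` also return -1 without a reported error. The vfiofdDev/iommufdDir block is repeated verbatim in the restore counterpart and in both SELinux hunks; resolving the two paths once in a shared helper would reduce the four copies to one.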
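Review bot: in the security_dac.c restore hunk (virSecurityDACRestoreHostdevLabel), `virSecurityDACRestoreFileLabelInternal(mgr, NULL, iommufdDir, false)` restores ownership of /dev/iommu, which is a node shared by every iommufd-backed domain on the host; restoring it when one domain stops removes access for the others still running. The existing branch only restores the per-device node `vfioGroupDev` for exactly this reason, so treat /dev/iommu the same way (leave it alone on restore, or route it through the remember/refcount machinery). Also, returning -1 when `virFileExists(iommufdDir)` fails means the cdev label is never restored if /dev/iommu has gone away; restore should be best-effort and still handle `vfiofdDev`.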
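Review bot: in the security_selinux.c set hunk (virSecuritySELinuxSetHostdevSubsysLabel), `virSecuritySELinuxSetHostdevLabelHelper(iommufdDir, false, &data)` applies this domain's per-VM context to the shared /dev/iommu node, so starting a second iommufd domain with a different MCS category will either relabel it away from the first domain or fail on the conflicting remembered label. Decide explicitly how /dev/iommu should be labelled (a shared, non-per-domain context as for other shared device nodes) and document it in the commit message. As in the DAC hunk, the `return -1` paths report no error and the `if (ret) return ret;` lines skip the common tail.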
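Review bot: the security_selinux.c restore hunk (virSecuritySELinuxRestoreHostdevSubsysLabel) has the same shared-node problem as the DAC restore: `virSecuritySELinuxRestoreFileLabel(mgr, iommufdDir, false, false)` resets /dev/iommu on every domain shutdown while other iommufd domains may still be using it, and the `virFileExists(iommufdDir)` bail-out prevents `vfiofdDev` from being restored. Restore only the per-device cdev here and handle /dev/iommu the same way as the shared VFIO container node.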
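Review bot: in the virt-aa-helper.c hunk at get_files (the `needsVfio` condition), excluding iommufd hostdevs from `needsVfio` means the initial profile built by get_files never mentions /dev/iommu or /dev/vfio/devices/vfio*; access for these domains depends entirely on the later `ctl->newfile` append path. For symmetry with the `"/dev/vfio/vfio" rw` and `"/dev/vfio/[0-9]*" rw` lines emitted under `needsVfio`, consider a `needsIommufd` flag that emits `"/dev/iommu" rwm` and `"/dev/vfio/devices/vfio*" rwm` in the base profile.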
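Review bot: the hunk at get_files line 1348 adds only a blank line after the `needsVfio` block with no functional change; drop it to keep the diff focused.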
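Review bot: in the `ctl->newfile` hunk of get_files, the permission string changes from `"rwk"` to `"rwm"` for iommufd paths, which adds `m` but silently drops the `k` (lock) permission the old rule carried; if locking is genuinely not needed for these nodes, say so in the comment, otherwise use `"rwkm"`. The STRPREFIX/STREQ selection of `perms` is duplicated in main(); factor it into a helper such as a file-to-perms lookup so both call sites agree.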
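Review bot: in the main() hunk, `if (vah_add_file(&buf, ctl->newfile, perms) != 0) return -1;` replaces the previous `goto cleanup;`, so a failure now returns from main() without running the cleanup path that the rest of the function relies on; keep `goto cleanup` here. This hunk also duplicates the perms selection from get_files, which the shared helper suggested above would remove.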