To: devel@lists.libvirt.org
Subject: [PATCH v4 6/7] qemu: Update Cgroup, namespace, and seclabel for iommufd
Date: Tue, 6 Jan 2026 18:49:37 -0800
Message-ID: <20260107024938.461794-7-nathanc@nvidia.com>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20260107024938.461794-1-nathanc@nvidia.com>
References: <20260107024938.461794-1-nathanc@nvidia.com>
From: Nathan Chen via Devel
Reply-To: Nathan Chen
CC: skolothumtho@nvidia.com, nicolinc@nvidia.com, nathanc@nvidia.com, mochs@nvidia.com
List-Id: Development discussions about the libvirt library & tools

From: Nathan Chen

When launching a qemu VM with the iommufd feature enabled for VFIO hostdevs:

- Do not allow cgroup, namespace, and seclabel access to VFIO paths (/dev/vfio/vfio and /dev/vfio/)
- Allow access to iommufd paths (/dev/iommu and /dev/vfio/devices/vfio*) for AppArmor, SELinux, and DAC
Signed-off-by: Nathan Chen --- src/qemu/qemu_cgroup.c | 26 +++++++------- src/qemu/qemu_namespace.c | 16 +++++---- src/security/security_apparmor.c | 32 +++++++++++++---- src/security/security_dac.c | 59 ++++++++++++++++++++++++++------ src/security/security_selinux.c | 57 ++++++++++++++++++++++++------ src/security/virt-aa-helper.c | 33 ++++++++++++++---- 6 files changed, 170 insertions(+), 53 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 7dadef0739..7190a4f80f 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -479,21 +479,23 @@ qemuSetupHostdevCgroup(virDomainObj *vm, g_autofree char *path =3D NULL; int perms; =20 - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) - return 0; + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_BOOL_YES= ) { + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DE= VICES)) + return 0; =20 - if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) - return -1; + if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) + return -1; =20 - if (path && - qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) { - return -1; - } + if (path && + qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) { + return -1; + } =20 - if (virHostdevNeedsVFIO(dev) && - qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO, - VIR_CGROUP_DEVICE_RW, false) < 0) { - return -1; + if (virHostdevNeedsVFIO(dev) && + qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO, + VIR_CGROUP_DEVICE_RW, false) < 0) { + return -1; + } } =20 return 0; diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index c689cc3e40..907b2773cf 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c 
@@ -345,15 +345,17 @@ qemuDomainSetupHostdev(virDomainObj *vm, { g_autofree char *path =3D NULL; =20 - if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) - return -1; + if (hostdev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_BOOL= _YES) { + if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) + return -1; =20 - if (path) - *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path)); + if (path) + *paths =3D g_slist_prepend(*paths, g_steal_pointer(&path)); =20 - if (virHostdevNeedsVFIO(hostdev) && - (!hotplug || !qemuDomainNeedsVFIO(vm->def))) - *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_VFIO)); + if (virHostdevNeedsVFIO(hostdev) && + (!hotplug || !qemuDomainNeedsVFIO(vm->def))) + *paths =3D g_slist_prepend(*paths, g_strdup(QEMU_DEV_VFIO)); + } =20 return 0; } diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 68ac39611f..362ca09562 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c 
@@ -848,14 +848,32 @@ AppArmorSetSecurityHostdevLabel(virSecurityManager *m= gr, goto done; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); - - if (!vfioGroupDev) { - virPCIDeviceFree(pci); - goto done; + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); + + if (!vfioGroupDev) { + virPCIDeviceFree(pci); + goto done; + } + ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr= ); + VIR_FREE(vfioGroupDev); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; + + if (!virIOMMUFDSupported()) + return -1; + + ret =3D AppArmorSetSecurityPCILabel(pci, vfiofdDev, ptr); + if (ret) + return ret; + + ret =3D AppArmorSetSecurityPCILabel(pci, VIR_IOMMU_DEV_PAT= H, ptr); + if (ret) + return ret; } - ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr); - VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILab= el, ptr); } diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2f788b872a..fbe216637f 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -41,6 +41,7 @@ #include "virscsivhost.h" #include "virstring.h" #include "virutil.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 
@@ -1282,14 +1283,32 @@ virSecurityDACSetHostdevLabel(virSecurityManager *m= gr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, + false, + &cbdata); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, - false, - &cbdata); + if (!virIOMMUFDSupported()) + return -1; + + ret =3D virSecurityDACSetHostdevLabelHelper(vfiofdDev, fal= se, &cbdata); + if (ret) + return ret; + + ret =3D virSecurityDACSetHostdevLabelHelper(VIR_IOMMU_DEV_= PATH, false, &cbdata); + if (ret) + return ret; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACSetPCILabel, 
@@ -1443,13 +1462,33 @@ virSecurityDACRestoreHostdevLabel(virSecurityManage= r *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; =20 - ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfioGroupDev, fal= se); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; + + if (!virIOMMUFDSupported()) + return -1; + + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + vfiofdDev, fa= lse); + if (ret) + return ret; + + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + VIR_IOMMU_DEV= _PATH, false); + if (ret) + return ret; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACRestorePCIL= abel, mgr); } diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 2f3cc274a5..05086ad9e1 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -41,6 +41,7 @@ #include "virconf.h" #include "virtpm.h" #include "virstring.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 
@@ -2256,14 +2257,32 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurity= Manager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupD= ev, + false, + &data); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupDev, - false, - &data); + if (!virIOMMUFDSupported()) + return -1; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfiofdDev,= false, &data); + if (ret) + return ret; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(VIR_IOMMU_= DEV_PATH, false, &data); + if (ret) + return ret; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxSetPCIL= abel, &data); } 
@@ -2491,12 +2510,30 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecu= rityManager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupD= ev, false, false); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupDev, = false, false); + if (!virIOMMUFDSupported()) + return -1; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfiofdDev,= false, false); + if (ret) + return ret; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, VIR_IOMMU_= DEV_PATH, false, false); + if (ret) + return ret; + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxRestore= PCILabel, mgr); } diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index de0a826063..43046ab831 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -50,6 +50,7 @@ #include "virstring.h" #include "virgettext.h" #include "virhostdev.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 
@@ -1114,8 +1115,9 @@ get_files(vahControl * ctl) =20 virDeviceHostdevPCIDriverName driverName =3D dev->source.subsy= s.u.pci.driver.name; =20 - if (driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO = || - driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_DEFAU= LT) { + if ((driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO= || + driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_DEFAU= LT) && + dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { needsVfio =3D true; } =20 @@ -1348,6 +1350,7 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); } + if (needsgl) { /* if using gl all sorts of further dri related paths will be need= ed */ virBufferAddLit(&buf, " # DRI/Mesa/(e)GL config and driver paths\= n"); @@ -1385,9 +1388,18 @@ get_files(vahControl * ctl) } } =20 - if (ctl->newfile && - vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) { - return -1; + if (ctl->newfile) { + const char *perms =3D "rwk"; + + /* VFIO and iommufd devices need mmap permission */ + if (STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio") || + STREQ(ctl->newfile, VIR_IOMMU_DEV_PATH)) { + perms =3D "rwm"; + } + + if (vah_add_file(&buf, ctl->newfile, perms) !=3D 0) { + return -1; + } } =20 ctl->files =3D virBufferContentAndReset(&buf); @@ -1561,8 +1573,15 @@ main(int argc, char **argv) } } if (ctl->append && ctl->newfile) { - if (vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) - goto cleanup; + const char *perms =3D "rwk"; + + if (STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio") || + STREQ(ctl->newfile, VIR_IOMMU_DEV_PATH)) { + perms =3D "rwm"; + } + + if (vah_add_file(&buf, ctl->newfile, perms) !=3D 0) + return -1; } else { if (ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_QEMU || ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_KQEMU || --=20 2.43.0
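Review bot: in the qemu_cgroup.c hunk, `dev->source.subsys.u.pci.driver.iommufd` is read before anything has established that this hostdev is a PCI device; qemuSetupHostdevCgroup is reached for every subsys type (the unchanged body still calls qemuDomainGetHostdevPath for the generic case), and `u` is a union, so for a USB, SCSI or mdev hostdev the comparison reads overlapping bytes of another member. Guard it with `dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI &&` before the iommufd test. Also, an early `if (is_iommufd) return 0;` would express the same thing without re-indenting the whole function, and the commit message should say why the device cgroup needs no entry for /dev/iommu or /dev/vfio/devices/vfio* at all (presumably because QEMU never opens them itself), since the same message adds those paths for the three security drivers.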
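Review bot: the qemu_namespace.c hunk has the same union problem: qemuDomainSetupHostdev takes any hostdev, and `hostdev->source.subsys.u.pci.driver.iommufd` is evaluated without first checking `hostdev->source.subsys.type`. Add the PCI type check (or a small helper such as a `virHostdevIsIOMMUFD(hostdev)` that does both checks, used by the cgroup hunk too). Note too that with this change an iommufd hostdev contributes no path at all to the mount namespace, not even /dev/iommu; if QEMU gets these devices purely as passed file descriptors that is fine, but please state it in the commit message so the asymmetry with the seclabel hunks is clearly intentional.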
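Review bot: in the security_apparmor.c hunk the new `else` branch leaks `pci`: the existing branch does `virPCIDeviceFree(pci); goto done;`, but the iommufd branch uses bare `return -1;` and `return ret;` on every failure path, so `pci` is never freed and whatever `done:` performs is skipped. Replace those with `virPCIDeviceFree(pci); goto done;` (or make `pci` a `g_autoptr(virPCIDevice)` as the DAC/SELinux drivers already appear to do, given their bare `return -1`). Separately, `virIOMMUFDSupported()` is tested only after `virPCIDeviceGetVfioPath()` has run; checking support first, or once at domain validation time, avoids doing the lookup for nothing.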
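Review bot: in the virSecurityDACSetHostdevLabel hunk, `if (!virIOMMUFDSupported()) return -1;` appears after the path lookup and is then repeated verbatim in four more hunks of this patch; if virIOMMUFDSupported() does not itself call virReportError, this bare `return -1` fails the domain start with no message. Hoist the support check into a single place (domain validation or qemu prepare) and drop it from the per-driver label code. Minor: `pcisrc` is already in scope here, so `virPCIDeviceGetVfioPath(&pcisrc->addr, ...)` and `pcisrc->driver.iommufd` read better than re-walking `dev->source.subsys.u.pci`.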
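Review bot: in the virSecurityDACRestoreHostdevLabel hunk, `if (ret) return ret;` after the vfiofdDev restore means a failure on the device node skips restoring VIR_IOMMU_DEV_PATH entirely; restore paths in these drivers are best effort (the unchanged vfioGroupDev branch just assigns `ret` and falls through), so restore both paths and return the first error afterwards. Also, /dev/iommu is shared by every iommufd-backed domain on the host, so restoring its ownership when one domain is torn down is only safe if the label-remembering refcount covers it; a comment saying this is relied upon (and a test with two such domains) would help.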
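Review bot: the virSecuritySELinuxSetHostdevSubsysLabel hunk is a line-for-line copy of the DAC set hunk (path lookup, support check, two labelling calls with early returns). Since the iommufd case is always exactly two paths, the cdev node from `virPCIDeviceGetVfioPath()` plus VIR_IOMMU_DEV_PATH, a shared helper that fills a small path list for a hostdev would let DAC, SELinux and AppArmor each loop over it with their own callback, the way `virPCIDeviceFileIterate()` already serves the non-VFIO case, and would remove four copies of the same block from this patch.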
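Review bot: in the virSecuritySELinuxRestoreHostdevSubsysLabel hunk the early `return ret` after `virSecuritySELinuxRestoreFileLabel(mgr, vfiofdDev, ...)` has the same problem as the DAC restore hunk: one failed restore leaves VIR_IOMMU_DEV_PATH with the domain's label. Restore both files unconditionally and report the first failure at the end.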
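Review bot: in the virt-aa-helper.c get_files hunk around line 1350, the added blank line before `if (needsgl)` is an unrelated whitespace-only change; drop it from this patch.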
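Review bot: in the `ctl->newfile` hunk of get_files, "rwm" replaces "rwk" rather than extending it, so the lock permission the generic path had is silently dropped for these two device nodes; if that is intended say so in the comment, otherwise use "rwkm". The comment "need mmap permission" also deserves a citation of the actual AppArmor denial: AppArmor's `m` governs memory mapping with PROT_EXEC, while the existing VFIO rules in this same function (`"/dev/vfio/vfio" rw`, `"/dev/vfio/[0-9]*" rw`) get by without it, so it is not obvious why the cdev path needs it. Finally, the prefix/path test and the perms choice are duplicated verbatim in main(); factor them into one helper.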
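Review bot: in the main() hunk, `return -1;` replaces the previous `goto cleanup;`, so a vah_add_file() failure now skips the cleanup label and returns -1 from main (exit status 255) instead of whatever rc cleanup produces; keep `goto cleanup`. The perms selection here should share a helper with the identical block in get_files rather than repeating the STRPREFIX/STREQ pair.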