From: Nathan Chen via Devel
Reply-To: Nathan Chen
To: devel@lists.libvirt.org
CC: skolothumtho@nvidia.com, nicolinc@nvidia.com, nathanc@nvidia.com, mochs@nvidia.com
Subject: [PATCH v5 6/7] qemu: Update Cgroup, namespace, and seclabel for iommufd
Date: Fri, 16 Jan 2026 17:39:36 -0800
Message-ID: <20260117013937.3803457-7-nathanc@nvidia.com>
In-Reply-To: <20260117013937.3803457-1-nathanc@nvidia.com>
References: <20260117013937.3803457-1-nathanc@nvidia.com>
X-Mailer: git-send-email 2.43.0
List-Id: Development discussions about the libvirt library & tools
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
From: Nathan Chen

When launching a qemu VM with the iommufd feature enabled for VFIO hostdevs:
- Do not allow cgroup, namespace, and seclabel access to VFIO paths (/dev/vfio/vfio and /dev/vfio/)
- Allow access to iommufd paths (/dev/iommu and /dev/vfio/devices/vfio*) for AppArmor, SELinux, and DAC

Signed-off-by: Nathan Chen
---
 src/qemu/qemu_cgroup.c           |  3 ++
 src/qemu/qemu_namespace.c        |  3 ++
 src/security/security_apparmor.c | 31 ++++++++++++++------
 src/security/security_dac.c      | 49 +++++++++++++++++++++++++-------
 src/security/security_selinux.c  | 47 +++++++++++++++++++++++-------
 src/security/virt-aa-helper.c    | 33 ++++++++++++++++-----
 6 files changed, 130 insertions(+), 36 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 7dadef0739..6148990f19 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -479,6 +479,9 @@ qemuSetupHostdevCgroup(virDomainObj *vm, g_autofree char *path =3D NULL; int perms; =20 + if (dev->source.subsys.u.pci.driver.iommufd =3D=3D VIR_TRISTATE_BOOL_Y= ES) + return 0; + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) return 0; =20 diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index c689cc3e40..fb0734193d 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c @@ -345,6 +345,9 @@ qemuDomainSetupHostdev(virDomainObj *vm, { g_autofree char *path =3D NULL; =20 + if (hostdev->source.subsys.u.pci.driver.iommufd =3D=3D VIR_TRISTATE_BO= OL_YES) + return 0; + if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) return -1; =20 diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 68ac39611f..e7987b54b4 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -45,6 +45,7 @@ #include "virstring.h" #include "virscsi.h" #include "virmdev.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20
@@ -841,25 +842,37 @@ AppArmorSetSecurityHostdevLabel(virSecurityManager *m= gr, } =20 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: { - virPCIDevice *pci =3D + g_autoptr(virPCIDevice) pci =3D virPCIDeviceNew(&pcisrc->addr); =20 if (!pci) goto done; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); - - if (!vfioGroupDev) { - virPCIDeviceFree(pci); - goto done; + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); + + if (!vfioGroupDev) { + virPCIDeviceFree(pci); + goto done; + } + ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr= ); + VIR_FREE(vfioGroupDev); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + goto done; + + ret =3D AppArmorSetSecurityPCILabel(pci, vfiofdDev, ptr); + if (ret < 0) + goto done; + + ret =3D AppArmorSetSecurityPCILabel(pci, VIR_IOMMU_DEV_PAT= H, ptr); } - ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr); - VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILab= el, ptr); } - virPCIDeviceFree(pci); break; } =20 diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2f788b872a..d0ed22db2d 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -41,6 +41,7 @@ #include "virscsivhost.h" #include "virstring.h" #include "virutil.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 
@@ -1282,14 +1283,27 @@ virSecurityDACSetHostdevLabel(virSecurityManager *m= gr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, + false, + &cbdata); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, - false, - &cbdata); + ret =3D virSecurityDACSetHostdevLabelHelper(vfiofdDev, fal= se, &cbdata); + if (ret < 0) + break; + + ret =3D virSecurityDACSetHostdevLabelHelper(VIR_IOMMU_DEV_= PATH, false, &cbdata); + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACSetPCILabel, 
@@ -1443,13 +1457,28 @@ virSecurityDACRestoreHostdevLabel(virSecurityManage= r *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; =20 - ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfioGroupDev, fal= se); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; + + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + vfiofdDev, fa= lse); + if (ret < 0) + break; + + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + VIR_IOMMU_DEV= _PATH, false); + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACRestorePCIL= abel, mgr); } diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 2f3cc274a5..834383a7de 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -41,6 +41,7 @@ #include "virconf.h" #include "virtpm.h" #include "virstring.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 
@@ -2256,14 +2257,27 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurity= Manager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupD= ev, + false, + &data); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupDev, - false, - &data); + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfiofdDev,= false, &data); + if (ret) + break; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(VIR_IOMMU_= DEV_PATH, false, &data); + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxSetPCIL= abel, &data); } 
@@ -2491,12 +2505,25 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecu= rityManager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupD= ev, false, false); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupDev, = false, false); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfiofdDev,= false, false); + if (ret < 0) + break; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, VIR_IOMMU_= DEV_PATH, false, false); + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxRestore= PCILabel, mgr); } diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index e365d02af4..82dfb3d3af 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -50,6 +50,7 @@ #include "virstring.h" #include "virgettext.h" #include "virhostdev.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 @@ -1114,8 +1115,9 @@ get_files(vahControl * ctl) =20 virDeviceHostdevPCIDriverName driverName =3D dev->source.subsy= s.u.pci.driver.name; =20 - if (driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO = || - driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_DEFAU= LT) { + if ((driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO= || + driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_DEFAU= LT) && + dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { needsVfio =3D true; } =20 
@@ -1348,6 +1350,7 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); } + if (needsgl) { /* if using gl all sorts of further dri related paths will be need= ed */ virBufferAddLit(&buf, " # DRI/Mesa/(e)GL config and driver paths\= n"); @@ -1385,9 +1388,18 @@ get_files(vahControl * ctl) } } =20 - if (ctl->newfile && - vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) { - return -1; + if (ctl->newfile) { + const char *perms =3D "rwk"; + + /* VFIO and iommufd devices need mmap permission */ + if (STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio") || + STREQ(ctl->newfile, VIR_IOMMU_DEV_PATH)) { + perms =3D "rwm"; + } + + if (vah_add_file(&buf, ctl->newfile, perms) !=3D 0) { + return -1; + } } =20 ctl->files =3D virBufferContentAndReset(&buf); @@ -1561,8 +1573,15 @@ main(int argc, char **argv) } } if (ctl->append && ctl->newfile) { - if (vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) - goto cleanup; + const char *perms =3D "rwk"; + + if (STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio") || + STREQ(ctl->newfile, VIR_IOMMU_DEV_PATH)) { + perms =3D "rwm"; + } + + if (vah_add_file(&buf, ctl->newfile, perms) !=3D 0) + return -1; } else { if (ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_QEMU || ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_KQEMU || --=20 2.43.0
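Review bot: In the qemu_cgroup.c hunk, `dev->source.subsys.u.pci.driver.iommufd` is read before anything in the visible context confirms this hostdev is a PCI subsys device, so for a USB, SCSI or mdev hostdev the early return reads a different member of the `u` union. Guard the check with `dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI` (and the subsys mode) before touching `u.pci`.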
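Review bot: In the qemu_namespace.c hunk the early `return 0` skips qemuDomainGetHostdevPath entirely, so no device node at all is created in the mount namespace for an iommufd hostdev, while the seclabel hunks grant both `/dev/iommu` and `/dev/vfio/devices/vfio*`. If this is safe because QEMU receives the device as an already-open fd, the commit message should say so; otherwise the namespace needs the iommufd paths the same way the security drivers get them. The same unguarded `u.pci` union read as in the cgroup hunk applies here.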
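Review bot: Double free in the AppArmorSetSecurityHostdevLabel hunk: `pci` is now declared `g_autoptr(virPCIDevice)`, but the `if (!vfioGroupDev)` branch still calls `virPCIDeviceFree(pci);` before `goto done;`, so the device is freed explicitly and again when `pci` leaves scope. Drop that `virPCIDeviceFree(pci);` line (the trailing one before `break;` was correctly removed).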
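Review bot: In the virSecurityDACSetHostdevLabel hunk, `VIR_IOMMU_DEV_PATH` is one node shared by every iommufd-using domain, yet it is passed to virSecurityDACSetHostdevLabelHelper with the same per-domain ownership and the same `false` second argument as the per-device `vfiofdDev`. With two domains the second chown overrides the first, and the first domain's restore later resets the node while the second is still running; please state how concurrent domains are handled, or treat this path the way other shared nodes are treated.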
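Review bot: In the virSecurityDACRestoreHostdevLabel hunk, `if (ret < 0) break;` after restoring `vfiofdDev` leaves `VIR_IOMMU_DEV_PATH` unrestored when the per-device restore fails. Restore paths should attempt both nodes and report the first error: restore `VIR_IOMMU_DEV_PATH` unconditionally and only then propagate the earlier `ret`.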
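Review bot: In the virSecuritySELinuxSetHostdevSubsysLabel hunk the check after labelling `vfiofdDev` is `if (ret) break;`, while every sibling hunk in this patch uses `if (ret < 0)`. Use the same form here for consistency so that the two error checks cannot diverge in behaviour.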
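Review bot: Same ordering problem in the virSecuritySELinuxRestoreHostdevSubsysLabel hunk as in the DAC restore: `break` on a failed restore of `vfiofdDev` skips restoring `VIR_IOMMU_DEV_PATH`. In addition, restoring the shared `/dev/iommu` node to its default label when one domain shuts down strips the per-domain label the other running iommufd domains were given; the set/restore pair for this path should be shared across domains rather than per-domain.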
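Review bot: The `@@ -1348,6 +1350,7 @@` hunk in virt-aa-helper.c only adds a blank line before `if (needsgl)`; it is unrelated whitespace churn and should be dropped from this patch.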
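Review bot: In the `@@ -1385,9 +1388,18 @@` get_files hunk, switching `perms` from `"rwk"` to `"rwm"` adds mmap but also silently drops the `k` (lock) permission the path had before; if lock is not needed for these device nodes, say so in the comment, otherwise use `"rwkm"`. The `STRPREFIX`/`STREQ` test and perms selection are also duplicated verbatim in the main() hunk; factor them into one small helper (for instance a `vah_dev_perms(const char *path)`, a suggested name) used from both places.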
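Review bot: In the main() hunk, `goto cleanup;` on vah_add_file failure became `return -1;`, which skips the cleanup path the rest of main() relies on. Keep `goto cleanup` here, and take the perms selection from the same helper as get_files instead of repeating it.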