From: Nathan Chen via Devel
Reply-To: Nathan Chen
To: devel@lists.libvirt.org
CC: skolothumtho@nvidia.com, nicolinc@nvidia.com, nathanc@nvidia.com, mochs@nvidia.com
Subject: [PATCH v6 6/7] qemu: Update Cgroup, namespace, and seclabel for iommufd
Date: Fri, 30 Jan 2026 10:59:17 -0800
Message-ID: <20260130185918.4154310-7-nathanc@nvidia.com>
In-Reply-To: <20260130185918.4154310-1-nathanc@nvidia.com>
References: <20260130185918.4154310-1-nathanc@nvidia.com>
X-Mailer: git-send-email 2.43.0
Content-Type: text/plain; charset="utf-8"

From: Nathan Chen

When launching a qemu VM with the iommufd feature enabled for VFIO hostdevs:

- Do not allow cgroup, namespace, and seclabel access to VFIO paths
  (/dev/vfio/vfio and /dev/vfio/)
- Allow access to iommufd paths (/dev/iommu and /dev/vfio/devices/vfio*)
  for AppArmor, SELinux, and DAC
Signed-off-by: Nathan Chen --- src/qemu/qemu_cgroup.c | 3 ++ src/qemu/qemu_namespace.c | 3 ++ src/security/security_apparmor.c | 28 ++++++++++++------ src/security/security_dac.c | 49 +++++++++++++++++++++++++------- src/security/security_selinux.c | 47 +++++++++++++++++++++++------- src/security/virt-aa-helper.c | 33 ++++++++++++++++----- 6 files changed, 128 insertions(+), 35 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 7dadef0739..6148990f19 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -479,6 +479,9 @@ qemuSetupHostdevCgroup(virDomainObj *vm, g_autofree char *path =3D NULL; int perms; =20 + if (dev->source.subsys.u.pci.driver.iommufd =3D=3D VIR_TRISTATE_BOOL_Y= ES) + return 0; + if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) return 0; =20 diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index c689cc3e40..fb0734193d 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c @@ -345,6 +345,9 @@ qemuDomainSetupHostdev(virDomainObj *vm, { g_autofree char *path =3D NULL; =20 + if (hostdev->source.subsys.u.pci.driver.iommufd =3D=3D VIR_TRISTATE_BO= OL_YES) + return 0; + if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) return -1; =20 diff --git a/src/security/security_apparmor.c b/src/security/security_appar= mor.c index 68ac39611f..934acfb461 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -45,6 +45,7 @@ #include "virstring.h" #include "virscsi.h" #include "virmdev.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 
@@ -841,25 +842,36 @@ AppArmorSetSecurityHostdevLabel(virSecurityManager *m= gr, } =20 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: { - virPCIDevice *pci =3D + g_autoptr(virPCIDevice) pci =3D virPCIDeviceNew(&pcisrc->addr); =20 if (!pci) goto done; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev(pci); =20 - if (!vfioGroupDev) { - virPCIDeviceFree(pci); - goto done; + if (!vfioGroupDev) { + goto done; + } + ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr= ); + VIR_FREE(vfioGroupDev); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + goto done; + + ret =3D AppArmorSetSecurityPCILabel(pci, vfiofdDev, ptr); + if (ret < 0) + goto done; + + ret =3D AppArmorSetSecurityPCILabel(pci, VIR_IOMMU_DEV_PAT= H, ptr); } - ret =3D AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr); - VIR_FREE(vfioGroupDev); } else { ret =3D virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILab= el, ptr); } - virPCIDeviceFree(pci); break; } =20 diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 2f788b872a..d0ed22db2d 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -41,6 +41,7 @@ #include "virscsivhost.h" #include "virstring.h" #include "virutil.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 
@@ -1282,14 +1283,27 @@ virSecurityDACSetHostdevLabel(virSecurityManager *m= gr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, + false, + &cbdata); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecurityDACSetHostdevLabelHelper(vfioGroupDev, - false, - &cbdata); + ret =3D virSecurityDACSetHostdevLabelHelper(vfiofdDev, fal= se, &cbdata); + if (ret < 0) + break; + + ret =3D virSecurityDACSetHostdevLabelHelper(VIR_IOMMU_DEV_= PATH, false, &cbdata); + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACSetPCILabel, 
@@ -1443,13 +1457,28 @@ virSecurityDACRestoreHostdevLabel(virSecurityManage= r *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; =20 - ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfioGroupDev, fal= se); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; + + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + vfiofdDev, fa= lse); + if (ret < 0) + break; + + ret =3D virSecurityDACRestoreFileLabelInternal(mgr, NULL, + VIR_IOMMU_DEV= _PATH, false); + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecurityDACRestorePCIL= abel, mgr); } diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c index 2f3cc274a5..834383a7de 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -41,6 +41,7 @@ #include "virconf.h" #include "virtpm.h" #include "virstring.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 
@@ -2256,14 +2257,27 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurity= Manager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupD= ev, + false, + &data); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfioGroupDev, - false, - &data); + ret =3D virSecuritySELinuxSetHostdevLabelHelper(vfiofdDev,= false, &data); + if (ret) + break; + + ret =3D virSecuritySELinuxSetHostdevLabelHelper(VIR_IOMMU_= DEV_PATH, false, &data); + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxSetPCIL= abel, &data); } 
@@ -2491,12 +2505,25 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecu= rityManager *mgr, return -1; =20 if (pcisrc->driver.name =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_= VFIO) { - g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGroupDev= (pci); + if (dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { + g_autofree char *vfioGroupDev =3D virPCIDeviceGetIOMMUGrou= pDev(pci); =20 - if (!vfioGroupDev) - return -1; + if (!vfioGroupDev) + return -1; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupD= ev, false, false); + } else { + g_autofree char *vfiofdDev =3D NULL; + + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr= , &vfiofdDev) < 0) + return -1; =20 - ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupDev, = false, false); + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, vfiofdDev,= false, false); + if (ret < 0) + break; + + ret =3D virSecuritySELinuxRestoreFileLabel(mgr, VIR_IOMMU_= DEV_PATH, false, false); + } } else { ret =3D virPCIDeviceFileIterate(pci, virSecuritySELinuxRestore= PCILabel, mgr); } diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 211c34f926..155dcb4039 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -50,6 +50,7 @@ #include "virstring.h" #include "virgettext.h" #include "virhostdev.h" +#include "viriommufd.h" =20 #define VIR_FROM_THIS VIR_FROM_SECURITY =20 @@ -1114,8 +1115,9 @@ get_files(vahControl * ctl) =20 virDeviceHostdevPCIDriverName driverName =3D dev->source.subsy= s.u.pci.driver.name; =20 - if (driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO = || - driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_DEFAU= LT) { + if ((driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO= || + driverName =3D=3D VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_DEFAU= LT) && + dev->source.subsys.u.pci.driver.iommufd !=3D VIR_TRISTATE_= BOOL_YES) { needsVfio =3D true; } =20 
@@ -1348,6 +1350,7 @@ get_files(vahControl * ctl) virBufferAddLit(&buf, " \"/dev/vfio/vfio\" rw,\n"); virBufferAddLit(&buf, " \"/dev/vfio/[0-9]*\" rw,\n"); } + if (needsgl) { /* if using gl all sorts of further dri related paths will be need= ed */ virBufferAddLit(&buf, " # DRI/Mesa/(e)GL config and driver paths\= n"); @@ -1385,9 +1388,18 @@ get_files(vahControl * ctl) } } =20 - if (ctl->newfile && - vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) { - return -1; + if (ctl->newfile) { + const char *perms =3D "rwk"; + + /* VFIO and iommufd devices need mmap permission */ + if (STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio") || + STREQ(ctl->newfile, VIR_IOMMU_DEV_PATH)) { + perms =3D "rwm"; + } + + if (vah_add_file(&buf, ctl->newfile, perms) !=3D 0) { + return -1; + } } =20 ctl->files =3D virBufferContentAndReset(&buf); @@ -1561,8 +1573,15 @@ main(int argc, char **argv) } } if (ctl->append && ctl->newfile) { - if (vah_add_file(&buf, ctl->newfile, "rwk") !=3D 0) - goto cleanup; + const char *perms =3D "rwk"; + + if (STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio") || + STREQ(ctl->newfile, VIR_IOMMU_DEV_PATH)) { + perms =3D "rwm"; + } + + if (vah_add_file(&buf, ctl->newfile, perms) !=3D 0) + return -1; } else { if (ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_QEMU || ctl->def->virtType =3D=3D VIR_DOMAIN_VIRT_KQEMU || --=20 2.43.0
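Review bot: In the qemu_cgroup.c hunk (qemuSetupHostdevCgroup, @@ -479), `dev->source.subsys.u.pci.driver.iommufd` is read before anything has established that this hostdev is a PCI subsys device. `u` is a union shared with the USB, SCSI, scsi_host and mdev variants, so for a non-PCI hostdev the comparison reads another member's bytes and can spuriously match, returning 0 and silently skipping the devices-cgroup ACL for that device. Guard it first with `dev->mode == VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && dev->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI`, or move the check inside the PCI case of qemuDomainGetHostdevPath. Separately, the early `return 0` means neither /dev/iommu nor the /dev/vfio/devices/vfio* node is ever added to the devices cgroup; if another patch in the series does that, the commit message should say so, otherwise QEMU will be denied opening them whenever the devices controller is active.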
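Review bot: In the qemu_namespace.c hunk (qemuDomainSetupHostdev, @@ -345), the new early return has the same two problems as the cgroup one: `hostdev->source.subsys.u.pci.driver.iommufd` is dereferenced before the subsys type is known, so it reads a union member that is only valid for PCI hostdevs, and returning 0 means no /dev/iommu or /dev/vfio/devices/vfio* node is created in the domain's private /dev mount namespace. Add the mode/type guard, and either create the iommufd nodes here (in place of the group node) or state in the commit message where in the series that happens.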
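Review bot: In the security_apparmor.c hunk (AppArmorSetSecurityHostdevLabel, @@ -841), `if (!vfioGroupDev) { goto done; }` wraps a single statement in braces, which the surrounding code does not do; drop the braces. The new condition also spells the field out as `dev->source.subsys.u.pci.driver.iommufd` while the line just above it uses `pcisrc->driver.name`; use `pcisrc->driver.iommufd` for consistency (same remark applies to the DAC and SELinux hunks, which already have `pcisrc` in scope). The switch to `g_autoptr(virPCIDevice)` and removal of the manual `virPCIDeviceFree` calls is a welcome cleanup and removes the leak on the `goto done` paths.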
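Review bot: In the security_dac.c set hunk (virSecurityDACSetHostdevLabel, @@ -1282), the iommufd branch chowns `VIR_IOMMU_DEV_PATH` (/dev/iommu) to the domain's uid/gid. Unlike the per-group /dev/vfio/N node that the pre-patch code labels, /dev/iommu is a single node shared by every iommufd-enabled domain on the host, so with dynamic ownership the second domain to start flips the ownership away from the first and breaks its access. Note the pre-patch code deliberately labels only `vfioGroupDev` and never the shared /dev/vfio/vfio; /dev/iommu should get the same treatment, or go through the remember/refcount machinery so concurrent domains do not clobber each other.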
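Review bot: In the security_dac.c restore hunk (virSecurityDACRestoreHostdevLabel, @@ -1443), restoring the label on `VIR_IOMMU_DEV_PATH` when one domain is torn down (or one hostdev is detached) resets ownership of a node other running iommufd domains still depend on, revoking their access mid-flight. Either skip the shared node on restore, as is done for /dev/vfio/vfio today, or make the restore conditional on the remembered-label refcount so the last user does the restore. Minor: a failure to get the path does `return -1` while a failure on the first restore does `break`; pick one convention within the branch.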
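Review bot: In the security_selinux.c set hunk (virSecuritySELinuxSetHostdevSubsysLabel, @@ -2256), `if (ret) break;` differs from the `if (ret < 0) break;` used in the equivalent DAC hunk; make them match. More importantly, `virSecuritySELinuxSetHostdevLabelHelper(VIR_IOMMU_DEV_PATH, ...)` applies the domain's per-VM svirt image label (including its MCS category) to /dev/iommu, which is shared by all iommufd domains on the host; whichever domain labels it last wins and the others lose access. Shared nodes need either no relabel or a shared label, not a per-domain one.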
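Review bot: In the security_selinux.c restore hunk (virSecuritySELinuxRestoreHostdevSubsysLabel, @@ -2491), `virSecuritySELinuxRestoreFileLabel(mgr, VIR_IOMMU_DEV_PATH, false, false)` resets the context of the shared /dev/iommu node whenever any one iommufd domain shuts down or detaches its device, so other running domains lose access. Skip the shared node on restore or gate it on the remembered-label refcount, mirroring whatever is decided for the set path.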
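Review bot: The virt-aa-helper.c hunk at @@ -1348 (get_files) only adds a blank line before `if (needsgl)`; it is an unrelated whitespace change and should be dropped from this patch.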
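Review bot: In the virt-aa-helper.c get_files hunk (@@ -1385), the block that selects `"rwm"` for paths matching `STRPREFIX(ctl->newfile, "/dev/vfio/devices/vfio")` or `STREQ(ctl->newfile, VIR_IOMMU_DEV_PATH)` is duplicated verbatim in the main() hunk below. Factor it into one small helper (for example a `vah_newfile_perms(const char *path)` returning the permission string) so the two call sites cannot drift apart, and move the "need mmap permission" comment there so main() carries it too.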
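Review bot: In the virt-aa-helper.c main() hunk (@@ -1561), the failure path was changed from `goto cleanup;` to `return -1;`. That skips the `cleanup:` label, so the control structure is no longer torn down on this error and main() returns a raw -1 instead of following the function's existing exit-status convention. Keep `goto cleanup;` here; only the permission string needed to change.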