From nobody Mon Feb 9 16:21:57 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) client-ip=209.132.183.39; envelope-from=libvir-list-bounces@redhat.com; helo=mx6-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) by mx.zohomail.com with SMTPS id 1486384110193375.8764990775196; Mon, 6 Feb 2017 04:28:30 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v16CLcTX013382; Mon, 6 Feb 2017 07:21:38 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v16CLE9m017472 for ; Mon, 6 Feb 2017 07:21:14 -0500 Received: from beluga.usersys.redhat.com (dhcp129-94.brq.redhat.com [10.34.129.94]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v16CL6xB013739; Mon, 6 Feb 2017 07:21:14 -0500 
From: Erik Skultety To: libvir-list@redhat.com Date: Mon, 6 Feb 2017 13:19:49 +0100 Message-Id: <7dd64a45c4290073dc9f3303594a1a121374d093.1486383339.git.eskultet@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-loop: libvir-list@redhat.com Cc: Erik Skultety Subject: [libvirt] [PATCH 07/16] security: selinux: Enable labeling of vfio mediated devices X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Label the VFIO IOMMU devices under /dev/vfio/ referenced by the symlinks in the sysfs (e.g. /sys/class/mdev_bus//iommu_group) which what qemu actually gets formatted on the command line. Signed-off-by: Erik Skultety
---
 src/security/security_selinux.c | 57 +++++++++++++++++++++++++++++++++++++= ++--
 1 file changed, 55 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c
index e152c72..4f6b098 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -36,6 +36,7 @@
 #include "virerror.h"
 #include "viralloc.h"
 #include "virlog.h"
+#include "virmdev.h"
 #include "virpci.h"
 #include "virusb.h"
 #include "virscsi.h"
@@ -1686,6 +1687,13 @@ virSecuritySELinuxSetHostLabel(virSCSIVHostDevicePtr= dev ATTRIBUTE_UNUSED,
 }
=20
 static int
+virSecuritySELinuxSetMediatedDevLabel(virMediatedDevicePtr dev ATTRIBUTE_U= NUSED,
+ const char *file, void *opaque)
+{
+ return virSecuritySELinuxSetHostdevLabelHelper(file, opaque);
+}
+
+static int
 virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 virDomainHostdevDefPtr dev,
@@ -1696,7 +1704,9 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityMa= nagerPtr mgr,
 virDomainHostdevSubsysPCIPtr pcisrc =3D &dev->source.subsys.u.pci;
 virDomainHostdevSubsysSCSIPtr scsisrc =3D &dev->source.subsys.u.scsi;
 virDomainHostdevSubsysSCSIVHostPtr hostsrc =3D &dev->source.subsys.u.s= csi_host;
+ virDomainHostdevSubsysMediatedDevPtr mdevsrc =3D &dev->source.subsys.u= .mdev;
 virSecuritySELinuxCallbackData data =3D {.mgr =3D mgr, .def =3D def};
+ virMediatedDevicePtr mdev =3D NULL;
=20
 int ret =3D -1;
=20
@@ -1782,13 +1792,26 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurity= ManagerPtr mgr,
 break;
 }
=20
- case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV:
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {
+ char *vfio_dev =3D NULL;
+ if (!(mdev =3D virMediatedDeviceNew(&mdevsrc->addr, mdevsrc->uuids= tr)))
+ goto done;
+
+ if (!(vfio_dev =3D virMediatedDeviceGetIOMMUGroupDev(mdev)))
+ goto done;
+
+ ret =3D virSecuritySELinuxSetMediatedDevLabel(mdev, vfio_dev, &dat= a);
+ VIR_FREE(vfio_dev);
+ break;
+ }
+
 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
 ret =3D 0;
 break;
 }
=20
 done:
+ virMediatedDeviceFree(mdev);
 return ret;
 }
=20
@@ -1918,6 +1941,16 @@ virSecuritySELinuxRestoreHostLabel(virSCSIVHostDevic= ePtr dev ATTRIBUTE_UNUSED,
 }
=20
 static int
+virSecuritySELinuxRestoreMediatedDevLabel(virMediatedDevicePtr dev ATTRIBU= TE_UNUSED,
+ const char *file,
+ void *opaque)
+{
+ virSecurityManagerPtr mgr =3D opaque;
+
+ return virSecuritySELinuxRestoreFileLabel(mgr, file);
+}
+
+static int
 virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
 virDomainHostdevDefPtr dev,
 const char *vroot)
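Review bot: The new MDEV arm of virSecuritySELinuxSetHostdevSubsysLabel passes whatever string virMediatedDeviceGetIOMMUGroupDev() returns straight into `virSecuritySELinuxSetMediatedDevLabel(mdev, vfio_dev, &data)`, so the label lands on a path derived from a sysfs symlink; whether that helper builds the path from the group number or resolves the link target is not visible here, and if it is the latter a check that the result is a node under /dev/vfio/ before the relabel would make a bad link fail loudly instead of silently relabeling something else. The arm is also shaped differently from its counterpart in the restore hunk (@@ -2010): here `mdev` is a function-scope variable released at `done:`, there it is block-local and freed on each exit path, and the temporary is `vfio_dev` here but `vfiodev` there; one ownership pattern and one spelling would keep the two switch arms diffable against each other. virSecuritySELinuxSetHostdevSubsysLabel begins outside this hunk.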
@@ -1927,6 +1960,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecuri= tyManagerPtr mgr,
 virDomainHostdevSubsysPCIPtr pcisrc =3D &dev->source.subsys.u.pci;
 virDomainHostdevSubsysSCSIPtr scsisrc =3D &dev->source.subsys.u.scsi;
 virDomainHostdevSubsysSCSIVHostPtr hostsrc =3D &dev->source.subsys.u.s= csi_host;
+ virDomainHostdevSubsysMediatedDevPtr mdevsrc =3D &dev->source.subsys.u= .mdev;
 int ret =3D -1;
=20
 /* Like virSecuritySELinuxRestoreImageLabelInt() for a networked
@@ -2010,7 +2044,26 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecur= ityManagerPtr mgr,
 break;
 }
=20
- case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV:
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {
+ char *vfiodev =3D NULL;
+ virMediatedDevicePtr mdev =3D virMediatedDeviceNew(&mdevsrc->addr,
+ mdevsrc->uuidstr);
+
+ if (!mdev)
+ goto done;
+
+ if (!(vfiodev =3D virMediatedDeviceGetIOMMUGroupDev(mdev))) {
+ virMediatedDeviceFree(mdev);
+ goto done;
+ }
+
+ ret =3D virSecuritySELinuxRestoreMediatedDevLabel(mdev, vfiodev, m= gr);
+
+ VIR_FREE(vfiodev);
+ virMediatedDeviceFree(mdev);
+ break;
+ }
+
 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
 ret =3D 0;
 break;
--=20
2.10.2
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
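Review bot: The restore arm resets the label on the IOMMU group node that virMediatedDeviceGetIOMMUGroupDev() returns, and as far as I know a /dev/vfio/<group> node is shared by every device in that group; if another mediated device in the same group is still assigned to a running domain, `virSecuritySELinuxRestoreMediatedDevLabel(mdev, vfiodev, mgr)` would strip the label that domain relies on. For PCI hostdevs I believe the in-use check that prevents this lives above the security driver; it is worth confirming that the same guard reaches mdevs, or that a mediated device always gets a group of its own, and stating whichever holds in a comment above `case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {`. The `done:` label this arm jumps to, and the rest of virSecuritySELinuxRestoreHostdevSubsysLabel, are outside the hunk.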