From nobody Sat Feb 7 08:00:54 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) client-ip=209.132.183.37; envelope-from=libvir-list-bounces@redhat.com; helo=mx5-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) by mx.zohomail.com with SMTPS id 1487194615320324.49765082898864; Wed, 15 Feb 2017 13:36:55 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1FLXIxZ004833; Wed, 15 Feb 2017 16:33:18 -0500 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1FLWwqW004709 for ; Wed, 15 Feb 2017 16:32:58 -0500 Received: from beluga.usersys.redhat.com (dhcp129-94.brq.redhat.com [10.34.129.94]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1FLWmiZ021192; Wed, 15 Feb 2017 16:32:57 -0500 
From: Erik Skultety To: libvir-list@redhat.com Date: Wed, 15 Feb 2017 22:32:25 +0100 Message-Id: In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-loop: libvir-list@redhat.com Cc: Erik Skultety Subject: [libvirt] [RFC PATCH v2 08/18] security: selinux: Enable labeling of vfio mediated devices X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Label the VFIO IOMMU devices under /dev/vfio/ referenced by the symlinks in the sysfs (e.g. /sys/class/mdev_bus//iommu_group) which what qemu actually gets formatted on the command line. Signed-off-by: Erik Skultety
---
 src/security/security_selinux.c | 56 +++++++++++++++++++++++++++++++++++++= ++--
 1 file changed, 54 insertions(+), 2 deletions(-)
diff --git a/src/security/security_selinux.c b/src/security/security_selinu= x.c
index e152c72..60bdb1c 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -36,6 +36,7 @@
 #include "virerror.h"
 #include "viralloc.h"
 #include "virlog.h"
+#include "virmdev.h"
 #include "virpci.h"
 #include "virusb.h"
 #include "virscsi.h"
@@ -1686,6 +1687,13 @@ virSecuritySELinuxSetHostLabel(virSCSIVHostDevicePtr= dev ATTRIBUTE_UNUSED,
 }
=20
 static int
+virSecuritySELinuxSetMediatedDevLabel(virMediatedDevicePtr dev ATTRIBUTE_U= NUSED,
+ const char *file, void *opaque)
+{
+ return virSecuritySELinuxSetHostdevLabelHelper(file, opaque);
+}
+
+static int
 virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 virDomainHostdevDefPtr dev,
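Review bot: virSecuritySELinuxSetMediatedDevLabel forwards `opaque` straight to virSecuritySELinuxSetHostdevLabelHelper, so a caller must hand it a virSecuritySELinuxCallbackData (the @@ -1782 hunk does, with `&data`), whereas virSecuritySELinuxRestoreMediatedDevLabel in the @@ -1918 hunk casts `opaque` to a bare virSecurityManagerPtr; neither helper says so, and passing the wrong pointer type would only surface at runtime. Suggest a one-line comment on each, e.g. `/* opaque is a virSecuritySELinuxCallbackData pointer */` here and `/* opaque is a virSecurityManagerPtr */` on the restore variant. Both helpers also take a `dev` they never read; it looks as if that keeps them shaped like the neighbouring *SetHostLabel/*RestoreHostLabel callbacks visible in the hunk context, which is worth stating in the same comment since nothing in this patch invokes them through a callback type.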
@@ -1696,7 +1704,9 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityMa= nagerPtr mgr,
 virDomainHostdevSubsysPCIPtr pcisrc =3D &dev->source.subsys.u.pci;
 virDomainHostdevSubsysSCSIPtr scsisrc =3D &dev->source.subsys.u.scsi;
 virDomainHostdevSubsysSCSIVHostPtr hostsrc =3D &dev->source.subsys.u.s= csi_host;
+ virDomainHostdevSubsysMediatedDevPtr mdevsrc =3D &dev->source.subsys.u= .mdev;
 virSecuritySELinuxCallbackData data =3D {.mgr =3D mgr, .def =3D def};
+ virMediatedDevicePtr mdev =3D NULL;
=20
 int ret =3D -1;
=20
@@ -1782,13 +1792,26 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurity= ManagerPtr mgr,
 break;
 }
=20
- case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV:
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {
+ char *vfio_dev =3D NULL;
+ if (!(mdev =3D virMediatedDeviceNew(mdevsrc->uuidstr)))
+ goto done;
+
+ if (!(vfio_dev =3D virMediatedDeviceGetIOMMUGroupDev(mdev)))
+ goto done;
+
+ ret =3D virSecuritySELinuxSetMediatedDevLabel(mdev, vfio_dev, &dat= a);
+ VIR_FREE(vfio_dev);
+ break;
+ }
+
 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
 ret =3D 0;
 break;
 }
=20
 done:
+ virMediatedDeviceFree(mdev);
 return ret;
 }
=20
@@ -1918,6 +1941,16 @@ virSecuritySELinuxRestoreHostLabel(virSCSIVHostDevic= ePtr dev ATTRIBUTE_UNUSED,
 }
=20
 static int
+virSecuritySELinuxRestoreMediatedDevLabel(virMediatedDevicePtr dev ATTRIBU= TE_UNUSED,
+ const char *file,
+ void *opaque)
+{
+ virSecurityManagerPtr mgr =3D opaque;
+
+ return virSecuritySELinuxRestoreFileLabel(mgr, file);
+}
+
+static int
 virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManagerPtr mgr,
 virDomainHostdevDefPtr dev,
 const char *vroot)
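Review bot: `mdev` is a function-scope local that is now released unconditionally at `done:` through `virMediatedDeviceFree(mdev);`, so every non-MDEV hostdev path reaches that call with NULL; that is only safe if virMediatedDeviceFree tolerates a NULL argument, which nothing in this patch shows — confirm it, or guard the call. The MDEV case here also names its path buffer `vfio_dev` while the restore counterpart in the @@ -2010 hunk uses `vfiodev`; one name should be used in both places, e.g. change `char *vfio_dev = NULL;` to `char *vfiodev = NULL;` and its two uses below. virSecuritySELinuxSetHostdevSubsysLabel starts before this hunk and its earlier switch cases are not visible here.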
@@ -1927,6 +1960,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecuri= tyManagerPtr mgr,
 virDomainHostdevSubsysPCIPtr pcisrc =3D &dev->source.subsys.u.pci;
 virDomainHostdevSubsysSCSIPtr scsisrc =3D &dev->source.subsys.u.scsi;
 virDomainHostdevSubsysSCSIVHostPtr hostsrc =3D &dev->source.subsys.u.s= csi_host;
+ virDomainHostdevSubsysMediatedDevPtr mdevsrc =3D &dev->source.subsys.u= .mdev;
 int ret =3D -1;
=20
 /* Like virSecuritySELinuxRestoreImageLabelInt() for a networked
@@ -2010,7 +2044,25 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecur= ityManagerPtr mgr,
 break;
 }
=20
- case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV:
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {
+ char *vfiodev =3D NULL;
+ virMediatedDevicePtr mdev =3D virMediatedDeviceNew(mdevsrc->uuidst= r);
+
+ if (!mdev)
+ goto done;
+
+ if (!(vfiodev =3D virMediatedDeviceGetIOMMUGroupDev(mdev))) {
+ virMediatedDeviceFree(mdev);
+ goto done;
+ }
+
+ ret =3D virSecuritySELinuxRestoreMediatedDevLabel(mdev, vfiodev, m= gr);
+
+ VIR_FREE(vfiodev);
+ virMediatedDeviceFree(mdev);
+ break;
+ }
+
 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
 ret =3D 0;
 break;
--=20
2.10.2
-- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
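Review bot: The MDEV case frees `mdev` at two sites — inside the virMediatedDeviceGetIOMMUGroupDev failure branch and again after the label call — which is the kind of per-path cleanup that the Set side (@@ -1782 hunk) avoids by releasing once at `done:`. Declaring `virMediatedDevicePtr mdev = NULL;` next to the other locals in the @@ -1927 hunk and adding `virMediatedDeviceFree(mdev);` under the function's `done:` label would let both inline frees and the braces around the second `goto done` go away, so any future early exit in this case cannot leak the object. The `done:` label and the rest of virSecuritySELinuxRestoreHostdevSubsysLabel lie outside this hunk.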