[libvirt] [PATCH 2/8] security: update hostdev labelling functions for VFIO
Laine Stump
laine at laine.org
Thu Apr 25 17:57:52 UTC 2013
Legacy kvm style pci device assignment requires changes to the
labelling of several sysfs files for each device, but for vfio device
assignment, the only thing that needs to be relabelled/chowned is the
"group" device for the group that contains the device to be assigned.
---
src/security/security_apparmor.c | 12 +++++++++++-
src/security/security_dac.c | 27 ++++++++++++++++++++++++---
src/security/security_selinux.c | 24 ++++++++++++++++++++++--
3 files changed, 57 insertions(+), 6 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 122edd4..0aff794 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -831,7 +831,17 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ }
virPCIDeviceFree(pci);
break;
}
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 8576081..5e00112 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -516,8 +516,19 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
- params);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACSetSecurityPCILabel(pci, vfioGroupDev, params);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
+ params);
+ }
+
virPCIDeviceFree(pci);
break;
@@ -596,7 +607,17 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ }
virPCIDeviceFree(pci);
break;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a8b74ee..a5b54cb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1342,7 +1342,17 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ }
virPCIDeviceFree(pci);
break;
@@ -1504,7 +1514,17 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ }
virPCIDeviceFree(pci);
break;
--
1.7.11.7
More information about the libvir-list
mailing list