[libvirt] [PATCH 1/1] virt-aa-helper: allow access to /dev/vhost-net if needed

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jun 18 03:20:59 UTC 2014


Only allow the access if it is a KVM domain which has a NIC which wants
non-userspace networking.

This addresses https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1322568

Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
 src/security/virt-aa-helper.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 1d246c7..e54f73f 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -929,7 +929,7 @@ get_files(vahControl * ctl)
     size_t i;
     char *uuid;
     char uuidstr[VIR_UUID_STRING_BUFLEN];
-    bool needsVfio = false;
+    bool needsVfio = false, needsvhost = false;
 
     /* verify uuid is same as what we were given on the command line */
     virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1105,6 +1105,21 @@ get_files(vahControl * ctl)
         }
     }
 
+    if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
+        for (i = 0; i < ctl->def->nnets; i++) {
+            virDomainNetDefPtr net = ctl->def->nets[i];
+            if (net && net->model) {
+                if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)
+                    continue;
+                if (STRNEQ(net->model, "virtio"))
+                    continue;
+            }
+            needsvhost = true;
+        }
+    }
+    if (needsvhost)
+        virBufferAddLit(&buf, "  /dev/vhost-net rw,\n");
+
     if (needsVfio) {
         virBufferAddLit(&buf, "  /dev/vfio/vfio rw,\n");
         virBufferAddLit(&buf, "  /dev/vfio/[0-9]* rw,\n");
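Review bot: A NIC with no `model` set (or a NULL `net` entry) skips both `continue` checks and reaches `needsvhost = true;`, so the `/dev/vhost-net rw` rule is also emitted for interfaces that never asked for virtio. If that fallthrough is deliberate because the default model can resolve to virtio, say so with a comment above `needsvhost = true;`, e.g. `/* model unset: the default backend may be virtio/vhost, so grant conservatively */`; otherwise add `if (!net || !net->model) continue;` at the top of the loop body. The test also ignores the interface type, so a virtio NIC on user-mode networking (`VIR_DOMAIN_NET_TYPE_USER`) would presumably still receive the vhost-net rule even though that backend does not open the device; excluding such interfaces keeps the profile closer to least privilege and is worth confirming against the qemu driver. get_files starts and continues outside this hunk.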
-- 
1.9.1



