[libvirt] [PATCH 2/2] Fix apparmor profile to make vfio pci passthrough work
Cedric Bosdonnat
cbosdonnat at suse.com
Tue Mar 25 08:37:34 UTC 2014
Hello Serge,
On Mon, 2014-03-24 at 22:21 -0500, Serge Hallyn wrote:
> Quoting Cédric Bosdonnat (cbosdonnat at suse.com):
> > See lp#1276719 for the bug description. As virt-aa-helper doesn't know
>
> Great, thanks for addressing this.
>
> > the VFIO groups to use for the guest,
>
> Is there really no way for it to know that (based on xml)? If not then
> I guess this is the way to go - though even in that case could we at
> least have virt-aa-helper only allow access to all vfio* only when vfio
> pci is required?

Sadly, the vfio group is handled on the qemu side; there is nothing on
the xml side. But I surely can change the patch to add the vfio rule to
the *.files part of the profile and only when vfio is needed by the
guest: that would restrain the access a bit.
--
Cedric