[libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work
Serge Hallyn
serge.hallyn at ubuntu.com
Tue Mar 25 15:40:31 UTC 2014
Quoting Cédric Bosdonnat (cbosdonnat at suse.com):
> See lp#1276719 for the bug description. As virt-aa-helper doesn't know
> the VFIO groups to use for the guest, allow access to all
> /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
> for vfio
> ---
Thanks, Cédric! Looks good to me. Still needs a signed-off-by from you
(I assume), but
Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>
> examples/apparmor/libvirt-qemu | 1 +
> examples/apparmor/usr.sbin.libvirtd | 3 +++
> src/security/virt-aa-helper.c | 12 ++++++++++++
> 3 files changed, 16 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index e1980b7..83814ec 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -110,6 +110,7 @@
> /usr/bin/qemu-sparc32plus rmix,
> /usr/bin/qemu-sparc64 rmix,
> /usr/bin/qemu-x86_64 rmix,
> + /usr/lib/qemu/block-curl.so mr,
>
> # for save and resume
> /bin/dash rmix,
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index fd6def1..3011eff 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -25,6 +25,9 @@
> capability fsetid,
> capability audit_write,
>
> + # Needed for vfio
> + capability sys_resource,
> +
> network inet stream,
> network inet dgram,
> network inet6 stream,
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 59de517..998dc53 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -927,6 +927,7 @@ get_files(vahControl * ctl)
> size_t i;
> char *uuid;
> char uuidstr[VIR_UUID_STRING_BUFLEN];
> + bool needsVfio = false;
>
> /* verify uuid is same as what we were given on the command line */
> virUUIDFormat(ctl->def->uuid, uuidstr);
> @@ -1068,6 +1069,12 @@ get_files(vahControl * ctl)
> dev->source.subsys.u.pci.addr.slot,
> dev->source.subsys.u.pci.addr.function);
>
> + virDomainHostdevSubsysPciBackendType backend = dev->source.subsys.u.pci.backend;
> + if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
> + backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
> + needsVfio = true;
> + }
> +
> if (pci == NULL)
> continue;
>
> @@ -1096,6 +1103,11 @@ get_files(vahControl * ctl)
> }
> }
>
> + if (needsVfio) {
> + virBufferAsprintf(&buf, " /dev/vfio/vfio rw,\n");
> + virBufferAsprintf(&buf, " /dev/vfio/[0-9]* rw,\n");
> + }
> +
> if (ctl->newfile)
> if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
> goto cleanup;
> --
> 1.9.0
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
More information about the libvir-list
mailing list