[libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work

Serge Hallyn serge.hallyn at ubuntu.com
Tue Mar 25 15:40:31 UTC 2014


Quoting Cédric Bosdonnat (cbosdonnat at suse.com):
> See lp#1276719 for the bug description. As virt-aa-helper doesn't know
> the VFIO groups to use for the guest, allow access to all
> /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
> for vfio
> ---

Thanks, Cédric!  Looks good to me.  Still needs a signed-off-by from you
(I assume), but

Acked-by: Serge E. Hallyn <serge.hallyn at ubuntu.com>

>  examples/apparmor/libvirt-qemu      |  1 +
>  examples/apparmor/usr.sbin.libvirtd |  3 +++
>  src/security/virt-aa-helper.c       | 12 ++++++++++++
>  3 files changed, 16 insertions(+)
> 
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index e1980b7..83814ec 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -110,6 +110,7 @@
>    /usr/bin/qemu-sparc32plus rmix,
>    /usr/bin/qemu-sparc64 rmix,
>    /usr/bin/qemu-x86_64 rmix,
> +  /usr/lib/qemu/block-curl.so mr,
>  
>    # for save and resume
>    /bin/dash rmix,
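Review bot: the added `/usr/lib/qemu/block-curl.so mr,` rule in examples/apparmor/libvirt-qemu is unrelated to VFIO passthrough and is not mentioned in the commit message; either split it into its own patch or add a sentence to the message saying why the curl block driver must be mappable by the qemu profile, so the reason for widening the profile is recorded alongside the change.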
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index fd6def1..3011eff 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -25,6 +25,9 @@
>    capability fsetid,
>    capability audit_write,
>  
> +  # Needed for vfio
> +  capability sys_resource,
> +
>    network inet stream,
>    network inet dgram,
>    network inet6 stream,
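Review bot: the comment `# Needed for vfio` above `capability sys_resource,` should name the operation that fails without it (presumably raising the locked-memory limit for the pinned guest RAM), because this capability is granted to libvirtd for every guest, not only those with a VFIO hostdev; someone auditing usr.sbin.libvirtd later needs to know what breaks if the line is dropped.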
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 59de517..998dc53 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -927,6 +927,7 @@ get_files(vahControl * ctl)
>      size_t i;
>      char *uuid;
>      char uuidstr[VIR_UUID_STRING_BUFLEN];
> +    bool needsVfio = false;
>  
>      /* verify uuid is same as what we were given on the command line */
>      virUUIDFormat(ctl->def->uuid, uuidstr);
> @@ -1068,6 +1069,12 @@ get_files(vahControl * ctl)
>                             dev->source.subsys.u.pci.addr.slot,
>                             dev->source.subsys.u.pci.addr.function);
>  
> +                virDomainHostdevSubsysPciBackendType backend = dev->source.subsys.u.pci.backend;
> +                if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
> +                        backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
> +                    needsVfio = true;
> +                }
> +
>                  if (pci == NULL)
>                      continue;
>  
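Review bot: treating `VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT` the same as `VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO` means any guest with a PCI hostdev whose backend is left unspecified gets the /dev/vfio rules, even when the default resolves to legacy KVM assignment; that matches the commit message's "potential need for vfio", but it deserves a one-line comment at the `if`, since a reader of the generated profile would otherwise expect those rules only for an explicit vfio backend. Also, the continuation line `backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {` should be aligned under the first operand of the condition rather than indented by eight extra spaces, per libvirt's style.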
> @@ -1096,6 +1103,11 @@ get_files(vahControl * ctl)
>          }
>      }
>  
> +    if (needsVfio) {
> +        virBufferAsprintf(&buf, "  /dev/vfio/vfio rw,\n");
> +        virBufferAsprintf(&buf, "  /dev/vfio/[0-9]* rw,\n");
> +    }
> +
>      if (ctl->newfile)
>          if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
>              goto cleanup;
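Review bot: the two `virBufferAsprintf(&buf, "  /dev/vfio/vfio rw,\n");` style calls pass a string literal with no format arguments; use `virBufferAddLit` for these, which is what libvirt's syntax-check expects for literals and avoids a needless format pass. The `/dev/vfio/[0-9]* rw,` glob also grants the guest every IOMMU group on the host rather than only its own, as the commit message acknowledges; a short comment next to the rules saying this is deliberately broad because virt-aa-helper does not know the groups would stop a later reader from mistaking it for an oversight.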
> -- 
> 1.9.0
> 
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list