[libvirt] [RFC PATCH v2 REBASE 07/18] security: dac: Enable labeling of vfio mediated devices
Pavel Hrdina
phrdina at redhat.com
Tue Feb 28 12:45:26 UTC 2017
On Mon, Feb 20, 2017 at 03:28:20PM +0100, Erik Skultety wrote:
> Label the VFIO IOMMU devices under /dev/vfio/ referenced by the symlinks
> in the sysfs (e.g. /sys/class/mdev_bus/<uuid>/iommu_group) which what
> qemu actually gets formatted on the command line.
>
> Signed-off-by: Erik Skultety <eskultet at redhat.com>
> ---
> src/security/security_dac.c | 57 +++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 55 insertions(+), 2 deletions(-)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index ecce1d3..45bd24e 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -33,6 +33,7 @@
> #include "virfile.h"
> #include "viralloc.h"
> #include "virlog.h"
> +#include "virmdev.h"
> #include "virpci.h"
> #include "virusb.h"
> #include "virscsi.h"
> @@ -856,6 +857,15 @@ virSecurityDACSetHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
>
>
> static int
> +virSecurityDACSetMediatedDevLabel(virMediatedDevicePtr dev ATTRIBUTE_UNUSED,
> + const char *file,
> + void *opaque)
> +{
> + return virSecurityDACSetHostdevLabelHelper(file, opaque);
> +}
This wrapper is not required, mediated devices don't have an *Iterate()
function (which is in most cases only yet another wrapper for a simple
function call).
> +
> +
> +static int
> virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
> virDomainDefPtr def,
> virDomainHostdevDefPtr dev,
> @@ -867,7 +877,9 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
> virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
> virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
> virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
> + virDomainHostdevSubsysMediatedDevPtr mdevsrc = &dev->source.subsys.u.mdev;
> int ret = -1;
> + virMediatedDevicePtr mdev = NULL;
>
> if (!priv->dynamicOwnership)
> return 0;
> @@ -964,13 +976,26 @@ virSecurityDACSetHostdevLabel(virSecurityManagerPtr mgr,
> break;
> }
>
> - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV:
> + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {
> + char *vfio_dev = NULL;
> + if (!(mdev = virMediatedDeviceNew(mdevsrc->uuidstr)))
> + goto done;
> +
> + if (!(vfio_dev = virMediatedDeviceGetIOMMUGroupDev(mdev)))
> + goto done;
> +
> + ret = virSecurityDACSetMediatedDevLabel(mdev, vfio_dev, &cbdata);
You can use virSecurityDACSetHostdevLabelHelper directly.
> + VIR_FREE(vfio_dev);
> + break;
> + }
> +
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
> ret = 0;
> break;
> }
>
> done:
> + virMediatedDeviceFree(mdev);
> return ret;
> }
>
> @@ -1018,6 +1043,15 @@ virSecurityDACRestoreHostLabel(virSCSIVHostDevicePtr dev ATTRIBUTE_UNUSED,
> return virSecurityDACRestoreFileLabel(priv, file);
> }
>
> +static int
> +virSecurityDACRestoreMediatedDevLabel(virMediatedDevicePtr dev ATTRIBUTE_UNUSED,
> + const char *file,
> + void *opaque)
> +{
> + virSecurityManagerPtr mgr = opaque;
> + virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
> + return virSecurityDACRestoreFileLabel(priv, file);
> +}
>
> static int
> virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
> @@ -1032,6 +1066,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
> virDomainHostdevSubsysPCIPtr pcisrc = &dev->source.subsys.u.pci;
> virDomainHostdevSubsysSCSIPtr scsisrc = &dev->source.subsys.u.scsi;
> virDomainHostdevSubsysSCSIVHostPtr hostsrc = &dev->source.subsys.u.scsi_host;
> + virDomainHostdevSubsysMediatedDevPtr mdevsrc = &dev->source.subsys.u.mdev;
> int ret = -1;
>
> secdef = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
> @@ -1120,7 +1155,25 @@ virSecurityDACRestoreHostdevLabel(virSecurityManagerPtr mgr,
> break;
> }
>
> - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV:
> + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_MDEV: {
> + char *vfiodev = NULL;
> + virMediatedDevicePtr mdev = virMediatedDeviceNew(mdevsrc->uuidstr);
> +
> + if (!mdev)
> + goto done;
> +
> + if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdev))) {
> + virMediatedDeviceFree(mdev);
> + goto done;
> + }
> +
> + ret = virSecurityDACRestoreMediatedDevLabel(mdev, vfiodev, mgr);
Same here, you don't have to use this wrapper, use
virSecurityDACRestoreFileLabel directly.
This applies to security_selinux as well and I think that you should merge
the security_dac and security_selinux patches together and you are missing
security_apparmor patch.
Pavel
> +
> + VIR_FREE(vfiodev);
> + virMediatedDeviceFree(mdev);
> + break;
> + }
> +
> case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST:
> ret = 0;
> break;
> --
> 2.10.2
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20170228/42367d13/attachment-0001.sig>
More information about the libvir-list
mailing list