[PATCH] security: do not remember/recall labels for VFIO MDEVs
Eric Farman
farman at linux.ibm.com
Thu Apr 13 13:22:39 UTC 2023
On Sat, 2023-04-01 at 02:42 +0200, Eric Farman wrote:
> Commit dbf1f68410 ("security: do not remember/recall labels for VFIO")
> rightly changed the DAC and SELinux labeling parameters to fix a problem
> with "VFIO hostdevs" but really only addressed the PCI codepaths.
> As a result, we can still encounter this with VFIO MDEVs such as
> vfio-ccw and vfio-ap, which can fail on a hotplug:
>
> [test at host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0
> [test at host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-eff72715c4f0
> [test at host ~]# cat disk.xml
> <hostdev mode='subsystem' type='mdev' model='vfio-ccw'>
> <source>
> <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/>
> </source>
> <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/>
> </hostdev>
> [test at host ~]# virsh attach-device guest ~/disk.xml
> error: Failed to attach device from /home/test/disk.xml
> error: Requested operation is not valid: Setting different SELinux label on /dev/vfio/3 which is already in use
>
> Make the same changes as reported in commit dbf1f68410, for the mdev
> paths.
>
> Reported-by: Matthew Rosato <mjrosato at linux.ibm.com>
> Signed-off-by: Eric Farman <farman at linux.ibm.com>
Ping? I'm hoping this just got lost between the release and the
holiday, but if there are some changes needed here I'm happy to work
through that. Thank you!
> ---
> src/security/security_dac.c | 4 ++--
> src/security/security_selinux.c | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/src/security/security_dac.c
> b/src/security/security_dac.c
> index 9be8f458d1..bceb6a5c24 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -1310,7 +1310,7 @@
> virSecurityDACSetHostdevLabel(virSecurityManager *mgr,
> if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc-
> >uuidstr)))
> return -1;
>
> - ret = virSecurityDACSetHostdevLabelHelper(vfiodev, true,
> &cbdata);
> + ret = virSecurityDACSetHostdevLabelHelper(vfiodev, false,
> &cbdata);
> break;
> }
>
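Review bot: the switch from `true` to `false` in the `virSecurityDACSetHostdevLabelHelper(vfiodev, ...)` call is a bare positional boolean, so the hunk by itself does not say what is being turned off; a short comment above the call (or a sentence in the commit message) stating that the label on the /dev/vfio/N group device is deliberately not remembered, because the remembered-label bookkeeping is what yields the "already in use" error quoted in the commit message, would make the intent reviewable without looking up commit dbf1f68410.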
> @@ -1466,7 +1466,7 @@
> virSecurityDACRestoreHostdevLabel(virSecurityManager *mgr,
> if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc-
> >uuidstr)))
> return -1;
>
> - ret = virSecurityDACRestoreFileLabel(mgr, vfiodev);
> + ret = virSecurityDACRestoreFileLabelInternal(mgr, NULL,
> vfiodev, false);
> break;
> }
>
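Review bot: this restore path moves from the public `virSecurityDACRestoreFileLabel(mgr, vfiodev)` to the lower-level `virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfiodev, false)`, while the SELinux restore hunk later in this patch keeps calling the public `virSecuritySELinuxRestoreFileLabel` and just passes `false`; the asymmetry and the meaning of the `NULL` second argument deserve a line in the commit message or a comment, since a reader of the hunk cannot tell whether the public DAC wrapper simply has no recall flag or whether the internal call also skips something else. It is also worth noting explicitly that the `false` here must stay paired with the `false` on the set path above, so restore never tries to recall a label that was never remembered.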
> diff --git a/src/security/security_selinux.c
> b/src/security/security_selinux.c
> index e43962435f..9c23735aa3 100644
> --- a/src/security/security_selinux.c
> +++ b/src/security/security_selinux.c
> @@ -2217,7 +2217,7 @@
> virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManager *mgr,
> if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc-
> >uuidstr)))
> return ret;
>
> - ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true,
> &data);
> + ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev,
> false, &data);
> break;
> }
>
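Review bot: the `false` now passed to `virSecuritySELinuxSetHostdevLabelHelper` matches the DAC change, but the unchanged context in this hunk returns `ret` when `virMediatedDeviceGetIOMMUGroupDev` fails, whereas the other three sites touched by this patch return `-1`; `ret` is not assigned in the visible lines, so please confirm it is initialised to an error value before this point, or align this early return with the other paths in a follow-up.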
> @@ -2445,7 +2445,7 @@
> virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManager *mgr,
> if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc-
> >uuidstr)))
> return -1;
>
> - ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev,
> true);
> + ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev,
> false);
> break;
> }
>
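Review bot: with the recall flag set to `false` on both restore paths and the remember flag set to `false` on both set paths, please add the mdev hostdev case to the security driver tests so that the stop/start/attach sequence from the commit message is covered; the `true`/`false` pairing across these four hunks is only enforced by convention, and a regression test is what keeps a later refactor from reintroducing the remembered-label path for /dev/vfio/N.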