NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

Fix apparmor profile to make vfio pci passthrough work

Browse Source 
See lp#1276719 for the bug description. As virt-aa-helper doesn't know
the VFIO groups to use for the guest, allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
for vfio

Signed-off-by: Eric Blake <eblake@redhat.com>
This commit is contained in:
Cédric Bosdonnat 2014-03-25 12:48:26 +01:00 committed by Eric Blake
parent 0500fbd4b6
commit 74e86b6b25
3 changed files with 17 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
examples/apparmor/libvirt-qemu
View File

@ -110,6 +110,7 @@
/usr/bin/qemu-sparc32plus rmix, /usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix, /usr/bin/qemu-x86_64 rmix,
/usr/lib/qemu/block-curl.so mr,
# for save and resume # for save and resume
/bin/dash rmix, /bin/dash rmix,

3
examples/apparmor/usr.sbin.libvirtd
View File

@ -25,6 +25,9 @@
capability fsetid, capability fsetid,
capability audit_write, capability audit_write,
# Needed for vfio
capability sys_resource,
network inet stream, network inet stream,
network inet dgram, network inet dgram,
network inet6 stream, network inet6 stream,

14
src/security/virt-aa-helper.c
View File

@ -1,7 +1,7 @@
/* /*
* virt-aa-helper: wrapper program used by AppArmor security driver. * virt-aa-helper: wrapper program used by AppArmor security driver.
* *
* Copyright (C) 2010-2013 Red Hat, Inc. * Copyright (C) 2010-2014 Red Hat, Inc.
* Copyright (C) 2009-2011 Canonical Ltd. * Copyright (C) 2009-2011 Canonical Ltd.
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
@ -927,6 +927,7 @@ get_files(vahControl * ctl)
size_t i; size_t i;
char *uuid; char *uuid;
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
bool needsVfio = false;
/* verify uuid is same as what we were given on the command line */ /* verify uuid is same as what we were given on the command line */
virUUIDFormat(ctl->def->uuid, uuidstr); virUUIDFormat(ctl->def->uuid, uuidstr);
@ -1068,6 +1069,12 @@ get_files(vahControl * ctl)
dev->source.subsys.u.pci.addr.slot, dev->source.subsys.u.pci.addr.slot,
dev->source.subsys.u.pci.addr.function); dev->source.subsys.u.pci.addr.function);
virDomainHostdevSubsysPciBackendType backend = dev->source.subsys.u.pci.backend;
if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
needsVfio = true;
}
if (pci == NULL) if (pci == NULL)
continue; continue;
@ -1096,6 +1103,11 @@ get_files(vahControl * ctl)
} }
} }
if (needsVfio) {
virBufferAddLit(&buf, " /dev/vfio/vfio rw,\n");
virBufferAddLit(&buf, " /dev/vfio/[0-9]* rw,\n");
}
if (ctl->newfile) if (ctl->newfile)
if (vah_add_file(&buf, ctl->newfile, "rw") != 0) if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
goto cleanup; goto cleanup;