virt-aa-helper: add rules for shmem devices

Shared memory devices need qemu to be able to access certain paths either for the shared memory directly (mostly ivshmem-plain) or for a socket (mostly ivshmem-doorbell). Add logic to virt-aa-helper to render those apparmor rules based on the domain configuration. https://bugzilla.redhat.com/show_bug.cgi?id=1761645Reviewed-by: N Cole Robinson <crobinso@redhat.com> Acked-by: N Jamie Strandboge <jamie@canonical.com> Signed-off-by: N Christian Ehrhardt <christian.ehrhardt@canonical.com>

virt-aa-helper: add rules for shmem devices
Shared memory devices need qemu to be able to access certain paths either for the shared memory directly (mostly ivshmem-plain) or for a socket (mostly ivshmem-doorbell). Add logic to virt-aa-helper to render those apparmor rules based on the domain configuration. https://bugzilla.redhat.com/show_bug.cgi?id=1761645Reviewed-by: N Cole Robinson <crobinso@redhat.com> Acked-by: N Jamie Strandboge <jamie@canonical.com> Signed-off-by: N Christian Ehrhardt <christian.ehrhardt@canonical.com>
36afd1a7 · Christian Ehrhardt · d53f4d02 · 36afd1a7
隐藏空白更改
内联并排

Showing with 33 addition and 0 deletion

src/security/virt-aa-helper.c src/security/virt-aa-helper.c +33 -0

未找到文件。
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -931,6 +931,7 @@ get_files(vahControl * ctl)
    int rc = -1;
    size_t i;
    char *uuid;
+    char *mem_path = NULL;
    char uuidstr[VIR_UUID_STRING_BUFLEN];
    bool needsVfio = false, needsvhost = false, needsgl = false;

@@ -1194,6 +1195,37 @@ get_files(vahControl * ctl)
        }
    }

+    for (i = 0; i < ctl->def->nshmems; i++) {
+        virDomainShmemDef *shmem = ctl->def->shmems[i];
+        /* explicit server paths can be on any model to overwrites defaults.
+         * When the server path is enabled, use it - otherwise fallback to
+         * model dependent defaults. */
+        if (shmem->server.enabled &&
+            shmem->server.chr.data.nix.path) {
+                if (vah_add_file(&buf, shmem->server.chr.data.nix.path,
+                        "rw") != 0)
+                    goto cleanup;
+        } else {
+            switch (shmem->model) {
+            case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_PLAIN:
+                /* until exposed, recreate qemuBuildShmemBackendMemProps */
+                mem_path = g_strdup_printf("/dev/shm/%s", shmem->name);
+                break;
+            case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_DOORBELL:
+            case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM:
+                 /* until exposed, recreate qemuDomainPrepareShmemChardev */
+                mem_path = g_strdup_printf("/var/lib/libvirt/shmem-%s-sock",
+                               shmem->name);
+                break;
+            }
+            if (mem_path != NULL) {
+                if (vah_add_file(&buf, mem_path, "rw") != 0)
+                    goto cleanup;
+            }
+        }
+    }
+
+
    if (ctl->def->tpm) {
        char *shortName = NULL;
        const char *tpmpath = NULL;
@@ -1288,6 +1320,7 @@ get_files(vahControl * ctl)
    ctl->files = virBufferContentAndReset(&buf);

 cleanup:
+    VIR_FREE(mem_path);
    VIR_FREE(uuid);
    return rc;
 }