Fix apparmor profile to make vfio pci passthrough work

See lp#1276719 for the bug description. As virt-aa-helper doesn't know the VFIO groups to use for the guest, allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need for vfio Signed-off-by: N Eric Blake <eblake@redhat.com>

Fix apparmor profile to make vfio pci passthrough work
See lp#1276719 for the bug description. As virt-aa-helper doesn't know the VFIO groups to use for the guest, allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need for vfio Signed-off-by: N Eric Blake <eblake@redhat.com>
74e86b6b · Cédric Bosdonnat · Eric Blake · 0500fbd4 · 74e86b6b · 74e86b6b
Showing with 17 addition and 1 deletion

examples/apparmor/libvirt-qemu examples/apparmor/libvirt-qemu +1 -0

examples/apparmor/usr.sbin.libvirtd examples/apparmor/usr.sbin.libvirtd +3 -0

src/security/virt-aa-helper.c src/security/virt-aa-helper.c +13 -1

未找到文件。
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -110,6 +110,7 @@
  /usr/bin/qemu-sparc32plus rmix,
  /usr/bin/qemu-sparc64 rmix,
  /usr/bin/qemu-x86_64 rmix,
+  /usr/lib/qemu/block-curl.so mr,

  # for save and resume
  /bin/dash rmix,

--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -25,6 +25,9 @@
  capability fsetid,
  capability audit_write,

+  # Needed for vfio
+  capability sys_resource,
+
  network inet stream,
  network inet dgram,
  network inet6 stream,

--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
 /*
 * virt-aa-helper: wrapper program used by AppArmor security driver.
 *
- * Copyright (C) 2010-2013 Red Hat, Inc.
+ * Copyright (C) 2010-2014 Red Hat, Inc.
 * Copyright (C) 2009-2011 Canonical Ltd.
 *
 * This library is free software; you can redistribute it and/or
@@ -927,6 +927,7 @@ get_files(vahControl * ctl)
    size_t i;
    char *uuid;
    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    bool needsVfio = false;

    /* verify uuid is same as what we were given on the command line */
    virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1068,6 +1069,12 @@ get_files(vahControl * ctl)
                           dev->source.subsys.u.pci.addr.slot,
                           dev->source.subsys.u.pci.addr.function);

+                virDomainHostdevSubsysPciBackendType backend = dev->source.subsys.u.pci.backend;
+                if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
+                        backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
+                    needsVfio = true;
+                }
+
                if (pci == NULL)
                    continue;

@@ -1096,6 +1103,11 @@ get_files(vahControl * ctl)
        }
    }

+    if (needsVfio) {
+        virBufferAddLit(&buf, "  /dev/vfio/vfio rw,\n");
+        virBufferAddLit(&buf, "  /dev/vfio/[0-9]* rw,\n");
+    }
+
    if (ctl->newfile)
        if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
            goto cleanup;