qemu: cgroup: Expose /dev/sev/ only to domains that require SEV

SEV has a limit on number of concurrent guests. From security POV we should only expose resources (any resources for that matter) to domains that truly need them. Signed-off-by: N Erik Skultety <eskultet@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com>

qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
SEV has a limit on number of concurrent guests. From security POV we should only expose resources (any resources for that matter) to domains that truly need them. Signed-off-by: N Erik Skultety <eskultet@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com>
a404ac34 · Erik Skultety · b6440119 · a404ac34
隐藏空白更改
内联并排

Showing with 19 addition and 0 deletion

src/qemu/qemu_cgroup.c src/qemu/qemu_cgroup.c +19 -0

未找到文件。
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -691,6 +691,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm,
 }


+static int
+qemuSetupSEVCgroup(virDomainObjPtr vm)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret;
+
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
+                                   VIR_CGROUP_DEVICE_RW, false);
+    virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
+                             "rw", ret);
+    return ret;
+}
+
 static int
 qemuSetupDevicesCgroup(virDomainObjPtr vm)
 {
@@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
            goto cleanup;
    }

+    if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
+        goto cleanup;
+
    ret = 0;
 cleanup:
    virObjectUnref(cfg);