security: aa-helper: Fix static defined vfio MDEVs

virt-aa-helper needs to grant QEMU access to VFIO MDEV devices.
This extends commit 74e86b6b which only covered PCI hostdevs for VFIO-PCI
assignment by now also covering vfio MDEVs.
It has still the same limitations regarding the device lifecycle, IOW we're
unable to predict the actual VFIO device being created, thus we need
wildcards.

Also note that the hotplug case, where apparmor is able to detect the actual
VFIO device during runtime, is already covered by commit 606afafb.

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Boris Fiuczynski <fiuczy@linux.ibm.com>