Fix apparmor profile to make vfio pci passthrough work
authorCédric Bosdonnat <cbosdonnat@suse.com>
Tue, 25 Mar 2014 11:48:26 +0000 (12:48 +0100)
committerEric Blake <eblake@redhat.com>
Thu, 27 Mar 2014 15:09:23 +0000 (09:09 -0600)
See lp#1276719 for the bug description. As virt-aa-helper doesn't know
the VFIO groups to use for the guest, allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
for vfio.

Signed-off-by: Eric Blake <eblake@redhat.com>
examples/apparmor/libvirt-qemu
examples/apparmor/usr.sbin.libvirtd
src/security/virt-aa-helper.c

index e1980b7cb710529a435bb6f21782eaeaa7ccde96..83814ecf565c97ff1588828d75a9051deb527d9e 100644 (file)
   /usr/bin/qemu-sparc32plus rmix,
   /usr/bin/qemu-sparc64 rmix,
   /usr/bin/qemu-x86_64 rmix,
+  /usr/lib/qemu/block-curl.so mr,
 
   # for save and resume
   /bin/dash rmix,
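Review bot: The added `/usr/lib/qemu/block-curl.so mr,` rule has nothing to do with the vfio fix described in the commit message and carries no comment, so a later reader cannot tell why qemu needs to map this library or whether sibling block modules need the same treatment. I would put a one-line comment above it, `# qemu block driver module (curl backend) loaded at runtime`, and mention the addition in the commit message. The path is hard-coded to /usr/lib/qemu, which looks distribution-specific; if the profile is meant to be shared across distros a glob such as `/usr/lib/qemu/block-*.so mr,` may be what is wanted, but I am inferring that from the file name alone.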
index fd6def1d859127f5871de9fd7819d2240892b920..3011eff3f9b1b9948403b26f150039d527a99287 100644 (file)
@@ -25,6 +25,9 @@
   capability fsetid,
   capability audit_write,
 
+  # Needed for vfio
+  capability sys_resource,
+
   network inet stream,
   network inet dgram,
   network inet6 stream,
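Review bot: `capability sys_resource,` is granted to libvirtd unconditionally, while the comment `# Needed for vfio` does not say which operation actually requires it, so the grant can neither be audited nor narrowed later. CAP_SYS_RESOURCE covers more than one privileged operation; I assume (not visible in this diff) that it is needed to raise the qemu process's locked-memory limit so VFIO can pin guest RAM, and the comment should say so: `# Needed for vfio: libvirtd raises the guest's RLIMIT_MEMLOCK (setrlimit) so guest RAM can be pinned for DMA`. If that is the only use, noting it lets the rule be dropped if the mechanism changes.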
index 506707f02a641c2506bfce85ed6449e49ee54568..64a382c1027d4e3f11151d3976a9528349edb41b 100644 (file)
@@ -1,7 +1,7 @@
 /*
  * virt-aa-helper: wrapper program used by AppArmor security driver.
  *
- * Copyright (C) 2010-2013 Red Hat, Inc.
+ * Copyright (C) 2010-2014 Red Hat, Inc.
  * Copyright (C) 2009-2011 Canonical Ltd.
  *
  * This library is free software; you can redistribute it and/or
@@ -927,6 +927,7 @@ get_files(vahControl * ctl)
     size_t i;
     char *uuid;
     char uuidstr[VIR_UUID_STRING_BUFLEN];
+    bool needsVfio = false;
 
     /* verify uuid is same as what we were given on the command line */
     virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1068,6 +1069,12 @@ get_files(vahControl * ctl)
                            dev->source.subsys.u.pci.addr.slot,
                            dev->source.subsys.u.pci.addr.function);
 
+                virDomainHostdevSubsysPciBackendType backend = dev->source.subsys.u.pci.backend;
+                if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
+                        backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
+                    needsVfio = true;
+                }
+
                 if (pci == NULL)
                     continue;
 
@@ -1096,6 +1103,11 @@ get_files(vahControl * ctl)
         }
     }
 
+    if (needsVfio) {
+        virBufferAddLit(&buf, "  /dev/vfio/vfio rw,\n");
+        virBufferAddLit(&buf, "  /dev/vfio/[0-9]* rw,\n");
+    }
+
     if (ctl->newfile)
         if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
             goto cleanup;
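Review bot: `/dev/vfio/[0-9]* rw,` grants this guest's qemu process every VFIO group on the host, including groups holding devices assigned to other guests or still bound to host drivers, so a compromised qemu can open and program DMA on devices it was never given; the commit message acknowledges the helper does not know the groups, but this is a real confinement gap, not just a looseness. If the IOMMU group can be resolved per hostdev from sysfs (the `iommu_group` symlink under the device's PCI address is the usual source), the helper should emit one `/dev/vfio/<group> rw,` rule per assigned device and only fall back to the glob when resolution fails. At minimum the wide rule should be marked as a known over-grant: `/* TODO: narrow to the guest's own IOMMU groups instead of every /dev/vfio/<n> on the host */`. get_files continues outside this hunk.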