virt-aa-helper: allow access to /dev/vhost-net if needed
authorSerge Hallyn <serge.hallyn@ubuntu.com>
Wed, 18 Jun 2014 03:20:59 +0000 (03:20 +0000)
committerEric Blake <eblake@redhat.com>
Wed, 18 Jun 2014 04:12:31 +0000 (22:12 -0600)
Only allow the access if it is a KVM domain which has a NIC which wants
non-userspace networking.

This addresses https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1322568

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
src/security/virt-aa-helper.c

index 1d246c7795afc4918336f24a893d0a6349179ce3..e54f73f6282ab67ac97d0cccc5d362b1f0113a8e 100644 (file)
@@ -929,7 +929,7 @@ get_files(vahControl * ctl)
     size_t i;
     char *uuid;
     char uuidstr[VIR_UUID_STRING_BUFLEN];
-    bool needsVfio = false;
+    bool needsVfio = false, needsvhost = false;
 
     /* verify uuid is same as what we were given on the command line */
     virUUIDFormat(ctl->def->uuid, uuidstr);
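Review bot: The new flag `needsvhost` breaks the camelCase used by `needsVfio` on the same declaration line. `bool needsVfio = false, needsVhost = false;` would keep the two profile flags consistent, and the rename would carry through to the uses in the second hunk.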
@@ -1105,6 +1105,21 @@ get_files(vahControl * ctl)
         }
     }
 
+    if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
+        for (i = 0; i < ctl->def->nnets; i++) {
+            virDomainNetDefPtr net = ctl->def->nets[i];
+            if (net && net->model) {
+                if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)
+                    continue;
+                if (STRNEQ(net->model, "virtio"))
+                    continue;
+            }
+            needsvhost = true;
+        }
+    }
+    if (needsvhost)
+        virBufferAddLit(&buf, "  /dev/vhost-net rw,\n");
+
     if (needsVfio) {
         virBufferAddLit(&buf, "  /dev/vfio/vfio rw,\n");
         virBufferAddLit(&buf, "  /dev/vfio/[0-9]* rw,\n");
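Review bot: In the loop over `ctl->def->nets`, a NIC with no `model` set (or a NULL `nets[i]` entry) skips both `continue` checks and still sets `needsvhost`, so the profile gains `/dev/vhost-net rw,` even when the driver backend is `VIR_DOMAIN_NET_BACKEND_TYPE_QEMU`. That is broader than the commit message's "only ... a NIC which wants non-userspace networking". If an unset model is deliberately treated as possibly virtio, a comment above the `if (net && net->model)` guard should say so. Otherwise the backend check can move out of the model guard: `if (!net || net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU) continue;` followed by `if (net->model && STRNEQ(net->model, "virtio")) continue;`. The body of `get_files` starts and ends outside this hunk, so any later handling of `needsvhost` is not visible here.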