See lp#1276719 for the bug description. As virt-aa-helper doesn't know
the VFIO groups to use for the guest, allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files whenever there is a potential
need for VFIO.
---
examples/apparmor/libvirt-qemu | 1 +
examples/apparmor/usr.sbin.libvirtd | 3 +++
src/security/virt-aa-helper.c | 12 ++++++++++++
3 files changed, 16 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index e1980b7..83814ec 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -110,6 +110,7 @@
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
+ /usr/lib/qemu/block-curl.so mr,
# for save and resume
/bin/dash rmix,
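Review bot: The new `/usr/lib/qemu/block-curl.so mr,` rule is not covered by the commit description, which is only about VFIO device access; it lets every confined QEMU map the curl block driver, presumably for network-backed disk images, and that widening of the profile should be its own commit or at least explained in the description. Recording the intent next to the rule would help the next profile audit, e.g. `# qemu block driver for network-backed (curl) disk images`.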
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index fd6def1..3011eff 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -25,6 +25,9 @@
capability fsetid,
capability audit_write,
+ # Needed for vfio
+ capability sys_resource,
+
network inet stream,
network inet dgram,
network inet6 stream,
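Review bot: The comment `# Needed for vfio` above the new `capability sys_resource,` line says when the capability is used but not why, so a reader auditing the libvirtd profile cannot tell which operation depends on it or whether it can later be dropped. Presumably it is needed because libvirtd raises the guest's locked-memory limit (RLIMIT_MEMLOCK) so VFIO can pin guest memory for device DMA; if so, a comment such as `# Needed for vfio: raising the guest's memlock limit so device DMA memory can be pinned` ties the grant to a concrete operation. This matters because sys_resource is a broad capability (it also covers other resource-limit and quota overrides), so the profile should document the narrow reason it is granted.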
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 59de517..998dc53 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -927,6 +927,7 @@ get_files(vahControl * ctl)
size_t i;
char *uuid;
char uuidstr[VIR_UUID_STRING_BUFLEN];
+ bool needsVfio = false;
/* verify uuid is same as what we were given on the command line */
virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1068,6 +1069,12 @@ get_files(vahControl * ctl)
dev->source.subsys.u.pci.addr.slot,
dev->source.subsys.u.pci.addr.function);
+ virDomainHostdevSubsysPciBackendType backend =
dev->source.subsys.u.pci.backend;
+ if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
+ backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
+ needsVfio = true;
+ }
+
if (pci == NULL)
continue;
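Review bot: Setting `needsVfio` for `VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT` as well as `VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO` grants the `/dev/vfio` rules to guests whose backend the driver may later resolve to legacy KVM assignment, so the generated profile can be wider than the device actually needs. If that over-approximation is deliberate because the helper cannot know what backend the driver will pick, the code should say so, e.g. `/* DEFAULT may resolve to VFIO at runtime; grant access conservatively */` above the `if`. The enclosing get_files function starts and continues outside this hunk, and the `pci == NULL` check below it does not affect the flag, so a failed virPCIDeviceNew still leaves `needsVfio` set.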
@@ -1096,6 +1103,11 @@ get_files(vahControl * ctl)
}
}
+ if (needsVfio) {
+ virBufferAsprintf(&buf, " /dev/vfio/vfio rw,\n");
+ virBufferAsprintf(&buf, " /dev/vfio/[0-9]* rw,\n");
+ }
+
if (ctl->newfile)
if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
goto cleanup;
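Review bot: The `/dev/vfio/[0-9]* rw,` rule emitted here opens every IOMMU group on the host to this guest's QEMU rather than only the groups assigned to it, so AppArmor no longer confines a compromised QEMU to its own passthrough devices; the commit description explains the trade-off, but the code should carry it too, e.g. `/* The helper cannot determine the guest's IOMMU group numbers here, so all groups are allowed; narrow this once the groups are known. */`, so a future maintainer knows the rule is an accepted widening and not the intended final state. Separately, both `virBufferAsprintf(&buf, ...)` calls pass a constant string with no format arguments; `virBufferAddLit(&buf, " /dev/vfio/vfio rw,\n");` and `virBufferAddLit(&buf, " /dev/vfio/[0-9]* rw,\n");` are the idiomatic form and avoid running a fixed literal through format parsing. The enclosing get_files function continues outside this hunk.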
--
1.9.0