Add check for <forward type='hostdev'> networks which were previously
neglected (as opposed to explicit PCI hostdev devices), so that they can
be granted the necessary permissions for PCI device access. The network
type lookup in turn requires the helper to read libvirt.conf
See
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993856
Signed-off-by: Tim Small <tim(a)seoss.co.uk>
---
.../usr.lib.libvirt.virt-aa-helper.in | 4 ++++
src/security/virt-aa-helper.c | 20 +++++++++++++++++++
2 files changed, 24 insertions(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index e209a8bff7..4cbad6986d 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -49,6 +49,10 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
@sysconfdir(a)/apparmor.d/libvirt/* r,
@sysconfdir@/apparmor.d/libvirt/libvirt-(a){UUID}* rw,
+ # The helper may read libvirt.conf in the course of connecting to a running
+ # libvirt deamon e.g. to resolve network configuration for a given domain
+ @sysconfdir(a)/libvirt/libvirt.conf r,
+
# for backingstore -- allow access to non-hidden files in @{HOME} as well
# as storage pools
audit deny @{HOME}/.* mrwkl,
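Review bot: The comment above the new libvirt.conf rule misspells "daemon" as `deamon`; suggest `# libvirt daemon, e.g. to resolve network configuration for a given domain`. It would also help a future reader to say in that comment which lookup triggers the connection (the hostdev-forward network resolution in virt-aa-helper.c), since the read rule on its own does not explain why a profile generator needs the client config. Presumably the socket access the connection itself needs is already covered elsewhere in the profile; worth confirming, because a denied access here would surface only as a failed lookup inside the helper.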
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 6481e9cfd7..f1d8feee11 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1143,6 +1143,16 @@ get_files(vahControl * ctl)
vhu->type) != 0)
goto cleanup;
}
+ /*
+ * Grant vfio for SR-IOV PCI VFs shared via <forward
type='hostdev'>
+ * networks. Calling virDomainNetResolveActualType() results in IPC.
+ */
+ if (!needsVfio &&
+ net &&
+ net->type == VIR_DOMAIN_NET_TYPE_NETWORK &&
+ virDomainNetResolveActualType(net) == VIR_DOMAIN_NET_TYPE_HOSTDEV) {
+ needsVfio = true;
+ }
}
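Review bot: A failed lookup in `virDomainNetResolveActualType(net)` on the last line of the new condition is indistinguishable from "not a hostdev network": as far as I can tell that function returns -1 when it cannot connect to the daemon or find the named network, so the `== VIR_DOMAIN_NET_TYPE_HOSTDEV` comparison quietly yields false, the vfio rule is omitted, and nothing in the helper's output says why the generated profile is incomplete. Capture the result first, e.g. `int actual = virDomainNetResolveActualType(net);`, and emit a `vah_warning()` when `actual < 0` before comparing it, so a profile-generation problem is visible to the administrator rather than showing up later as a denied device access at guest start. The same silent-failure path exists at the second call in the later hunk (the `continue` ahead of `needsvhost = true`). get_files() starts and ends outside this hunk, and `net` is declared before it.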
for (i = 0; i < ctl->def->nmems; i++) {
@@ -1301,12 +1311,22 @@ get_files(vahControl * ctl)
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDef *net = ctl->def->nets[i];
+
if (net && virDomainNetGetModelString(net)) {
if (net->driver.virtio.name == VIR_DOMAIN_NET_DRIVER_TYPE_QEMU)
continue;
if (!virDomainNetIsVirtioModel(net))
continue;
}
+
+ /* n.b. Calling virDomainNetResolveActualType() results in IPC. */
+ if (!needsvhost &&
+ net &&
+ net->type == VIR_DOMAIN_NET_TYPE_NETWORK &&
+ virDomainNetResolveActualType(net) == VIR_DOMAIN_NET_TYPE_HOSTDEV) {
+ continue;
+ }
+
needsvhost = true;
}
}
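Review bot: The new guard repeats, token for token, the predicate added to the vfio check earlier in get_files() (`net && net->type == VIR_DOMAIN_NET_TYPE_NETWORK && virDomainNetResolveActualType(net) == VIR_DOMAIN_NET_TYPE_HOSTDEV`), including the "results in IPC" caveat; a small `static bool net_is_hostdev_network(virDomainNetDef *net)` helper would give the lookup and its comment one home and let both call sites read as a single question. The `!needsvhost &&` short-circuit is correct as written, since once needsvhost is set the only remaining effect of the loop body is setting it again, so skipping the IPC changes nothing. The enclosing function starts and ends outside the hunk.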
--
2.47.2