[libvirt] [PATCH 2/5] qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
SEV has a limit on number of concurrent guests. From security POV we
should only expose resources (any resources for that matter) to domains
that truly need them.
Signed-off-by: Erik Skultety <eskultet(a)redhat.com>
---
src/qemu/qemu_cgroup.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 7b7cd4258b..e88cb8c45f 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -691,6 +691,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm,
}
+static int
+qemuSetupSEVCgroup(virDomainObjPtr vm)
+{
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+ int ret;
+
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
+ ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
+ VIR_CGROUP_DEVICE_RW, false);
+ virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
"/dev/sev",
+ "rw", ret);
+ return ret;
+}
+
static int
qemuSetupDevicesCgroup(virDomainObjPtr vm)
{
@@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
goto cleanup;
}
+ if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
+ goto cleanup;
+
ret = 0;
cleanup:
virObjectUnref(cfg);
--
2.20.1