On 12/8/2025 10:22 AM, Ján Tomko wrote:
On a Friday in 2025, Nathan Chen via Devel wrote:
When launching a qemu VM with the iommufd feature enabled for VFIO hostdevs:
- Do not allow access to /dev/vfio/vfio and /dev/vfio/<iommugroup> used by VFIO without iommufd enabled
- Allow access to /dev/iommu and /dev/vfio/devices/vfio*
The commit summary mentions cgroups, namespaces and seclabels, however I can only see this patch not allowing stuff needed for legacy VFIO, but I don't see it allowing the new paths.
I see you add the paths to apparmor - presumably you're using a Debian-based distro that doesn't have SELinux.
But are cgroups not used either?
Possibly namespaces aren't necessary if we're passing the FDs, and I'll look into the SELinux stuff.
From my testing, allowing the iommufd paths in cgroups and namespaces is no longer necessary since we are passing the FDs. I will update the commit description to be more specific, i.e.:
- Do not allow cgroup, namespace, and seclabel access to VFIO paths (/dev/vfio/vfio and /dev/vfio/<iommugroup>) if iommufd is enabled
- Allow access to iommufd paths (/dev/iommu and /dev/vfio/devices/vfio*) in AppArmor and SELinux if iommufd is enabled

Thanks,
Nathan