
On Wed, May 15, 2019 at 04:11:34PM +0200, Christian Ehrhardt wrote:
When a vhost scsi device is hotplugged virt-aa-helper is called to add the respective path. For example the config:
  <hostdev mode='subsystem' type='scsi_host' managed='no'>
    <source protocol='vhost' wwpn='naa.50014059de6fba4f'/>
  </hostdev>
Will call it to add:
  /sys/kernel/config/target/vhost//naa.50014059de6fba4f

But in general /sys paths are filtered in virt-aa-helper.c:valid_path
To allow the path used for vhost-scsi we need to add it to the list of known and accepted overrides.
Fixes: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1829223
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 src/security/virt-aa-helper.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index d0fe86cefc..ad9a7dda94 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -510,8 +510,9 @@ valid_path(const char *path, const bool readonly) }; /* override the above with these */ const char * const override[] = { - "/sys/devices/pci", /* for hostdev pci devices */ - "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */ + "/sys/devices/pci", /* for hostdev pci devices */ + "/sys/kernel/config/target/vhost", /* for hostdev vhost_scsi devices */ + "/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */
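Review bot: the new override entry "/sys/kernel/config/target/vhost" has no trailing slash, unlike the "/etc/libvirt-sandbox/services/" entry right after it. If the override entries are compared as string prefixes, which the bare "/sys/devices/pci" entry suggests, the new entry also accepts any sibling under /sys/kernel/config/target/ whose name merely begins with "vhost". The path from the commit message, /sys/kernel/config/target/vhost//naa.50014059de6fba4f, would still match "/sys/kernel/config/target/vhost/", so consider writing the entry with the trailing slash. Separately, re-aligning the comments on the two existing entries turns a one-line addition into the 3 insertions and 2 deletions shown in the diffstat; leaving their alignment alone would keep the change to the single new line.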
FYI for a future patch you can purge this directory as I killed the libvirt sandbox services concept, as it is a failed experiment.

For this specific patch though

Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Regards,
Daniel
-- 
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
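The filter-with-overrides check that the commit message describes, as an added example that is not libvirt's valid_path() and not part of the original mail. It is a simplified model that assumes plain string-prefix matching and a restricted list holding only "/sys"; the override_slash table and every sample path except the one from the commit message are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a deny list with overrides; NOT libvirt's valid_path(). */
static const char *const restricted[] = { "/sys" };  /* assumed from the commit message */

/* Override entries as written in the patch. */
static const char *const override_bare[] = {
    "/sys/devices/pci",
    "/sys/kernel/config/target/vhost",
};
/* Hypothetical variant: the vhost directory entry ends in '/'. */
static const char *const override_slash[] = {
    "/sys/devices/pci",
    "/sys/kernel/config/target/vhost/",
};

/* True if path begins with any entry of list (raw string prefix). */
static bool starts_with_any(const char *path, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(path, list[i], strlen(list[i])) == 0)
            return true;
    return false;
}

/* Accepted if an override matches, or if no restricted prefix matches. */
static bool path_allowed(const char *path, const char *const *ovr, size_t n_ovr)
{
    if (starts_with_any(path, ovr, n_ovr))
        return true;
    return !starts_with_any(path, restricted, 1);
}

int main(void)
{
    const char *samples[] = {  /* first path is from the commit message, rest constructed */
        "/sys/kernel/config/target/vhost//naa.50014059de6fba4f",
        "/sys/kernel/config/target/vhost_other/x",
        "/sys/devices/pci0000:00/0000:00:1f.2",
        "/sys/kernel/debug",
    };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-55s bare=%d slash=%d\n", samples[i],
               path_allowed(samples[i], override_bare, 2),
               path_allowed(samples[i], override_slash, 2));
    return 0;
}
```

The "/sys/devices/pci" entry depends on raw prefix matching to cover names such as pci0000:00, so the model keeps that matching and only changes how the vhost entry is spelled.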