Re: [PATCH] security: do not remember/recall labels for VFIO MDEVs

Commit dbf1f68410 ("security: do not remember/recall labels for VFIO") rightly changed the DAC and SELinux labeling parameters to fix a problem with "VFIO hostdevs" but really only addressed the PCI codepaths. As a result, we can still encounter this with VFIO MDEVs such as vfio-ccw and vfio-ap, which can fail on a hotplug:   [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0   [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023- eff72715c4f0   [test@host ~]# cat disk.xml     <hostdev mode='subsystem' type='mdev' model='vfio-ccw'>       <source>         <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/>       </source>       <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/>     </hostdev>   [test@host ~]# virsh attach-device guest ~/disk.xml   error: Failed to attach device from /home/test/disk.xml   error: Requested operation is not valid: Setting different SELinux label on /dev/vfio/3 which is already in use Make the same changes as reported in commit dbf1f68410, for the mdev paths. Reported-by: Matthew Rosato <mjrosato(a)linux.ibm.com&gt; Signed-off-by: Eric Farman <farman(a)linux.ibm.com&gt;

---  src/security/security_dac.c     | 4 ++--  src/security/security_selinux.c | 4 ++--  2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/security/security_dac.c b/src/security/security_dac.c index 9be8f458d1..bceb6a5c24 100644 --- a/src/security/security_dac.c +++ b/src/security/security_dac.c @@ -1310,7 +1310,7 @@ virSecurityDACSetHostdevLabel(virSecurityManager *mgr,          if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc- >uuidstr)))              return -1;   -        ret = virSecurityDACSetHostdevLabelHelper(vfiodev, true, &cbdata); +        ret = virSecurityDACSetHostdevLabelHelper(vfiodev, false, &cbdata);          break;      }   @@ -1466,7 +1466,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManager *mgr,          if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc- >uuidstr)))              return -1;   -        ret = virSecurityDACRestoreFileLabel(mgr, vfiodev); +        ret = virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfiodev, false);          break;      }   diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c index e43962435f..9c23735aa3 100644 --- a/src/security/security_selinux.c +++ b/src/security/security_selinux.c @@ -2217,7 +2217,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManager *mgr,          if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc- >uuidstr)))              return ret;   -        ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true, &data); +        ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, false, &data);          break;      }   @@ -2445,7 +2445,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManager *mgr,          if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc- >uuidstr)))              return -1;   -        ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true); +        ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false);          break;      }