On Thu, 2023-04-13 at 16:35 +0200, Michal Prívozník wrote:
On 4/1/23 02:42, Eric Farman wrote:
> Commit dbf1f68410 ("security: do not remember/recall labels for VFIO")
> rightly changed the DAC and SELinux labeling parameters to fix a problem
> with "VFIO hostdevs" but really only addressed the PCI codepaths.
> As a result, we can still encounter this with VFIO MDEVs such as
> vfio-ccw and vfio-ap, which can fail on a hotplug:
>
> [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0
> [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-eff72715c4f0
> [test@host ~]# cat disk.xml
> <hostdev mode='subsystem' type='mdev' model='vfio-ccw'>
>   <source>
>     <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/>
>   </source>
>   <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/>
> </hostdev>
> [test@host ~]# virsh attach-device guest ~/disk.xml
> error: Failed to attach device from /home/test/disk.xml
> error: Requested operation is not valid: Setting different
> SELinux label on /dev/vfio/3 which is already in use
>
> Make the same changes as reported in commit dbf1f68410, for the
> mdev paths.
>
> Reported-by: Matthew Rosato <mjrosato(a)linux.ibm.com>
> Signed-off-by: Eric Farman <farman(a)linux.ibm.com>
> ---
> src/security/security_dac.c | 4 ++--
> src/security/security_selinux.c | 4 ++--
> 2 files changed, 4 insertions(+), 4 deletions(-)
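
Review bot: the commit message says only "Make the same changes as reported in commit dbf1f68410, for the mdev paths", so a reader of the log has to open that commit to learn what the two-line changes in security_dac.c and security_selinux.c actually do. Consider stating the change directly (per that commit's subject, not remembering/recalling labels) for the mdev set and restore paths. The reproducer covers a vfio-ccw hotplug only; since vfio-ap is also named as affected, a line saying whether it was exercised would help.
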
Oops, sorry for the delay. I marked for review when I saw this patch,
but then got side tracked and forgot about it.
Not a problem; thank you for the review/push!
Eric
Reviewed-by: Michal Privoznik <mprivozn(a)redhat.com>
and pushed.
Michal