Legacy kvm-style PCI device assignment requires relabelling several sysfs
files for each device, but for VFIO device assignment the only thing that
needs to be relabelled/chowned is the "group" device for the group that
contains the device being assigned.
---
src/security/security_apparmor.c | 12 +++++++++++-
src/security/security_dac.c | 27 ++++++++++++++++++++++++---
src/security/security_selinux.c | 24 ++++++++++++++++++++++--
3 files changed, 57 insertions(+), 6 deletions(-)
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 122edd4..0aff794 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -831,7 +831,17 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ }
virPCIDeviceFree(pci);
break;
}
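Review bot: The new `if (!vfioGroupDev) goto done;` in the VFIO branch jumps past the `virPCIDeviceFree(pci)` that follows the if/else, so the `pci` object allocated just above the hunk leaks on that error path unless `done:` releases it, which is outside the hunk (before this change there was no early exit between the allocation and the free). Releasing it before jumping keeps the labelling path leak-free: `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`. The identical pattern is repeated in both security_dac.c hunks and both security_selinux.c hunks and should be fixed in all five places. On this path `ret` also keeps whatever value it held on entry, so whether the caller sees a failure depends on its initialisation above the hunk; the enclosing function starts and ends outside the hunk.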
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 8576081..5e00112 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -516,8 +516,19 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
- params);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACSetSecurityPCILabel(pci, vfioGroupDev, params);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
+ params);
+ }
+
virPCIDeviceFree(pci);
break;
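Review bot: The VFIO-versus-legacy dispatch (backend check, virPCIDeviceGetVFIOGroupDev, single callback call, VIR_FREE, else virPCIDeviceFileIterate) is written out verbatim here and in the four sibling hunks, differing only in the callback and the opaque pointer each driver already hands to virPCIDeviceFileIterate. A single helper in the PCI utility code that takes the device, the backend, and that same callback-plus-opaque pair would keep the group-device special case in one place, so a future backend or a change to how the group node is located would not need edits in three security drivers. As a minor consistency point, this hunk alone inserts a blank line before `virPCIDeviceFree(pci);`; the other four hunks do not, and it would be cleaner for all five to match. The enclosing switch case starts outside the hunk.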
@@ -596,7 +607,17 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel,
mgr);
+ }
virPCIDeviceFree(pci);
break;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a8b74ee..a5b54cb 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1342,7 +1342,17 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr
def,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel,
def);
+ }
virPCIDeviceFree(pci);
break;
@@ -1504,7 +1514,17 @@
virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel,
mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel,
mgr);
+ }
virPCIDeviceFree(pci);
break;
--
1.7.11.7