On 1/5/2026 8:21 AM, Daniel P. Berrangé wrote:
On Thu, Dec 18, 2025 at 06:19:24PM -0800, Nathan Chen via Devel wrote:
From: Nathan Chen<nathanc@nvidia.com>
When launching a qemu VM with the iommufd feature enabled for VFIO hostdevs:
- Do not allow cgroup, namespace, and seclabel access to VFIO paths (/dev/vfio/vfio and /dev/vfio/<iommugroup>)
- Allow access to iommufd paths (/dev/iommu and /dev/vfio/devices/vfio*) for AppArmor, SELinux, and DAC
Signed-off-by: Nathan Chen<nathanc@nvidia.com>
---
 src/qemu/qemu_cgroup.c           | 26 +++++++-------
 src/qemu/qemu_namespace.c        | 16 +++++----
 src/security/security_apparmor.c | 33 ++++++++++++++----
 src/security/security_dac.c      | 60 ++++++++++++++++++++++++++------
 src/security/security_selinux.c  | 58 ++++++++++++++++++++++++------
 src/security/virt-aa-helper.c    | 32 +++++++++++++----
 6 files changed, 172 insertions(+), 53 deletions(-)

snip
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c index 68ac39611f..999275dac1 100644 --- a/src/security/security_apparmor.c +++ b/src/security/security_apparmor.c @@ -848,14 +848,33 @@ AppArmorSetSecurityHostdevLabel(virSecurityManager *mgr, goto done;
if (pcisrc->driver.name == VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO) { - char *vfioGroupDev = virPCIDeviceGetIOMMUGroupDev(pci); - - if (!vfioGroupDev) { - virPCIDeviceFree(pci); - goto done; + if (dev->source.subsys.u.pci.driver.iommufd != VIR_TRISTATE_BOOL_YES) { + char *vfioGroupDev = virPCIDeviceGetIOMMUGroupDev(pci); + + if (!vfioGroupDev) { + virPCIDeviceFree(pci); + goto done; + } + ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr); + VIR_FREE(vfioGroupDev); + } else { + g_autofree char *vfiofdDev = NULL; + const char *iommufdDir = "/dev/iommu"; So we declare / use this path 11 times by the end of this series
$ git grep /dev/iommu src/
src/qemu/qemu_process.c: * Opens /dev/iommu file descriptor for the VM.
src/qemu/qemu_process.c:    if ((fd = open("/dev/iommu", O_RDWR | O_CLOEXEC)) < 0) {
src/qemu/qemu_process.c:                       _("IOMMU FD support requires /dev/iommu device"));
src/qemu/qemu_process.c:                             _("cannot open /dev/iommu"));
src/security/security_apparmor.c:            const char *iommufdDir = "/dev/iommu";
src/security/security_dac.c:            const char *iommufdDir = "/dev/iommu";
src/security/security_dac.c:            const char *iommufdDir = "/dev/iommu";
src/security/security_selinux.c:            const char *iommufdDir = "/dev/iommu";
src/security/security_selinux.c:            const char *iommufdDir = "/dev/iommu";
src/security/virt-aa-helper.c:        STREQ(ctl->newfile, "/dev/iommu")) {
src/security/virt-aa-helper.c:        STREQ(ctl->newfile, "/dev/iommu")) {
how about we declare VIR_IOMMU_DEV_PATH in src/util/viriommu.h and use that throughout.
Yes, that would be cleaner - I will include this in the next revision.
+ + if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr, &vfiofdDev) < 0) + return -1; + + if (!virFileExists(iommufdDir)) + return -1; ...and even add 'bool virIOMMUFDSupported(void)' that does this virFileExists check.
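Review bot: the two `return -1` exits in the new else branch (after `virPCIDeviceGetVfioPath()` fails and after `virFileExists(iommufdDir)` fails) leak `pci`, because the legacy branch right above releases it with `virPCIDeviceFree(pci); goto done;` before leaving the function, while the new branch returns directly. Suggest mirroring the existing cleanup on both error exits (or moving `pci` to automatic cleanup so neither branch needs the explicit free), and pairing the missing-/dev/iommu case with a virReportError, since a bare -1 gives the caller no message even though qemu_process.c already reports "IOMMU FD support requires /dev/iommu device" for the same condition.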
That makes sense; I will implement this function in the next revision.

Thanks,
Nathan
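As an added illustration of the point being negotiated in the thread (one definition of the /dev/iommu path plus a single "is iommufd usable" helper, and the two distinct device-node sets a VM needs in legacy VFIO versus iommufd mode), the following stand-alone C program is not libvirt code and not part of the patch series. The helper names (`iommufdSupported`, `hostdevDevicePaths`, `vfioGroupDevPath`, `vfioCdevPath`) are hypothetical; `access()` stands in for libvirt's `virFileExists()`. The sysfs layout it relies on (a `<device>/iommu_group` symlink whose basename is the group number, and a `<device>/vfio-dev/vfioN` entry for a device bound to the VFIO cdev interface) is an assumption about the kernel, so the program builds a constructed fake sysfs tree under /tmp rather than reading the real one.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Single definition of the iommufd device node, as suggested in the thread. */
#define VIR_IOMMU_DEV_PATH  "/dev/iommu"
/* Legacy VFIO container node, needed only in non-iommufd mode. */
#define VFIO_CONTAINER_PATH "/dev/vfio/vfio"

/* Hypothetical helper: one existence check instead of repeated
 * virFileExists("/dev/iommu") calls in every security driver. */
static bool iommufdSupported(void)
{
    return access(VIR_IOMMU_DEV_PATH, F_OK) == 0;
}

/* Legacy mode: <sysfs>/bus/pci/devices/<addr>/iommu_group is a symlink whose
 * basename is the IOMMU group number (assumed layout); the VM needs /dev/vfio/<N>. */
static int vfioGroupDevPath(const char *sysfs, const char *addr, char *out, size_t outlen)
{
    char link[PATH_MAX], target[PATH_MAX];
    snprintf(link, sizeof(link), "%s/bus/pci/devices/%s/iommu_group", sysfs, addr);
    ssize_t n = readlink(link, target, sizeof(target) - 1);
    if (n < 0)
        return -1;
    target[n] = '\0';
    const char *base = strrchr(target, '/');
    snprintf(out, outlen, "/dev/vfio/%s", base ? base + 1 : target);
    return 0;
}

/* iommufd mode: <sysfs>/bus/pci/devices/<addr>/vfio-dev/ holds one vfioN entry
 * (assumed layout); the VM needs /dev/vfio/devices/vfioN, not the group node. */
static int vfioCdevPath(const char *sysfs, const char *addr, char *out, size_t outlen)
{
    char dirpath[PATH_MAX];
    snprintf(dirpath, sizeof(dirpath), "%s/bus/pci/devices/%s/vfio-dev", sysfs, addr);
    DIR *d = opendir(dirpath);
    if (!d)
        return -1;
    int ret = -1;
    for (struct dirent *e; (e = readdir(d)) != NULL;) {
        if (strncmp(e->d_name, "vfio", 4) == 0) {
            snprintf(out, outlen, "/dev/vfio/devices/%s", e->d_name);
            ret = 0;
            break;
        }
    }
    closedir(d);
    return ret;
}

/* Fills paths[] with the device nodes to grant (cgroup, namespace, seclabel)
 * for one hostdev. Returns the number of paths, or -1 if the lookup fails. */
static int hostdevDevicePaths(bool iommufd, const char *sysfs, const char *addr,
                              char paths[2][PATH_MAX])
{
    if (iommufd) {
        snprintf(paths[0], PATH_MAX, "%s", VIR_IOMMU_DEV_PATH);
        return vfioCdevPath(sysfs, addr, paths[1], PATH_MAX) < 0 ? -1 : 2;
    }
    snprintf(paths[0], PATH_MAX, "%s", VFIO_CONTAINER_PATH);
    return vfioGroupDevPath(sysfs, addr, paths[1], PATH_MAX) < 0 ? -1 : 2;
}

/* mkdir -p for a path relative to root. */
static void mkpath(const char *root, const char *rel)
{
    char p[PATH_MAX];
    snprintf(p, sizeof(p), "%s/%s", root, rel);
    for (char *s = p + strlen(root) + 1; *s; s++)
        if (*s == '/') { *s = '\0'; mkdir(p, 0700); *s = '/'; }
    mkdir(p, 0700);
}

/* Constructed fake sysfs: device 0000:01:00.0 in IOMMU group 42, exposed as
 * vfio3 through the cdev interface. Returns the root path, or NULL on error. */
static const char *makeFakeSysfs(void)
{
    static char root[PATH_MAX];
    char link[PATH_MAX];
    snprintf(root, sizeof(root), "/tmp/fakesysfs-XXXXXX");
    if (!mkdtemp(root))
        return NULL;
    mkpath(root, "bus/pci/devices/0000:01:00.0/vfio-dev/vfio3");
    mkpath(root, "kernel/iommu_groups/42");
    snprintf(link, sizeof(link), "%s/bus/pci/devices/0000:01:00.0/iommu_group", root);
    return symlink("../../../../kernel/iommu_groups/42", link) == 0 ? root : NULL;
}

/* Resolves path idx (0 or 1) for the fake device in the given mode. */
static const char *demoPath(bool iommufd, int idx)
{
    static char paths[2][PATH_MAX];
    const char *root = makeFakeSysfs();
    if (!root || hostdevDevicePaths(iommufd, root, "0000:01:00.0", paths) != 2)
        return NULL;
    return paths[idx];
}

int main(void)
{
    printf("host has /dev/iommu: %s\n", iommufdSupported() ? "yes" : "no");
    for (int mode = 0; mode < 2; mode++)
        printf("%s: %s %s\n", mode ? "iommufd" : "legacy",
               demoPath(mode, 0), demoPath(mode, 1));
    return 0;
}
```

Run it on any Linux box; the fake tree is created under /tmp so no VFIO device or /dev/iommu is required. The legacy line prints /dev/vfio/vfio and /dev/vfio/42, the iommufd line prints /dev/iommu and /dev/vfio/devices/vfio3, which is exactly the pair of allow-lists the commit message swaps between.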