[PATCH v3 0/2] Fix forward type=hostdev nets for apparmor

Monday, 9 June 2025

Fixes a bug whereby apparmor permissions aren't granted to allow a PCI
SR-IOV virtual function to be used in a kvm guest when the VF is defined
via a forward type='hostdev' network (as per the 'hostdev' option
documented here: https://libvirt.org/formatnetwork.html#connectivity ).

Downstream bug here:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993856

qemu accesses these PCI virtual functions using the vfio API, so no
additional permissions to access to the PCI device resources etc. via
/sys/devices/pci[...]/resource et al. are necessary.

This is a resend with fixed From in body for the patch emails, and
change notes in patch emails.

Thanks,

Tim.

Tim Small (2):
  virt-aa-helper: refactor for readability
  virt-aa-helper: Allow SR-IOV VF PCI for hostdev networks

 .../usr.lib.libvirt.virt-aa-helper.in         |  4 +++
 src/security/virt-aa-helper.c                 | 28 ++++++++++++++++---
 2 files changed, 28 insertions(+), 4 deletions(-)

-- 
2.47.2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[PATCH v3 0/2] Fix forward type=hostdev nets for apparmor