[libvirt] [PATCH 1/1] virt-aa-helper: allow access to /dev/vhost-net if needed

Only allow the access if it is a KVM domain which has a NIC which wants non-userspace networking. This addresses https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1322568 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> --- src/security/virt-aa-helper.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 1d246c7..e54f73f 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -929,7 +929,7 @@ get_files(vahControl * ctl) size_t i; char *uuid; char uuidstr[VIR_UUID_STRING_BUFLEN]; - bool needsVfio = false; + bool needsVfio = false, needsvhost = false; /* verify uuid is same as what we were given on the command line */ virUUIDFormat(ctl->def->uuid, uuidstr); @@ -1105,6 +1105,21 @@ get_files(vahControl * ctl) } } + if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { + for (i = 0; i < ctl->def->nnets; i++) { + virDomainNetDefPtr net = ctl->def->nets[i]; + if (net && net->model) { + if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU) + continue; + if (STRNEQ(net->model, "virtio")) + continue; + } + needsvhost = true; + } + } + if (needsvhost) + virBufferAddLit(&buf, " /dev/vhost-net rw,\n"); + if (needsVfio) { virBufferAddLit(&buf, " /dev/vfio/vfio rw,\n"); virBufferAddLit(&buf, " /dev/vfio/[0-9]* rw,\n"); -- 1.9.1
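Review bot: in the first hunk the new flag `needsvhost` breaks the camelCase of the neighbouring `needsVfio`; naming it `needsVhost` keeps the two parallel and easier to grep, and giving it its own `bool needsVhost = false;` line keeps the declaration style consistent with the surrounding code.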
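Review bot: in the second hunk `needsvhost = true;` is reached for any NIC whose `model` is NULL, because the `if (net && net->model)` block only filters when a model is present; an interface with no model set therefore still adds the `/dev/vhost-net rw,` rule to the profile even though it does not necessarily use a virtio/vhost backend, which widens the profile beyond what the commit message intends. Inverting the test so that only explicitly virtio NICs with a non-QEMU backend set the flag, e.g. `if (!net || !net->model || STRNEQ(net->model, "virtio")) continue;` ahead of the backend check, keeps the rule to the cases that need it. The description also limits the rule to non-userspace networking, but the loop never examines the interface type, so a user-mode virtio NIC still enables it; an explicit check on the interface type would make the generated profile match the description. A `break` after setting the flag would also avoid scanning the remaining NICs.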

On 06/17/2014 09:20 PM, Serge Hallyn wrote:
Only allow the access if it is a KVM domain which has a NIC which wants non-userspace networking.
This addresses https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1322568
Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> --- src/security/virt-aa-helper.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-)
+++ b/src/security/virt-aa-helper.c @@ -929,7 +929,7 @@ get_files(vahControl * ctl) size_t i; char *uuid; char uuidstr[VIR_UUID_STRING_BUFLEN]; - bool needsVfio = false; + bool needsVfio = false, needsvhost = false;
I tend to split declarations like this across two lines, but it's cosmetic, doesn't affect correctness, and isn't mentioned in HACKING. ACK and pushed.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org