12:20 p.m.
Fixes a regression I brough in virt-aa-helper with the lxc apparmor profiles.
And makes vfio work even with apparmor enforced on libvirtd
Cédric Bosdonnat (2):
Fixed regression in apparmor profiles for qemu brought by 43c030f
Fix apparmor profile to make vfio pci passthrough work
examples/apparmor/libvirt-qemu | 5 +++++
examples/apparmor/usr.sbin.libvirtd | 3 +++
src/security/virt-aa-helper.c | 4 +++-
3 files changed, 11 insertions(+), 1 deletion(-)
--
1.9.0
12:20 p.m.
New subject: [libvirt] [PATCH 1/2] Fixed regression in apparmor profiles for qemu brought by 43c030f
---
src/security/virt-aa-helper.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index b8b0610..59de517 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1281,7 +1281,9 @@ main(int argc, char **argv)
if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
goto cleanup;
} else {
- if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU) {
+ if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU ||
+ ctl->def->virtType == VIR_DOMAIN_VIRT_KQEMU ||
+ ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
virBufferAsprintf(&buf, "
\"%s/log/libvirt/**/%s.log\" w,\n",
LOCALSTATEDIR, ctl->def->name);
virBufferAsprintf(&buf, "
\"%s/lib/libvirt/**/%s.monitor\" rw,\n",
--
1.9.0
10:05 a.m.
New subject: [libvirt] [PATCH 1/2] Fixed regression in apparmor profiles for qemu brought by 43c030f
On 03/24/2014 11:20 AM, Cédric Bosdonnat wrote:
---
src/security/virt-aa-helper.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
ACK and pushed.
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index b8b0610..59de517 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1281,7 +1281,9 @@ main(int argc, char **argv)
if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
goto cleanup;
} else {
- if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU) {
+ if (ctl->def->virtType == VIR_DOMAIN_VIRT_QEMU ||
+ ctl->def->virtType == VIR_DOMAIN_VIRT_KQEMU ||
+ ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
virBufferAsprintf(&buf, "
\"%s/log/libvirt/**/%s.log\" w,\n",
LOCALSTATEDIR, ctl->def->name);
virBufferAsprintf(&buf, "
\"%s/lib/libvirt/**/%s.monitor\" rw,\n",
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
12:20 p.m.
New subject: [libvirt] [PATCH 2/2] Fix apparmor profile to make vfio pci passthrough work
See lp#1276719 for the bug description. As virt-aa-helper doesn't know
the VFIO groups to use for the guest, allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files.
---
examples/apparmor/libvirt-qemu | 5 +++++
examples/apparmor/usr.sbin.libvirtd | 3 +++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index e1980b7..c3dfa57 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -110,6 +110,7 @@
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
+ /usr/lib/qemu/block-curl.so mr,
# for save and resume
/bin/dash rmix,
@@ -122,6 +123,10 @@
/sys/bus/ r,
/sys/class/ r,
+ # for vfio access
+ /dev/vfio/vfio rw,
+ /dev/vfio/[0-9]* rw,
+
/usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index fd6def1..3011eff 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -25,6 +25,9 @@
capability fsetid,
capability audit_write,
+ # Needed for vfio
+ capability sys_resource,
+
network inet stream,
network inet dgram,
network inet6 stream,
--
1.9.0
10:21 p.m.
New subject: [libvirt] [PATCH 2/2] Fix apparmor profile to make vfio pci passthrough work
Quoting Cédric Bosdonnat (cbosdonnat(a)suse.com):
See lp#1276719 for the bug description. As virt-aa-helper doesn't
know
Great, thanks for addressing this.
the VFIO groups to use for the guest,
Is there really no way for it to know that (based on xml)? If not then
I guess this is the way to go - though even in that case could we at
least have virt-aa-helper only allow access to all vfio* only when vfio
pci is required?
allow access to all
/dev/vfio/[0-9]* and /dev/vfio/vfio files.
---
(Note - there is no signed-off-by on these patches)
examples/apparmor/libvirt-qemu | 5 +++++
examples/apparmor/usr.sbin.libvirtd | 3 +++
2 files changed, 8 insertions(+)
diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index e1980b7..c3dfa57 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -110,6 +110,7 @@
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
+ /usr/lib/qemu/block-curl.so mr,
# for save and resume
/bin/dash rmix,
@@ -122,6 +123,10 @@
/sys/bus/ r,
/sys/class/ r,
+ # for vfio access
+ /dev/vfio/vfio rw,
+ /dev/vfio/[0-9]* rw,
+
/usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
# child profile for bridge helper process
profile qemu_bridge_helper {
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index fd6def1..3011eff 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -25,6 +25,9 @@
capability fsetid,
capability audit_write,
+ # Needed for vfio
+ capability sys_resource,
+
network inet stream,
network inet dgram,
network inet6 stream,
--
1.9.0
--
libvir-list mailing list
libvir-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
3:37 a.m.
New subject: [libvirt] [PATCH 2/2] Fix apparmor profile to make vfio pci passthrough work
Hello Serge,
On Mon, 2014-03-24 at 22:21 -0500, Serge Hallyn wrote:
Quoting Cédric Bosdonnat (cbosdonnat(a)suse.com):
> See lp#1276719 for the bug description. As virt-aa-helper doesn't know
Great, thanks for addressing this.
> the VFIO groups to use for the guest,
Is there really no way for it to know that (based on xml)? If not then
I guess this is the way to go - though even in that case could we at
least have virt-aa-helper only allow access to all vfio* only when vfio
pci is required?
Sadly the vfio group is handled on the qemu side, there is nothing on
the xml side. But I surely can change the patch to add the vfio rule to
the *.files part of the profile and only when vfio is needed by the
guest: that would restrain the access a bit.
--
Cedric
3893
days inactive
3896
days old
5 comments
4 participants
participants (4)
-
Cedric Bosdonnat -
Cédric Bosdonnat
-
Eric Blake -
Serge Hallyn