Add a check for <forward type='hostdev'> networks, which were previously neglected (as opposed to explicit PCI hostdev devices), so that they can be granted the necessary permissions for PCI device access. The network type lookup in turn requires the helper to read libvirt.conf
Downstream bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993856
Signed-off-by: Tim Small <t...@seoss.co.uk>
---
 .../apparmor/usr.lib.libvirt.virt-aa-helper.in | 3 +++
 src/security/virt-aa-helper.c | 11 +++++++++++
 2 files changed, 14 insertions(+)
diff --git a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
index e209a8bff7..3b3d733b5e 100644
--- a/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
+++ b/src/security/apparmor/usr.lib.libvirt.virt-aa-helper.in
@@ -49,6 +49,9 @@ profile virt-aa-helper @libexecdir@/virt-aa-helper {
 @sysconfdir@/apparmor.d/libvirt/* r,
 @sysconfdir@/apparmor.d/libvirt/libvirt-@{UUID}* rw,
 
+ # allow network type lookup to check for forward type=hostdev networks
+ @sysconfdir@/libvirt/libvirt.conf r,
+
 # for backingstore -- allow access to non-hidden files in @{HOME} as well
 # as storage pools
 audit deny @{HOME}/.* mrwkl,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index fa69245324..7228292358 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1142,6 +1142,12 @@ get_files(vahControl * ctl)
 vhu->type) != 0)
 goto cleanup;
 }
+ /* Grant vfio for SR-IOV PCI VFs shared via <forward type='hostdev'> networks */
+ if (net &&
+ net->type == VIR_DOMAIN_NET_TYPE_NETWORK &&
+ virDomainNetResolveActualType(net) == VIR_DOMAIN_NET_TYPE_HOSTDEV) {
+ needsVfio = true;
+ }
 }
 
 for (i = 0; i < ctl->def->nmems; i++) {
@@ -1306,6 +1312,11 @@ get_files(vahControl * ctl)
 if (!virDomainNetIsVirtioModel(net))
 continue;
 }
+ if (net &&
+ net->type == VIR_DOMAIN_NET_TYPE_NETWORK &&
+ virDomainNetResolveActualType(net) == VIR_DOMAIN_NET_TYPE_HOSTDEV) {
+ continue;
+ }
 needsvhost = true;
 }
 }
-- 
2.47.2
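Review bot: In the `@@ -1142` hunk of virt-aa-helper.c the new condition folds a failed resolution into "not a hostdev network": as far as I can tell `virDomainNetResolveActualType()` returns a negative value when the network cannot be looked up from the confined helper, the comparison with `VIR_DOMAIN_NET_TYPE_HOSTDEV` is then simply false, and the profile is generated without the vfio grant, so the guest fails later with an opaque denial while the only trace is the resolver's own log line. The identical three-line predicate is repeated in the `@@ -1306` hunk, which also means every interface of a hostdev network is resolved twice. I would move the predicate into a small static helper that distinguishes "not hostdev" from "could not resolve" and have both call sites `goto cleanup` on the latter, as the vhostuser path just above already does; at `@@ -1306` the same two checks replace the added block with `continue` in place of `needsVfio = true`. Both enclosing loops of `get_files()` start and end outside the hunks.
```c
/* Returns 1 when @net is an <interface type='network'> whose network uses
 * <forward type='hostdev'>, 0 otherwise, and -1 when the network could not
 * be resolved. */
static int
vah_net_is_hostdev_network(virDomainNetDef *net)
{
    int actual;

    if (!net || net->type != VIR_DOMAIN_NET_TYPE_NETWORK)
        return 0;

    actual = virDomainNetResolveActualType(net);
    if (actual < 0)
        return -1;

    return actual == VIR_DOMAIN_NET_TYPE_HOSTDEV;
}

/* … unchanged: get_files() up to the vhostuser chardev handling … */
        int hostdev_net = vah_net_is_hostdev_network(net);
        if (hostdev_net < 0)
            goto cleanup;
        if (hostdev_net)
            needsVfio = true;
```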