[RFC PATCH v2 2/4] qemu: Add cgroup, namespace, and seclabel setup for EGM memory device model

Thu, 06 Nov 2025 17:47:08 -0800 

Implement proper isolation and access control for EGM memory devices:

- Add device to cgroup for access control
- Set up namespace mappings for device access
- Ensure proper permissions in containerized environments
- Allow EGM device path access to bypass SELinux, AppArmor,
  and DAC permissions

Signed-off-by: Nathan Chen <[email protected]>
---
 src/qemu/qemu_cgroup.c           | 10 ++++++++++
 src/qemu/qemu_namespace.c        |  3 +++
 src/security/security_apparmor.c |  2 ++
 src/security/security_dac.c      |  8 ++++++++
 src/security/security_selinux.c  |  6 ++++++
 src/security/virt-aa-helper.c    |  4 ++++
 6 files changed, 33 insertions(+)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index f10976c2b0..1526af8a87 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -578,6 +578,11 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
                                         VIR_CGROUP_DEVICE_RW, false) < 0)
             return -1;
         break;
+    case VIR_DOMAIN_MEMORY_MODEL_EGM:
+        if (qemuCgroupAllowDevicePath(vm, mem->source.egm.path,
+                                      VIR_CGROUP_DEVICE_RW, false) < 0)
+            return -1;
+        break;
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
@@ -616,6 +621,11 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
                                        VIR_CGROUP_DEVICE_RW, false) < 0)
             return -1;
         break;
+    case VIR_DOMAIN_MEMORY_MODEL_EGM:
+        if (qemuCgroupDenyDevicePath(vm, mem->source.egm.path,
+                                     VIR_CGROUP_DEVICE_RWM, false) < 0)
+            return -1;
+        break;
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index f72da83929..ef193a8399 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -386,6 +386,9 @@ qemuDomainSetupMemory(virDomainMemoryDef *mem,
         *paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_SGX_VEPVC));
         *paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_SGX_PROVISION));
         break;
+    case VIR_DOMAIN_MEMORY_MODEL_EGM:
+        *paths = g_slist_prepend(*paths, g_strdup(mem->source.egm.path));
+        break;
 
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 68ac39611f..ea04e756d6 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -631,6 +631,8 @@ AppArmorSetMemoryLabel(virSecurityManager *mgr,
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
     case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
+    case VIR_DOMAIN_MEMORY_MODEL_EGM:
+        path = mem->source.egm.path;
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
         break;
     }
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 2f788b872a..2d79009ee9 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1890,6 +1890,9 @@ virSecurityDACRestoreMemoryLabel(virSecurityManager *mgr,
          * don't need to restore anything. */
         break;
 
+    case VIR_DOMAIN_MEMORY_MODEL_EGM:
+        return virSecurityDACRestoreFileLabel(mgr, mem->source.egm.path);
+
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
@@ -2121,6 +2124,11 @@ virSecurityDACSetMemoryLabel(virSecurityManager *mgr,
             return -1;
         break;
 
+    case VIR_DOMAIN_MEMORY_MODEL_EGM:
+        return virSecurityDACSetOwnership(mgr, NULL,
+                                          mem->source.egm.path,
+                                          user, group, true);
+
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
     case VIR_DOMAIN_MEMORY_MODEL_LAST:
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index fa5d1568eb..33b8f65767 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1650,6 +1650,9 @@ virSecuritySELinuxSetMemoryLabel(virSecurityManager *mgr,
                                          seclabel->imagelabel, true) < 0)
             return -1;
         break;
+    case VIR_DOMAIN_MEMORY_MODEL_EGM:
+        path = mem->source.egm.path;
+        break;
 
     case VIR_DOMAIN_MEMORY_MODEL_NONE:
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
@@ -1693,6 +1696,9 @@ virSecuritySELinuxRestoreMemoryLabel(virSecurityManager 
*mgr,
         if (virSecuritySELinuxRestoreFileLabel(mgr, DEV_SGX_PROVISION, true) < 
0)
             ret = -1;
         return ret;
+    case VIR_DOMAIN_MEMORY_MODEL_EGM:
+        path = mem->source.egm.path;
+        break;
 
     case VIR_DOMAIN_MEMORY_MODEL_DIMM:
     case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 8a297d4b54..b7f3fa2c5b 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1194,6 +1194,10 @@ get_files(vahControl * ctl)
                 return -1;
             }
             break;
+        case VIR_DOMAIN_MEMORY_MODEL_EGM:
+            if (vah_add_file(&buf, mem->source.egm.path, "rw") != 0)
+                return -1;
+            break;
 
         case VIR_DOMAIN_MEMORY_MODEL_DIMM:
         case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
-- 
2.43.0

Reply via email to