On Fri, Jan 16, 2026 at 05:39:36PM -0800, Nathan Chen via Devel wrote:
> From: Nathan Chen <[email protected]>
> 
> When launching a qemu VM with the iommufd feature enabled for VFIO
> hostdevs:
> - Do not allow cgroup, namespace, and seclabel access to VFIO
> paths (/dev/vfio/vfio and /dev/vfio/<iommugroup>)
> - Allow access to iommufd paths (/dev/iommu and
> /dev/vfio/devices/vfio*) for AppArmor, SELinux, and DAC
> 
> Signed-off-by: Nathan Chen <[email protected]>
> ---
>  src/qemu/qemu_cgroup.c           |  3 ++
>  src/qemu/qemu_namespace.c        |  3 ++
>  src/security/security_apparmor.c | 31 ++++++++++++++------
>  src/security/security_dac.c      | 49 +++++++++++++++++++++++++-------
>  src/security/security_selinux.c  | 47 +++++++++++++++++++++++-------
>  src/security/virt-aa-helper.c    | 33 ++++++++++++++++-----
>  6 files changed, 130 insertions(+), 36 deletions(-)

[...]

> diff --git a/src/security/security_apparmor.c 
> b/src/security/security_apparmor.c
> index 68ac39611f..e7987b54b4 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -45,6 +45,7 @@
>  #include "virstring.h"
>  #include "virscsi.h"
>  #include "virmdev.h"
> +#include "viriommufd.h"
>  
>  #define VIR_FROM_THIS VIR_FROM_SECURITY
>  
> @@ -841,25 +842,37 @@ AppArmorSetSecurityHostdevLabel(virSecurityManager *mgr,
>      }
>  
>      case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
> -        virPCIDevice *pci =
> +        g_autoptr(virPCIDevice) pci =
>              virPCIDeviceNew(&pcisrc->addr);
>  
>          if (!pci)
>              goto done;
>  
>          if (pcisrc->driver.name == VIR_DEVICE_HOSTDEV_PCI_DRIVER_NAME_VFIO) {
> -            char *vfioGroupDev = virPCIDeviceGetIOMMUGroupDev(pci);
> -
> -            if (!vfioGroupDev) {
> -                virPCIDeviceFree(pci);
> -                goto done;
> +            if (dev->source.subsys.u.pci.driver.iommufd != 
> VIR_TRISTATE_BOOL_YES) {
> +                char *vfioGroupDev = virPCIDeviceGetIOMMUGroupDev(pci);
> +
> +                if (!vfioGroupDev) {
> +                    virPCIDeviceFree(pci);

This virPCIDeviceFree should be removed as the pci was converted to
g_autoptr().

> +                    goto done;
> +                }
> +                ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
> +                VIR_FREE(vfioGroupDev);
> +            } else {
> +                g_autofree char *vfiofdDev = NULL;
> +
> +                if (virPCIDeviceGetVfioPath(&dev->source.subsys.u.pci.addr, 
> &vfiofdDev) < 0)
> +                    goto done;
> +
> +                ret = AppArmorSetSecurityPCILabel(pci, vfiofdDev, ptr);
> +                if (ret < 0)
> +                    goto done;
> +
> +                ret = AppArmorSetSecurityPCILabel(pci, VIR_IOMMU_DEV_PATH, 
> ptr);
>              }
> -            ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
> -            VIR_FREE(vfioGroupDev);
>          } else {
>              ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, 
> ptr);
>          }
> -        virPCIDeviceFree(pci);
>          break;
>      }
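Review bot: In the non-iommufd branch of the `VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI` case, `vfioGroupDev` is still a plain `char *` released by hand with `VIR_FREE()`, while the iommufd branch added just below it uses `g_autofree` for `vfiofdDev`. Declaring it as `g_autofree char *vfioGroupDev = virPCIDeviceGetIOMMUGroupDev(pci);` lets the `VIR_FREE(vfioGroupDev);` line be dropped, so neither exit path of this case depends on manual cleanup. The new lines also spell out `dev->source.subsys.u.pci.driver.iommufd` and `&dev->source.subsys.u.pci.addr` where the surrounding code uses `pcisrc->driver.name` and `&pcisrc->addr`. Assuming `pcisrc` points at that same struct (its declaration is outside the hunk), `pcisrc->driver.iommufd` and `&pcisrc->addr` would be consistent and short enough to avoid the wrapped lines. The enclosing function starts and ends outside the hunk.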

Pavel
