Re: [libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work

2014-03-27 Thread Eric Blake
On 03/25/2014 03:27 PM, Serge Hallyn wrote:
 Quoting Cedric Bosdonnat (cbosdon...@suse.com):
 On Tue, 2014-03-25 at 10:40 -0500, Serge Hallyn wrote:
 Quoting Cédric Bosdonnat (cbosdon...@suse.com):
 See lp#1276719 for the bug description. As virt-aa-helper doesn't know
 the VFIO groups to use for the guest, allow access to all
 /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
 for vfio
 ---

 Thanks, Cédric!  Looks good to me.  Still needs a signed-off-by from you
 (I assume), but

 Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

 I wasn't aware I needed to sign-off my patches, but I can resubmit with
 it ;)
 
 Actually it looks like I'm wrong, libvirt doesn't require them:
 
 http://libvirt.org/hacking.html  (point 3)
 
 I've pushed this patch to ppa:ubuntu-virt/candidate, which is meant to
 go into trusty when qemu 2.0 is released.

 +if (needsVfio) {
 +virBufferAsprintf(buf,   /dev/vfio/vfio rw,\n);
 +virBufferAsprintf(buf,   /dev/vfio/[0-9]* rw,\n);
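Review bot: The /dev/vfio/[0-9]* rule in this block grants read and write on every VFIO group node on the host, not only on the groups of the devices assigned to this guest, so one guest's profile also covers groups used by other guests' passthrough devices. The commit message says virt-aa-helper does not know the groups; if the group can be resolved for each PCI hostdev when the profile is generated, emit one /dev/vfio/<group> rw, rule per device instead, and if it cannot, add a code comment next to the glob recording that the wide rule is deliberate.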

virBufferAsprintf should only be used with % format strings.  This fails
'make syntax-check':

prohibit_virBufferAsprintf_with_string_literal
src/security/virt-aa-helper.c:1107:virBufferAsprintf(buf, /dev/vfio/vfio rw,\n);
src/security/virt-aa-helper.c:1108:virBufferAsprintf(buf, /dev/vfio/[0-9]* rw,\n);
maint.mk: use virBufferAddLit, not virBufferAsprintf, with a string literal

I made the obvious change, and pushed in time for 1.2.3.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org



--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work

2014-03-25 Thread Serge Hallyn
Quoting Cédric Bosdonnat (cbosdon...@suse.com):
 See lp#1276719 for the bug description. As virt-aa-helper doesn't know
 the VFIO groups to use for the guest, allow access to all
 /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
 for vfio
 ---

Thanks, Cédric!  Looks good to me.  Still needs a signed-off-by from you
(I assume), but

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

  examples/apparmor/libvirt-qemu  |  1 +
  examples/apparmor/usr.sbin.libvirtd |  3 +++
  src/security/virt-aa-helper.c   | 12 
  3 files changed, 16 insertions(+)
 
 diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
 index e1980b7..83814ec 100644
 --- a/examples/apparmor/libvirt-qemu
 +++ b/examples/apparmor/libvirt-qemu
 @@ -110,6 +110,7 @@
/usr/bin/qemu-sparc32plus rmix,
/usr/bin/qemu-sparc64 rmix,
/usr/bin/qemu-x86_64 rmix,
 +  /usr/lib/qemu/block-curl.so mr,
  
# for save and resume
/bin/dash rmix,
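Review bot: The added /usr/lib/qemu/block-curl.so mr, line is not covered by the commit message, which only talks about access to /dev/vfio. Either move it to a separate patch or state in the commit message why the curl block driver needs to be mapped, so that the profile change can be reviewed and reverted on its own.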
 diff --git a/examples/apparmor/usr.sbin.libvirtd 
 b/examples/apparmor/usr.sbin.libvirtd
 index fd6def1..3011eff 100644
 --- a/examples/apparmor/usr.sbin.libvirtd
 +++ b/examples/apparmor/usr.sbin.libvirtd
 @@ -25,6 +25,9 @@
capability fsetid,
capability audit_write,
  
 +  # Needed for vfio
 +  capability sys_resource,
 +
network inet stream,
network inet dgram,
network inet6 stream,
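Review bot: capability sys_resource is granted to the libvirtd profile unconditionally, and the comment above it says only "Needed for vfio". Name the operation that fails without it, in the comment or in the commit message, so a later reader can tell when the capability can be dropped again.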
 diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
 index 59de517..998dc53 100644
 --- a/src/security/virt-aa-helper.c
 +++ b/src/security/virt-aa-helper.c
 @@ -927,6 +927,7 @@ get_files(vahControl * ctl)
  size_t i;
  char *uuid;
  char uuidstr[VIR_UUID_STRING_BUFLEN];
 +bool needsVfio = false;
  
  /* verify uuid is same as what we were given on the command line */
  virUUIDFormat(ctl-def-uuid, uuidstr);
 @@ -1068,6 +1069,12 @@ get_files(vahControl * ctl)
 dev-source.subsys.u.pci.addr.slot,
 dev-source.subsys.u.pci.addr.function);
  
 +virDomainHostdevSubsysPciBackendType backend = 
 dev-source.subsys.u.pci.backend;
 +if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
 +backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
 +needsVfio = true;
 +}
 +
  if (pci == NULL)
  continue;
  
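Review bot: needsVfio is set before the pci == NULL test and also for VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT, so the /dev/vfio rules are emitted for any PCI hostdev that has no explicit backend, including one whose device lookup failed and is skipped by the continue. Consider moving the backend check below the NULL test and adding a comment on why the default backend is treated as VFIO. The declaration of backend also sits in the middle of the block after statements; declare it at the top of the enclosing block.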
 @@ -1096,6 +1103,11 @@ get_files(vahControl * ctl)
  }
  }
  
 +if (needsVfio) {
 +virBufferAsprintf(buf,   /dev/vfio/vfio rw,\n);
 +virBufferAsprintf(buf,   /dev/vfio/[0-9]* rw,\n);
 +}
 +
  if (ctl-newfile)
  if (vah_add_file(buf, ctl-newfile, rw) != 0)
  goto cleanup;
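Review bot: Both virBufferAsprintf calls in the needsVfio block pass a fixed string with no format arguments, which 'make syntax-check' rejects under prohibit_virBufferAsprintf_with_string_literal, as reported elsewhere in this thread. Use virBufferAddLit for the two rule lines.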
 -- 
 1.9.0
 


Re: [libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work

2014-03-25 Thread Cedric Bosdonnat
On Tue, 2014-03-25 at 10:40 -0500, Serge Hallyn wrote:
 Quoting Cédric Bosdonnat (cbosdon...@suse.com):
  See lp#1276719 for the bug description. As virt-aa-helper doesn't know
  the VFIO groups to use for the guest, allow access to all
  /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
  for vfio
  ---
 
 Thanks, Cédric!  Looks good to me.  Still needs a signed-off-by from you
 (I assume), but
 
 Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

I wasn't aware I needed to sign-off my patches, but I can resubmit with
it ;)

--
Cedric


Re: [libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work

2014-03-25 Thread Serge Hallyn
Quoting Cedric Bosdonnat (cbosdon...@suse.com):
 On Tue, 2014-03-25 at 10:40 -0500, Serge Hallyn wrote:
  Quoting Cédric Bosdonnat (cbosdon...@suse.com):
   See lp#1276719 for the bug description. As virt-aa-helper doesn't know
   the VFIO groups to use for the guest, allow access to all
   /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need
   for vfio
   ---
  
  Thanks, Cédric!  Looks good to me.  Still needs a signed-off-by from you
  (I assume), but
  
  Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com
 
 I wasn't aware I needed to sign-off my patches, but I can resubmit with
 it ;)

Actually it looks like I'm wrong, libvirt doesn't require them:

http://libvirt.org/hacking.html  (point 3)

I've pushed this patch to ppa:ubuntu-virt/candidate, which is meant to
go into trusty when qemu 2.0 is released.

thanks,
-serge
