Re: [libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work
On 03/25/2014 03:27 PM, Serge Hallyn wrote:
> Quoting Cedric Bosdonnat (cbosdon...@suse.com):
>> On Tue, 2014-03-25 at 10:40 -0500, Serge Hallyn wrote:
>>> Quoting Cédric Bosdonnat (cbosdon...@suse.com):
>>>> See lp#1276719 for the bug description.
>>>>
>>>> As virt-aa-helper doesn't know the VFIO groups to use for the guest,
>>>> allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files if there
>>>> is a potential need for vfio
>>>> ---
>>>
>>> Thanks, Cédric! Looks good to me. Still needs a signed-off-by from you
>>> (I assume), but
>>>
>>> Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com
>>
>> I wasn't aware I needed to sign-off my patches, but I can resubmit with it ;)
>
> Actually it looks like I'm wrong, libvirt doesn't require them:
> http://libvirt.org/hacking.html (point 3)
>
> I've pushed this patch to ppa:ubuntu-virt/candidate, which is meant to
> go into trusty when qemu 2.0 is released.

>>>> +if (needsVfio) { +virBufferAsprintf(buf, /dev/vfio/vfio rw,\n); +virBufferAsprintf(buf, /dev/vfio/[0-9]* rw,\n);

virBufferAsprintf should only be used with % format strings. This fails
'make syntax-check':

prohibit_virBufferAsprintf_with_string_literal
src/security/virt-aa-helper.c:1107:virBufferAsprintf(buf, /dev/vfio/vfio rw,\n);
src/security/virt-aa-helper.c:1108:virBufferAsprintf(buf, /dev/vfio/[0-9]* rw,\n);
maint.mk: use virBufferAddLit, not virBufferAsprintf, with a string literal

I made the obvious change, and pushed in time for 1.2.3.

-- 
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-- 
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work
Quoting Cédric Bosdonnat (cbosdon...@suse.com):
> See lp#1276719 for the bug description.
>
> As virt-aa-helper doesn't know the VFIO groups to use for the guest,
> allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files if there
> is a potential need for vfio
> ---

Thanks, Cédric! Looks good to me. Still needs a signed-off-by from you
(I assume), but

Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

examples/apparmor/libvirt-qemu | 1 + examples/apparmor/usr.sbin.libvirtd | 3 +++ src/security/virt-aa-helper.c | 12 3 files changed, 16 insertions(+) diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu index e1980b7..83814ec 100644 --- a/examples/apparmor/libvirt-qemu +++ b/examples/apparmor/libvirt-qemu @@ -110,6 +110,7 @@ /usr/bin/qemu-sparc32plus rmix, /usr/bin/qemu-sparc64 rmix, /usr/bin/qemu-x86_64 rmix, + /usr/lib/qemu/block-curl.so mr, # for save and resume /bin/dash rmix, diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd index fd6def1..3011eff 100644 --- a/examples/apparmor/usr.sbin.libvirtd +++ b/examples/apparmor/usr.sbin.libvirtd @@ -25,6 +25,9 @@ capability fsetid, capability audit_write, + # Needed for vfio + capability sys_resource, + network inet stream, network inet dgram, network inet6 stream, diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 59de517..998dc53 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -927,6 +927,7 @@ get_files(vahControl * ctl) size_t i; char *uuid; char uuidstr[VIR_UUID_STRING_BUFLEN]; +bool needsVfio = false; /* verify uuid is same as what we were given on the command line */ virUUIDFormat(ctl-def-uuid, uuidstr); 
@@ -1068,6 +1069,12 @@ get_files(vahControl * ctl) dev-source.subsys.u.pci.addr.slot, dev-source.subsys.u.pci.addr.function); +virDomainHostdevSubsysPciBackendType backend = dev-source.subsys.u.pci.backend; +if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO || +backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) { +needsVfio = true; +} + if (pci == NULL) continue; @@ -1096,6 +1103,11 @@ get_files(vahControl * ctl) } } +if (needsVfio) { +virBufferAsprintf(buf, /dev/vfio/vfio rw,\n); +virBufferAsprintf(buf, /dev/vfio/[0-9]* rw,\n); +} + if (ctl-newfile) if (vah_add_file(buf, ctl-newfile, rw) != 0) goto cleanup; -- 1.9.0
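Review bot: the "/usr/lib/qemu/block-curl.so mr," line added to examples/apparmor/libvirt-qemu has nothing to do with VFIO and is not mentioned in the commit message, which only talks about /dev/vfio access; either split it into its own patch with its own justification or extend the commit message to say why the guest profile now needs to map the curl block driver module, so that a later audit of the profile can tell why each rule is there.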
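Review bot: the comment "# Needed for vfio" above "capability sys_resource," in examples/apparmor/usr.sbin.libvirtd does not say which libvirtd operation needs CAP_SYS_RESOURCE (presumably raising the locked-memory rlimit for the guest's pinned DMA memory); granting a capability to libvirtd widens what a compromised daemon can do, so the comment should name the exact limit or syscall so the grant can be reviewed and dropped if that code path changes.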
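Review bot: in the get_files() hunk at line 1069, treating VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT the same as VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO means every hostdev whose backend is left unspecified also unlocks /dev/vfio for the guest, even on hosts where the default resolves to legacy KVM assignment; a short comment that virt-aa-helper cannot resolve the default backend here and therefore errs on the permissive side would stop this from reading as an oversight.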
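Review bot: the two virBufferAsprintf calls in the hunk at line 1103 pass a plain string literal with no % directives, which libvirt's syntax-check rejects; use virBufferAddLit(buf, "...") for both. Also, "/dev/vfio/[0-9]* rw," gives the guest every VFIO group on the host rather than only the groups of its assigned devices, which is the trade-off the commit message describes; a comment next to the rule saying why the group numbers are not known at this point, and that narrowing the rule is the intended follow-up, would keep that decision visible to whoever next touches the profile.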
Re: [libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work
On Tue, 2014-03-25 at 10:40 -0500, Serge Hallyn wrote:
> Quoting Cédric Bosdonnat (cbosdon...@suse.com):
>> See lp#1276719 for the bug description.
>>
>> As virt-aa-helper doesn't know the VFIO groups to use for the guest,
>> allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files if there
>> is a potential need for vfio
>> ---
>
> Thanks, Cédric! Looks good to me. Still needs a signed-off-by from you
> (I assume), but
>
> Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com

I wasn't aware I needed to sign-off my patches, but I can resubmit with it ;)

-- 
Cedric
Re: [libvirt] [PATCH v2] Fix apparmor profile to make vfio pci passthrough work
Quoting Cedric Bosdonnat (cbosdon...@suse.com):
> On Tue, 2014-03-25 at 10:40 -0500, Serge Hallyn wrote:
>> Quoting Cédric Bosdonnat (cbosdon...@suse.com):
>>> See lp#1276719 for the bug description.
>>>
>>> As virt-aa-helper doesn't know the VFIO groups to use for the guest,
>>> allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files if there
>>> is a potential need for vfio
>>> ---
>>
>> Thanks, Cédric! Looks good to me. Still needs a signed-off-by from you
>> (I assume), but
>>
>> Acked-by: Serge E. Hallyn serge.hal...@ubuntu.com
>
> I wasn't aware I needed to sign-off my patches, but I can resubmit with it ;)

Actually it looks like I'm wrong, libvirt doesn't require them:
http://libvirt.org/hacking.html (point 3)

I've pushed this patch to ppa:ubuntu-virt/candidate, which is meant to
go into trusty when qemu 2.0 is released.

thanks,
-serge