From 74e86b6b2521881808bb93290bcebcb469ab7820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=A9dric=20Bosdonnat?=
Date: Tue, 25 Mar 2014 12:48:26 +0100
Subject: [PATCH] Fix apparmor profile to make vfio pci passthrough work

See lp#1276719 for the bug description. As virt-aa-helper doesn't know the VFIO groups to use for the guest, allow access to all /dev/vfio/[0-9]* and /dev/vfio/vfio files if there is a potential need for vfio
Signed-off-by: Eric Blake
---
examples/apparmor/libvirt-qemu | 1 +
examples/apparmor/usr.sbin.libvirtd | 3 +++
src/security/virt-aa-helper.c | 14 +++++++++++++-
3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
index e1980b7cb7..83814ecf56 100644
--- a/examples/apparmor/libvirt-qemu
+++ b/examples/apparmor/libvirt-qemu
@@ -110,6 +110,7 @@
 /usr/bin/qemu-sparc32plus rmix,
 /usr/bin/qemu-sparc64 rmix,
 /usr/bin/qemu-x86_64 rmix,
+ /usr/lib/qemu/block-curl.so mr,
 # for save and resume
 /bin/dash rmix,
diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
index fd6def1d85..3011eff3f9 100644
--- a/examples/apparmor/usr.sbin.libvirtd
+++ b/examples/apparmor/usr.sbin.libvirtd
@@ -25,6 +25,9 @@
 capability fsetid,
 capability audit_write,
+ # Needed for vfio
+ capability sys_resource,
+
 network inet stream,
 network inet dgram,
 network inet6 stream,
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 506707f02a..64a382c102 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1,7 +1,7 @@
 /*
 * virt-aa-helper: wrapper program used by AppArmor security driver.
 *
- * Copyright (C) 2010-2013 Red Hat, Inc.
+ * Copyright (C) 2010-2014 Red Hat, Inc.
 * Copyright (C) 2009-2011 Canonical Ltd.
 *
 * This library is free software; you can redistribute it and/or 
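Review bot: The `/usr/lib/qemu/block-curl.so mr,` rule added below the qemu-x86_64 line has nothing to do with VFIO passthrough, and neither the profile nor the commit message says why the guest abstraction now needs to map this block driver; an unexplained widening of the qemu profile is hard to audit later and should either be its own commit or carry a comment such as `# qemu's curl block backend, shipped as a loadable module on some distros` (adjusted to the actual reason for the denial). The path also looks distro-specific — other packagings appear to install qemu modules under a different libdir — so the comment should say which layout it targets, otherwise the rule is silently dead elsewhere while still suggesting the access was reviewed.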
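Review bot: `capability sys_resource,` is granted to the whole libvirtd profile with only `# Needed for vfio` as justification, and CAP_SYS_RESOURCE covers much more than a VFIO guest plausibly needs (overriding disk quotas, raising any hard rlimit, and more), so the comment should record the concrete operation that was denied so the grant can be re-evaluated when the code path changes. Presumably this is libvirtd raising the locked-memory rlimit of the qemu process so VFIO can pin guest RAM — confirm against the denial in the referenced bug and write it down, e.g. `# Needed for vfio: raising RLIMIT_MEMLOCK of the qemu process so guest RAM can be pinned (CAP_SYS_RESOURCE is broad; re-check when touching this)`. If the actual denial was something else, name that instead of "vfio" in general.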
@@ -927,6 +927,7 @@ get_files(vahControl * ctl)
 size_t i;
 char *uuid;
 char uuidstr[VIR_UUID_STRING_BUFLEN];
+ bool needsVfio = false;
 /* verify uuid is same as what we were given on the command line */
 virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1068,6 +1069,12 @@ get_files(vahControl * ctl)
 dev->source.subsys.u.pci.addr.slot,
 dev->source.subsys.u.pci.addr.function);
+ virDomainHostdevSubsysPciBackendType backend = dev->source.subsys.u.pci.backend;
+ if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO || backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
+ needsVfio = true;
+ }
+
 if (pci == NULL)
 continue;
@@ -1096,6 +1103,11 @@ get_files(vahControl * ctl)
 }
 }
+ if (needsVfio) {
+ virBufferAddLit(&buf, " /dev/vfio/vfio rw,\n");
+ virBufferAddLit(&buf, " /dev/vfio/[0-9]* rw,\n");
+ }
+
 if (ctl->newfile)
 if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
 goto cleanup;
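Review bot: Treating `VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT` the same as `VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO` means every guest with an unspecified backend gets the `/dev/vfio/*` rules even when the qemu driver later resolves DEFAULT to legacy KVM assignment; that is a deliberate over-grant made because the helper cannot see the driver's decision, and it should be stated at the check, e.g. `/* DEFAULT is resolved by the qemu driver at start-up and may become vfio; grant conservatively */`. Separately, the new `backend` local is declared in the middle of the block after the address formatting, and its declaration line looks long enough to exceed the project's 80-column limit — hoisting `backend` to the declarations at the top of `get_files` (where `needsVfio` is added in the first hunk) would match the surrounding style. The enclosing hostdev loop and `get_files` itself continue outside this hunk.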
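Review bot: `/dev/vfio/[0-9]* rw,` lets this guest's qemu open every IOMMU group on the host, not only the groups of the devices assigned to it, so a compromised qemu confined by the generated profile can reach other guests' or the host's passthrough-capable groups; the kernel's one-opener rule on group fds limits the damage, but the per-domain profile no longer expresses the per-guest isolation it exists to provide. The helper does know each device's PCI address (the previous hunk formats `dev->source.subsys.u.pci.addr`), and the group number is the basename of the `/sys/bus/pci/devices/<addr>/iommu_group` symlink, so a specific `/dev/vfio/<N>` rule can be emitted per device inside the hostdev loop and the wildcard kept only as a fallback when the symlink cannot be resolved; since the value is spliced into a policy file, it should be checked to be purely numeric before use. A sketch follows: `virBufferAsprintf` is the printf form of the buffer API `virBufferAddLit` belongs to, `domain`/`bus` are assumed to sit beside the `slot`/`function` fields visible in the hunk, and `vfioGroupUnknown` would be declared next to `needsVfio` in the first hunk. `get_files` and its cleanup path continue outside this hunk.
```c
/* Emit a rule for the IOMMU group holding the given PCI device; -1 if it cannot be resolved. */
static int
vah_add_vfio_group(virBufferPtr buf, unsigned int domain, unsigned int bus,
                   unsigned int slot, unsigned int function)
{
    char link[PATH_MAX];
    char target[PATH_MAX];
    ssize_t len;
    const char *group;
    const char *p;

    snprintf(link, sizeof(link),
             "/sys/bus/pci/devices/%04x:%02x:%02x.%x/iommu_group",
             domain, bus, slot, function);
    len = readlink(link, target, sizeof(target) - 1);
    if (len < 0)
        return -1;
    target[len] = '\0';

    /* the link points at .../iommu_groups/<N>; only <N> is wanted */
    group = strrchr(target, '/');
    group = group ? group + 1 : target;
    if (*group == '\0')
        return -1;
    /* never splice an unvalidated string into the profile */
    for (p = group; *p; p++)
        if (!isdigit((unsigned char)*p))
            return -1;

    virBufferAsprintf(buf, "  /dev/vfio/%s rw,\n", group);
    return 0;
}

/* … in the hostdev loop, where backend is examined … */
            if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
                backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
                needsVfio = true;
                /* per-device group rule; the wildcard is only for unresolved groups */
                if (vah_add_vfio_group(&buf, dev->source.subsys.u.pci.addr.domain,
                                       dev->source.subsys.u.pci.addr.bus,
                                       dev->source.subsys.u.pci.addr.slot,
                                       dev->source.subsys.u.pci.addr.function) < 0)
                    vfioGroupUnknown = true;
            }

/* … unchanged: rest of the loop … */
    if (needsVfio) {
        virBufferAddLit(&buf, "  /dev/vfio/vfio rw,\n");
        if (vfioGroupUnknown)
            virBufferAddLit(&buf, "  /dev/vfio/[0-9]* rw,\n");
    }
```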