add security hook for permitting hugetlbfs access

When a qemu domain is backed by huge pages, apparmor needs to grant the domain rw access to files under the hugetlbfs mount point. Add a hook, called in qemu_process.c, which ends up adding the read-write access through virt-aa-helper. Qemu will be creating a randomly named file under the mountpoint and unlinking it as soon as it has mmap()d it, therefore we cannot predict the full pathname, but for the same reason it is generally safe to provide access to $path/**. Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2025-01-22 04:25:18 +00:00 · 2012-12-11 20:20:29 +00:00 · 2012-12-11 20:20:29 +00:00 · 88bd1a644b
commit 88bd1a644b
parent cdf1a372c6
7 changed files with 49 additions and 0 deletions
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@ -1074,6 +1074,7 @@ virSecurityManagerSetTapFDLabel;
 virSecurityManagerStackAddNested;
 virSecurityManagerVerify;
 virSecurityManagerGetMountOptions;
+virSecurityManagerSetHugepages;

 # sexpr.h
 sexpr_append;
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@ -3482,6 +3482,15 @@ int qemuProcessStart(virConnectPtr conn,
    }
    virDomainAuditSecurityLabel(vm, true);

+    if (driver->hugepage_path && vm->def->mem.hugepage_backed) {
+        if (virSecurityManagerSetHugepages(driver->securityManager,
+                    vm->def, driver->hugepage_path) < 0) {
+            virReportError(VIR_ERR_INTERNAL_ERROR,
+                    "%s", _("Unable to set huge path in security driver"));
+            goto cleanup;
+        }
+    }
+
    /* Ensure no historical cgroup for this VM is lying around bogus
     * settings */
    VIR_DEBUG("Ensuring no historical cgroup is lying around");
--- a/src/security/security_driver.h
+++ b/src/security/security_driver.h
@ -100,6 +100,9 @@ typedef int (*virSecurityDomainSetTapFDLabel) (virSecurityManagerPtr mgr,
                                               int fd);
 typedef char *(*virSecurityDomainGetMountOptions) (virSecurityManagerPtr mgr,
                                                         virDomainDefPtr def);
+typedef int (*virSecurityDomainSetHugepages) (virSecurityManagerPtr mgr,
+                                                         virDomainDefPtr def,
+                                                         const char *path);

 struct _virSecurityDriver {
    size_t privateDataLen;
@ -140,6 +143,7 @@ struct _virSecurityDriver {
    virSecurityDomainSetTapFDLabel domainSetSecurityTapFDLabel;

    virSecurityDomainGetMountOptions domainGetSecurityMountOptions;
+    virSecurityDomainSetHugepages domainSetSecurityHugepages;
 };

 virSecurityDriverPtr virSecurityDriverLookup(const char *name,
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@ -508,3 +508,13 @@ virSecurityManagerGetNested(virSecurityManagerPtr mgr)
    list[1] = NULL;
    return list;
 }
+
+int virSecurityManagerSetHugepages(virSecurityManagerPtr mgr,
+                                    virDomainDefPtr vm,
+                                    const char *path)
+{
+    if (mgr->drv->domainSetSecurityHugepages)
+        return mgr->drv->domainSetSecurityHugepages(mgr, vm, path);
+
+    return 0;
+}
--- a/src/security/security_manager.h
+++ b/src/security/security_manager.h
@ -112,5 +112,8 @@ char *virSecurityManagerGetMountOptions(virSecurityManagerPtr mgr,
                                              virDomainDefPtr vm);
 virSecurityManagerPtr*
 virSecurityManagerGetNested(virSecurityManagerPtr mgr);
+int virSecurityManagerSetHugepages(virSecurityManagerPtr mgr,
+                                  virDomainDefPtr sec,
+                                  const char *hugepages_path);

 #endif /* VIR_SECURITY_MANAGER_H__ */
--- a/src/security/security_stack.c
+++ b/src/security/security_stack.c
@ -462,6 +462,23 @@ virSecurityStackSetTapFDLabel(virSecurityManagerPtr mgr,
    return rc;
 }

+static int
+virSecurityStackSetHugepages(virSecurityManagerPtr mgr,
+                              virDomainDefPtr vm,
+                              const char *path)
+{
+    virSecurityStackDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityStackItemPtr item = priv->itemsHead;
+    int rc = 0;
+
+    for (; item; item = item->next) {
+        if (virSecurityManagerSetHugepages(item->securityManager, vm, path) < 0)
+            rc = -1;
+    }
+
+    return rc;
+}
+
 static char *virSecurityStackGetMountOptions(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
                                             virDomainDefPtr vm ATTRIBUTE_UNUSED) {
    return NULL;
@ -529,4 +546,6 @@ virSecurityDriver virSecurityDriverStack = {
    .domainSetSecurityTapFDLabel        = virSecurityStackSetTapFDLabel,

    .domainGetSecurityMountOptions      = virSecurityStackGetMountOptions,
+
+    .domainSetSecurityHugepages         = virSecurityStackSetHugepages,
 };
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@ -316,6 +316,9 @@ testme "0" "initrd is /initrd.img" "-r -u $valid_uuid" "$test_xml"
 sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e "s,<graphics*,<graphics type='sdl' display=':0.0' xauth='/home/myself/.Xauthority'/>,g" "$template_xml" > "$test_xml"
 testme "0" "sdl Xauthority" "-r -u $valid_uuid" "$test_xml"

+sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" "$template_xml" > "$test_xml"
+testme "0" "hugepages" "-r -u $valid_uuid -F /run/hugepages/kvm/\*\*" "$test_xml"
+
 testme "0" "help" "-h"

 echo "" >$output