qemu: cgroup: Expose /dev/sev/ only to domains that require SEV

SEV has a limit on number of concurrent guests. From security POV we should only expose resources (any resources for that matter) to domains that truly need them. Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2024-07-30 13:37:17 +00:00 · 2019-01-21 14:50:11 +01:00 · 2019-01-21 14:50:11 +01:00 · a404ac3476
commit a404ac3476
parent b644011918
1 changed files with 19 additions and 0 deletions
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@ -691,6 +691,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm,
 }


+static int
+qemuSetupSEVCgroup(virDomainObjPtr vm)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret;
+
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
+                                   VIR_CGROUP_DEVICE_RW, false);
+    virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
+                             "rw", ret);
+    return ret;
+}
+
 static int
 qemuSetupDevicesCgroup(virDomainObjPtr vm)
 {
@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
            goto cleanup;
    }

+    if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
+        goto cleanup;
+
    ret = 0;
 cleanup:
    virObjectUnref(cfg);