mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 06:05:27 +00:00
qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
SEV has a limit on number of concurrent guests. From security POV we should only expose resources (any resources for that matter) to domains that truly need them. Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
b644011918
commit
a404ac3476
@ -691,6 +691,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm,
|
||||
}
|
||||
|
||||
|
||||
static int
|
||||
qemuSetupSEVCgroup(virDomainObjPtr vm)
|
||||
{
|
||||
qemuDomainObjPrivatePtr priv = vm->privateData;
|
||||
int ret;
|
||||
|
||||
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
||||
return 0;
|
||||
|
||||
ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
|
||||
VIR_CGROUP_DEVICE_RW, false);
|
||||
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
|
||||
"rw", ret);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
qemuSetupDevicesCgroup(virDomainObjPtr vm)
|
||||
{
|
||||
@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
|
||||
goto cleanup;
|
||||
|
||||
ret = 0;
|
||||
cleanup:
|
||||
virObjectUnref(cfg);
|
||||
|
Loading…
Reference in New Issue
Block a user