qemu: cgroup: Expose /dev/sev/ only to domains that require SEV

SEV has a limit on number of concurrent guests. From security POV we
should only expose resources (any resources for that matter) to domains
that truly need them.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Erik Skultety 2019-01-21 14:50:11 +01:00
parent b644011918
commit a404ac3476

View File

@ -691,6 +691,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm,
}
static int
qemuSetupSEVCgroup(virDomainObjPtr vm)
{
qemuDomainObjPrivatePtr priv = vm->privateData;
int ret;
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0;
ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
"rw", ret);
return ret;
}
static int
qemuSetupDevicesCgroup(virDomainObjPtr vm)
{
@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
goto cleanup;
}
if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
goto cleanup;
ret = 0;
cleanup:
virObjectUnref(cfg);