virt-aa-helper: allow access to /dev/vhost-net if needed

Only allow the access if it is a KVM domain which has a NIC which wants non-userspace networking. This addresses https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/1322568 Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
2024-12-22 05:35:25 +00:00 · 2014-06-18 03:20:59 +00:00 · 2014-06-18 03:20:59 +00:00 · c7abe7448c
commit c7abe7448c
parent b73aafd6dd
1 changed files with 16 additions and 1 deletions
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -929,7 +929,7 @@ get_files(vahControl * ctl)
    size_t i;
    char *uuid;
    char uuidstr[VIR_UUID_STRING_BUFLEN];
-    bool needsVfio = false;
+    bool needsVfio = false, needsvhost = false;

    /* verify uuid is same as what we were given on the command line */
    virUUIDFormat(ctl->def->uuid, uuidstr);
@ -1105,6 +1105,21 @@ get_files(vahControl * ctl)
        }
    }

+    if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
+        for (i = 0; i < ctl->def->nnets; i++) {
+            virDomainNetDefPtr net = ctl->def->nets[i];
+            if (net && net->model) {
+                if (net->driver.virtio.name == VIR_DOMAIN_NET_BACKEND_TYPE_QEMU)
+                    continue;
+                if (STRNEQ(net->model, "virtio"))
+                    continue;
+            }
+            needsvhost = true;
+        }
+    }
+    if (needsvhost)
+        virBufferAddLit(&buf, "  /dev/vhost-net rw,\n");
+
    if (needsVfio) {
        virBufferAddLit(&buf, "  /dev/vfio/vfio rw,\n");
        virBufferAddLit(&buf, "  /dev/vfio/[0-9]* rw,\n");