mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-03 03:25:20 +00:00
security: do not remember/recall labels for VFIO MDEVs
Commit dbf1f68410 ("security: do not remember/recall labels for VFIO") rightly changed the DAC and SELinux labeling parameters to fix a problem with "VFIO hostdevs" but really only addressed the PCI codepaths. As a result, we can still encounter this with VFIO MDEVs such as vfio-ccw and vfio-ap, which can fail on a hotplug: [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0 [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-eff72715c4f0 [test@host ~]# cat disk.xml <hostdev mode='subsystem' type='mdev' model='vfio-ccw'> <source> <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/> </source> <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/> </hostdev> [test@host ~]# virsh attach-device guest ~/disk.xml error: Failed to attach device from /home/test/disk.xml error: Requested operation is not valid: Setting different SELinux label on /dev/vfio/3 which is already in use Make the same changes as reported in commit dbf1f68410, for the mdev paths. Reported-by: Matthew Rosato <mjrosato@linux.ibm.com> Signed-off-by: Eric Farman <farman@linux.ibm.com> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
parent
4497c1ac40
commit
ebd004a03d
@ -1309,7 +1309,7 @@ virSecurityDACSetHostdevLabel(virSecurityManager *mgr,
|
||||
if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
|
||||
return -1;
|
||||
|
||||
ret = virSecurityDACSetHostdevLabelHelper(vfiodev, true, &cbdata);
|
||||
ret = virSecurityDACSetHostdevLabelHelper(vfiodev, false, &cbdata);
|
||||
break;
|
||||
}
|
||||
|
||||
@ -1465,7 +1465,7 @@ virSecurityDACRestoreHostdevLabel(virSecurityManager *mgr,
|
||||
if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
|
||||
return -1;
|
||||
|
||||
ret = virSecurityDACRestoreFileLabel(mgr, vfiodev);
|
||||
ret = virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfiodev, false);
|
||||
break;
|
||||
}
|
||||
|
||||
|
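Review bot: The bare `false` arguments on the new side are undocumented at both DAC call sites, `virSecurityDACSetHostdevLabelHelper(vfiodev, false, &cbdata)` and `virSecurityDACRestoreFileLabelInternal(mgr, NULL, vfiodev, false)`, so a later reader cannot tell that label remembering is switched off deliberately for the mdev group node. I would add a comment above each call, for example `/* no label remember/recall for VFIO mdev nodes, same as the PCI path (dbf1f68410) */`, so the flag is not flipped back during a cleanup. The same applies to the `false` arguments in the two SELinux hunks further down. Both functions start and end outside the hunks shown.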
@ -2261,7 +2261,7 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManager *mgr,
|
||||
if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
|
||||
return ret;
|
||||
|
||||
ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, true, &data);
|
||||
ret = virSecuritySELinuxSetHostdevLabelHelper(vfiodev, false, &data);
|
||||
break;
|
||||
}
|
||||
|
||||
@ -2489,7 +2489,7 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManager *mgr,
|
||||
if (!(vfiodev = virMediatedDeviceGetIOMMUGroupDev(mdevsrc->uuidstr)))
|
||||
return -1;
|
||||
|
||||
ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, true);
|
||||
ret = virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false);
|
||||
break;
|
||||
}
|
||||
|
||||
|
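Review bot: With recall switched off in `virSecuritySELinuxRestoreFileLabel(mgr, vfiodev, false)`, the restore path can no longer put back the context the node had before the attach, and neither the hunk nor the commit description says what the node gets instead. The helper body is not visible here; presumably it falls back to the policy default context, which would drop a context an administrator had set by hand on the `/dev/vfio/N` node. I would state that in the function comment, e.g. `/* recall disabled: the node is reset to its default context, not the pre-attach one */`, and confirm that restore on detach cannot run while another hostdev still holds the same group node. The DAC restore hunk above raises the same question for file ownership. The function body continues outside the hunk.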