diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 122edd4df1..0aff794a9a 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -831,7 +831,17 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ }
 virPCIDeviceFree(pci);
 break;
 }
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 8576081b2d..5e00112d10 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -516,8 +516,19 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
- params);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACSetSecurityPCILabel(pci, vfioGroupDev, params);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
+ params);
+ }
+
 virPCIDeviceFree(pci);
 break;
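Review bot: In the new VFIO branch of AppArmorSetSecurityHostdevLabel, `if (!vfioGroupDev) goto done;` jumps past the `virPCIDeviceFree(pci);` that follows the if/else, so a failed virPCIDeviceGetVFIOGroupDev() appears to leak the pci object. The `done` label is outside the hunk, but pci looks scoped to this case block (the closing `}` after `break;`), so the label presumably cannot free it. Release it before leaving, e.g. `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`. The same pattern is repeated in the other four hunks: virSecurityDACSetSecurityHostdevLabel, virSecurityDACRestoreSecurityHostdevLabel, and the SELinux Set and Restore HostdevSubsysLabel functions.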
@@ -596,7 +607,17 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ }
 virPCIDeviceFree(pci);
 break;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a8b74eebcc..a5b54cb821 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1342,7 +1342,17 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ }
 virPCIDeviceFree(pci);
 break;
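Review bot: The VFIO branch in virSecurityDACRestoreSecurityHostdevLabel restores the label on the group device unconditionally, although a VFIO group node can be shared by every PCI device in the same IOMMU group. If a domain has two devices from one group assigned, restoring the label when one of them is detached would presumably revoke the domain's access to the group node while the other device is still in use; nothing in the hunk checks for that. Either skip the restore while another hostdev of the same group remains assigned, or at least record the assumption with a comment such as `/* NB: group device may still be used by another hostdev of this domain */`. The same applies to the virSecuritySELinuxRestoreSecurityHostdevSubsysLabel hunk; both function bodies continue outside the hunks.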
@@ -1504,7 +1514,17 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ }
 virPCIDeviceFree(pci);
 break;