From f0bd70a940de690216c538b0ab1b71c8a7d2fbb6 Mon Sep 17 00:00:00 2001
From: Laine Stump
Date: Thu, 25 Apr 2013 06:37:21 -0400
Subject: [PATCH] security: update hostdev labelling functions for VFIO

Legacy kvm style pci device assignment requires changes to the labelling of several sysfs files for each device, but for vfio device assignment, the only thing that needs to be relabelled/chowned is the "group" device for the group that contains the device to be assigned.
---
 src/security/security_apparmor.c | 12 +++++++++++-
 src/security/security_dac.c | 27 ++++++++++++++++++++++++---
 src/security/security_selinux.c | 24 ++++++++++++++++++++++--
 3 files changed, 57 insertions(+), 6 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 122edd4df1..0aff794a9a 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -831,7 +831,17 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci) goto done;
- ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev) goto done;
+ ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ }
 virPCIDeviceFree(pci);
 break;
 }
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 8576081b2d..5e00112d10 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
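Review bot: The added `if (!vfioGroupDev) goto done;` in the VFIO branch jumps over the `virPCIDeviceFree(pci);` context line below it, so the virPCIDevice obtained just above the hunk leaks on that error path, whereas the legacy branch always fell through to the free. Unless the `done:` label (outside the hunk) releases `pci`, which the inline free in this case body suggests it does not, the guard should be `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`. A one-line comment would also help the next reader, since the asymmetry with the sysfs-iterating legacy path is not obvious: `/* VFIO: only the group device node needs labelling, and it is shared by every device in the IOMMU group */`. AppArmorSetSecurityHostdevLabel begins and ends outside the hunk.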
@@ -516,8 +516,19 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci) goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
- params);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev) goto done;
+ ret = virSecurityDACSetSecurityPCILabel(pci, vfioGroupDev, params);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
+ params);
+ }
+
 virPCIDeviceFree(pci);
 break;
@@ -596,7 +607,17 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci) goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev) goto done;
+ ret = virSecurityDACRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ }
 virPCIDeviceFree(pci);
 break;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a8b74eebcc..a5b54cb821 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1342,7 +1342,17 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
 if (!pci) goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev) goto done;
+ ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ }
 virPCIDeviceFree(pci);
 break;
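Review bot: In virSecurityDACSetSecurityHostdevLabel the new `if (!vfioGroupDev) goto done;` skips the `virPCIDeviceFree(pci);` that the hunk keeps as context, so the device object allocated before the hunk is leaked whenever the group device path cannot be resolved; the pre-existing legacy branch has no such gap. Fix it with `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`, assuming the `done:` label outside the hunk does not free `pci` itself (the inline free here implies it does not). The chown performed through virSecurityDACSetSecurityPCILabel now targets a node shared by every device in the IOMMU group rather than a per-device sysfs file, which is worth stating in a comment such as `/* VFIO: chown only the group device node, shared by all devices in the IOMMU group */`. The enclosing function starts and ends outside the hunk.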
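Review bot: The VFIO branch added to virSecurityDACRestoreSecurityHostdevLabel restores ownership of the group device node unconditionally, but that node is shared by every device in the IOMMU group, so if the caller detaches one device while another from the same group is still assigned to a running domain, this chown revokes the node from that domain; the hunk gives no sign that the caller guarantees the group is no longer referenced, so either that contract should be documented above the branch, e.g. `/* caller must ensure no other active domain still uses a device from this IOMMU group */`, or the restore should be skipped while the group is in use. Separately, `if (!vfioGroupDev) goto done;` bypasses the `virPCIDeviceFree(pci);` context line and leaks the device object; use `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }` unless `done:` (outside the hunk) frees it. The enclosing function starts and ends outside the hunk.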
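Review bot: In virSecuritySELinuxSetSecurityHostdevSubsysLabel the added `if (!vfioGroupDev) goto done;` leaves `pci` unfreed, because `virPCIDeviceFree(pci);` is only reached by falling through the if/else; the legacy virPCIDeviceFileIterate path never had this leak. Replace the guard with `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`, on the assumption that the `done:` label outside the hunk does not own `pci` (the inline free in this case body indicates it does not). It is also unclear from the hunk whether virPCIDeviceGetVFIOGroupDev reports an error before returning NULL; if it does not, this silent `goto done` leaves the caller with a failed relabel and no message, so a short comment on which side reports would help. The enclosing function starts and ends outside the hunk.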
@@ -1504,7 +1514,17 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
 if (!pci) goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev) goto done;
+ ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ }
 virPCIDeviceFree(pci);
 break;