security: update hostdev labelling functions for VFIO
Legacy kvm style pci device assignment requires changes to the labelling of several sysfs files for each device, but for vfio device assignment, the only thing that needs to be relabelled/chowned is the "group" device for the group that contains the device to be assigned.
parent
b210208f97
commit
f0bd70a940
@ -831,7 +831,17 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
|
|||||||
if (!pci)
|
if (!pci)
|
||||||
goto done;
|
goto done;
|
||||||
|
|
||||||
ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
|
if (dev->source.subsys.u.pci.backend
|
||||||
|
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
|
||||||
|
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
|
||||||
|
|
||||||
|
if (!vfioGroupDev)
|
||||||
|
goto done;
|
||||||
|
ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
|
||||||
|
VIR_FREE(vfioGroupDev);
|
||||||
|
} else {
|
||||||
|
ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
|
||||||
|
}
|
||||||
virPCIDeviceFree(pci);
|
virPCIDeviceFree(pci);
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
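Review bot: The new `if (!vfioGroupDev) goto done;` in the VFIO branch leaves the switch case before `virPCIDeviceFree(pci)` runs, so a failed virPCIDeviceGetVFIOGroupDev() appears to leak `pci`. The `done` label is outside the hunk, but the existing `if (!pci) goto done;` suggests it does not free the device. Releasing it on that path would close the leak: `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`. The same pattern is repeated in both virSecurityDAC hunks and both virSecuritySELinux hunks. The enclosing function starts and ends outside the hunk.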
@ -516,8 +516,19 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
|
|||||||
if (!pci)
|
if (!pci)
|
||||||
goto done;
|
goto done;
|
||||||
|
|
||||||
ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
|
if (dev->source.subsys.u.pci.backend
|
||||||
params);
|
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
|
||||||
|
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
|
||||||
|
|
||||||
|
if (!vfioGroupDev)
|
||||||
|
goto done;
|
||||||
|
ret = virSecurityDACSetSecurityPCILabel(pci, vfioGroupDev, params);
|
||||||
|
VIR_FREE(vfioGroupDev);
|
||||||
|
} else {
|
||||||
|
ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
|
||||||
|
params);
|
||||||
|
}
|
||||||
|
|
||||||
virPCIDeviceFree(pci);
|
virPCIDeviceFree(pci);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
@ -596,7 +607,17 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
|
|||||||
if (!pci)
|
if (!pci)
|
||||||
goto done;
|
goto done;
|
||||||
|
|
||||||
ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
|
if (dev->source.subsys.u.pci.backend
|
||||||
|
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
|
||||||
|
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
|
||||||
|
|
||||||
|
if (!vfioGroupDev)
|
||||||
|
goto done;
|
||||||
|
ret = virSecurityDACRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
|
||||||
|
VIR_FREE(vfioGroupDev);
|
||||||
|
} else {
|
||||||
|
ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
|
||||||
|
}
|
||||||
virPCIDeviceFree(pci);
|
virPCIDeviceFree(pci);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
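Review bot: In virSecurityDACRestoreSecurityHostdevLabel the VFIO branch resets ownership of the group device unconditionally, although that node belongs to the whole IOMMU group rather than to the single hostdev being restored. If another device from the same group can still be assigned to the domain at that point (not visible from this hunk), the restore would change the node's ownership while it is still in use. It is worth confirming that callers only reach this once the last device of the group is released, and recording that in the branch, e.g. `/* group device is shared by every device in the IOMMU group; restore only when none remains assigned */`. The SELinux restore hunk has the same shape, and the function body continues outside the hunk.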
@ -1342,7 +1342,17 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
|
|||||||
if (!pci)
|
if (!pci)
|
||||||
goto done;
|
goto done;
|
||||||
|
|
||||||
ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
|
if (dev->source.subsys.u.pci.backend
|
||||||
|
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
|
||||||
|
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
|
||||||
|
|
||||||
|
if (!vfioGroupDev)
|
||||||
|
goto done;
|
||||||
|
ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
|
||||||
|
VIR_FREE(vfioGroupDev);
|
||||||
|
} else {
|
||||||
|
ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
|
||||||
|
}
|
||||||
virPCIDeviceFree(pci);
|
virPCIDeviceFree(pci);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
@ -1504,7 +1514,17 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
|
|||||||
if (!pci)
|
if (!pci)
|
||||||
goto done;
|
goto done;
|
||||||
|
|
||||||
ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
|
if (dev->source.subsys.u.pci.backend
|
||||||
|
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
|
||||||
|
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
|
||||||
|
|
||||||
|
if (!vfioGroupDev)
|
||||||
|
goto done;
|
||||||
|
ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
|
||||||
|
VIR_FREE(vfioGroupDev);
|
||||||
|
} else {
|
||||||
|
ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
|
||||||
|
}
|
||||||
virPCIDeviceFree(pci);
|
virPCIDeviceFree(pci);
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
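Review bot: The VFIO branch in virSecuritySELinuxSetSecurityHostdevSubsysLabel has no comment saying why the per-device sysfs files are skipped, so the reasoning that decides which host files get the guest's label lives only in the commit message. A short comment above the `if` would keep it next to the code, e.g. `/* VFIO: only the group device needs relabelling; legacy KVM assignment labels the device's sysfs files instead */`. The same comment would fit the matching branch in the restore hunk and in the DAC and AppArmor hunks.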