security: update hostdev labelling functions for VFIO

Legacy KVM-style PCI device assignment requires changes to the
labelling of several sysfs files for each device, but for VFIO device
assignment, the only thing that needs to be relabelled/chowned is the
"group" device for the group that contains the device to be assigned.
Laine Stump 2013-04-25 06:37:21 -04:00
parent b210208f97
commit f0bd70a940
3 changed files with 57 additions and 6 deletions


@ -831,7 +831,17 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
if (dev->source.subsys.u.pci.backend
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
if (!vfioGroupDev)
goto done;
ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
VIR_FREE(vfioGroupDev);
} else {
ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
}
virPCIDeviceFree(pci);
break;
}
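Review bot: The added `if (!vfioGroupDev) goto done;` in AppArmorSetSecurityHostdevLabel jumps past `virPCIDeviceFree(pci)`, so the PCI device object obtained just above appears to leak whenever virPCIDeviceGetVFIOGroupDev() fails, unless the `done:` label (outside this hunk) frees it. The same pattern is added in virSecurityDACSetSecurityHostdevLabel, virSecurityDACRestoreSecurityHostdevLabel and both SELinux hostdev functions. Freeing before the jump closes it in each place: `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`.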


@ -516,8 +516,19 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
if (dev->source.subsys.u.pci.backend
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
if (!vfioGroupDev)
goto done;
ret = virSecurityDACSetSecurityPCILabel(pci, vfioGroupDev, params);
VIR_FREE(vfioGroupDev);
} else {
ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
params);
}
virPCIDeviceFree(pci);
break;
@ -596,7 +607,17 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
if (dev->source.subsys.u.pci.backend
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
if (!vfioGroupDev)
goto done;
ret = virSecurityDACRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
VIR_FREE(vfioGroupDev);
} else {
ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
}
virPCIDeviceFree(pci);
break;
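Review bot: In virSecurityDACRestoreSecurityHostdevLabel the VFIO branch resets ownership of the group device, which is shared by every device in that group, not only the one being released. If another device from the same group is still assigned to the running guest, restoring here would take access away from it; this is inferred, since the callers are outside the hunk. The SELinux restore hunk has the same shape. A comment above the VFIO branch should state the assumption, e.g. `/* group device is shared: only restore once no other device of this group remains assigned */`, or the restore should be skipped while the group is still in use.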


@ -1342,7 +1342,17 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
if (!pci)
goto done;
if (dev->source.subsys.u.pci.backend
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
if (!vfioGroupDev)
goto done;
ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
VIR_FREE(vfioGroupDev);
} else {
ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
}
virPCIDeviceFree(pci);
break;
@ -1504,7 +1514,17 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
if (dev->source.subsys.u.pci.backend
== VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
if (!vfioGroupDev)
goto done;
ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
VIR_FREE(vfioGroupDev);
} else {
ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
}
virPCIDeviceFree(pci);
break;