External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-08-28 03:21:19 +00:00
Code Issues Packages Projects Releases Wiki Activity
34c1715ed1
libvirt/src/security
History
Eric Farman ebd004a03d security: do not remember/recall labels for VFIO MDEVs 
Commit dbf1f68410 ("security: do not remember/recall labels for VFIO")
rightly changed the DAC and SELinux labeling parameters to fix a problem
with "VFIO hostdevs" but really only addressed the PCI codepaths.
As a result, we can still encounter this with VFIO MDEVs such as
vfio-ccw and vfio-ap, which can fail on a hotplug:

  [test@host ~]# mdevctl stop -u 11f2d2bc-4083-431d-a023-eff72715c4f0
  [test@host ~]# mdevctl start -u 11f2d2bc-4083-431d-a023-eff72715c4f0
  [test@host ~]# cat disk.xml
    <hostdev mode='subsystem' type='mdev' model='vfio-ccw'>
      <source>
        <address uuid='11f2d2bc-4083-431d-a023-eff72715c4f0'/>
      </source>
      <address type='ccw' cssid='0xfe' ssid='0x0' devno='0x3c51'/>
    </hostdev>
  [test@host ~]# virsh attach-device guest ~/disk.xml
  error: Failed to attach device from /home/test/disk.xml
  error: Requested operation is not valid: Setting different SELinux label on /dev/vfio/3 which is already in use

Make the same changes as reported in commit dbf1f68410, for the mdev paths.

Reported-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Eric Farman <farman@linux.ibm.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2023-04-13 16:34:13 +02:00
..
apparmor apparmor: Enable passt support 2023-03-10 15:32:39 +01:00
meson.build meson: Always use the / operator to join paths 2021-08-11 09:16:36 +02:00
security_apparmor.c security: Update format strings in translated messages 2023-04-01 11:40:34 +02:00
security_apparmor.h src/security: use #pragma once in headers 2019-06-19 17:12:31 +02:00
security_dac.c security: do not remember/recall labels for VFIO MDEVs 2023-04-13 16:34:13 +02:00
security_dac.h lib: Drop internal virXXXPtr typedefs 2021-04-13 17:00:38 +02:00
security_driver.c security: Update format strings in translated messages 2023-04-01 11:40:34 +02:00
security_driver.h security: make it possible to set SELinux label of child process from its binary 2023-03-10 14:09:29 -05:00
security_manager.c security: Update format strings in translated messages 2023-04-01 11:40:34 +02:00
security_manager.h security: make it possible to set SELinux label of child process from its binary 2023-03-10 14:09:29 -05:00
security_nop.c security: make it possible to set SELinux label of child process from its binary 2023-03-10 14:09:29 -05:00
security_nop.h src/security: use #pragma once in headers 2019-06-19 17:12:31 +02:00
security_selinux.c security: do not remember/recall labels for VFIO MDEVs 2023-04-13 16:34:13 +02:00
security_selinux.h src/security: use #pragma once in headers 2019-06-19 17:12:31 +02:00
security_stack.c security: make it possible to set SELinux label of child process from its binary 2023-03-10 14:09:29 -05:00
security_stack.h lib: Drop internal virXXXPtr typedefs 2021-04-13 17:00:38 +02:00
security_util.c security: Update format strings in translated messages 2023-04-01 11:40:34 +02:00
security_util.h qemusecuritytest: Skip on non supported platforms 2020-11-06 09:14:53 +01:00
virt-aa-helper.c security: Update format strings in translated messages 2023-04-01 11:40:34 +02:00