author | Laine Stump <laine@laine.org> | 2013-04-25 06:37:21 -0400 |
---|---|---|
committer | Laine Stump <laine@laine.org> | 2013-04-25 21:28:43 -0400 |
commit | f0bd70a940de690216c538b0ab1b71c8a7d2fbb6 (patch) | |
tree | 31d92897ab6001f44822d34acef826282ea881a7 | |
parent | b210208f97a7af627570a656e0c334c2cf57b770 (diff) | |
security: update hostdev labelling functions for VFIO (v1.0.5-rc1)
Legacy kvm-style pci device assignment requires changes to the
labelling of several sysfs files for each device, but for vfio device
assignment, the only thing that needs to be relabelled/chowned is the
"group" device for the group that contains the device to be assigned.
-rw-r--r-- | src/security/security_apparmor.c | 12 | ||||
-rw-r--r-- | src/security/security_dac.c | 27 | ||||
-rw-r--r-- | src/security/security_selinux.c | 24 |
3 files changed, 57 insertions, 6 deletions
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 122edd4df1..0aff794a9a 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -831,7 +831,17 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ }
 virPCIDeviceFree(pci);
 break;
 }
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 8576081b2d..5e00112d10 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -516,8 +516,19 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
- params);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACSetSecurityPCILabel(pci, vfioGroupDev, params);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
+ params);
+ }
+
 virPCIDeviceFree(pci);
 break;
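Review bot: The VFIO branch's `if (!vfioGroupDev) goto done;` jumps past `virPCIDeviceFree(pci)`, so the device object that the `if (!pci) goto done;` guard just above shows was allocated for this call is leaked on that error path, whereas the legacy branch always fell through to the free. The same pattern is repeated in both security_dac.c hunks (set and restore) and both security_selinux.c hunks. Release it before leaving: `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`. Whether the `done:` label frees anything else is not visible here, since AppArmorSetSecurityHostdevLabel starts and ends outside the hunk.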
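Review bot: The backend dispatch (look up the VFIO group device, label it, otherwise iterate the sysfs files) is now copied verbatim into five call sites that differ only in the callback and its opaque argument, which means any later correction to the VFIO path has to be applied in five places. A small helper taking the backend type, the PCI device, the callback and the opaque pointer, or a variant of virPCIDeviceFileIterate that accepts the backend, would keep the labelling policy in one spot; the callback signatures visible here look compatible with that, but the full prototypes are outside the hunk. Separately, this hunk adds a blank line before `virPCIDeviceFree(pci);` that none of the other four sites have, so either drop it or add it everywhere for consistency.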
@@ -596,7 +607,17 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ }
 virPCIDeviceFree(pci);
 break;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a8b74eebcc..a5b54cb821 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1342,7 +1342,17 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ }
 virPCIDeviceFree(pci);
 break;
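Review bot: The `ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);` call is moved one indentation level deeper into the new `else` block, which pushes an already long line further past the project's 80-column limit; the security_dac.c set hunk wraps its trailing argument onto a continuation line, and this hunk and the two security_selinux.c hunks should do the same. Wrap as `ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel,` / `mgr);` with the argument aligned under `pci`. The exact column cannot be confirmed from the collapsed rendering here, so treat this as a request to re-check with the tree's syntax-check target.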
@@ -1504,7 +1514,17 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
 if (!pci)
 goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ }
 virPCIDeviceFree(pci);
 break; |