Re: [PATCH] security: aa-helper: fix static defined vfio MDEVs

On Thu, Nov 22, 2018 at 11:27:36AM +0100, Christian Ehrhardt wrote:
> For vfio MDEVs we need to allow qemu the vfio access in apparmor.

How about:
"Apparmor needs to be able to grant QEMU access to VFIO MDEV devices."

>
> This is extending the older fix 74e86b6b: "Fix apparmor profile

This extends commit 74e86b6b which only covered PCI hostdevs for VFIO-PCI
assignment.

> to make vfio pci passthrough work" which was for VFIO PCI
> passthrough on static hostdevs to now also cover vfio MDEVs.
> It is having the same limitations of the lifecycle at that time

It still has the same limitations regarding the device lifecycle, IOW we're
unable to predict the actual VFIO device being created, thus we need wildcards.

> being unable to detect the actual vfio device and therefore
> adds a wildcards.
>
> Please also note that hotplug - which can detect the right
> device at runtime - is covered by labeling callbacks in
> 606afafb: "security: Enable labeling of vfio mediated devices"

Also note that the hotplug case, where apparmor is able to detect the actual
VFIO device during runtime, is already covered by commit 606afafb.

>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx>
> ---

Apart from the tiny typographical nitpicks I had - you don't even need to agree
to them as I'm not a native speaker myself - I don't see a functional problem
with the patch from libvirt's perspective, so:

Reviewed-by: Erik Skultety <eskultet@xxxxxxxxxx>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
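The review above turns on one point: a profile generated before the guest starts cannot know which /dev/vfio/<group> node the MDEV will get, so the static rule has to be a wildcard, while the hotplug path can label the exact node. The following is an added example, not libvirt's or virt-aa-helper's own code: a small AppArmor glob matcher that shows what each kind of rule actually grants. The two profile fragments are constructed approximations (the static /dev/vfio/[0-9]* rw, rule is assumed to mirror what virt-aa-helper emits; the per-device /dev/vfio/12 rule stands in for a hotplug label and the group number 12 is made up).

```python
import re

# Added example (not libvirt code): translate the subset of AppArmor file-rule
# glob syntax we need into a regular expression.
#   **     any characters, including '/'
#   *      any characters except '/'
#   ?      exactly one character except '/'
#   [...]  a character class, passed through unchanged
def apparmor_glob_to_regex(pattern: str) -> re.Pattern:
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":
            j = pattern.find("]", i)
            if j == -1:
                out.append(re.escape(c))   # unterminated class: treat literally
            else:
                out.append(pattern[i:j + 1])
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_rules(profile_text: str):
    """Parse '<path> <perms>,' file rules; comments and blank lines are skipped."""
    rules = []
    for line in profile_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or not line.endswith(","):
            continue
        path, perms = line[:-1].rsplit(None, 1)
        rules.append((apparmor_glob_to_regex(path), set(perms)))
    return rules


def allowed(rules, path: str, perm: str) -> bool:
    """True if any rule matches the path and carries the requested permission."""
    return any(rx.match(path) and perm in perms for rx, perms in rules)


# Constructed: the static rules a pre-start profile has to use, because the
# VFIO group number is not known when the profile is generated.
STATIC_PROFILE = """
/dev/vfio/vfio rw,
/dev/vfio/[0-9]* rw,
"""

# Constructed: what a per-device label applied at hotplug time looks like,
# once the actual group node (12 here, a made-up number) is known.
HOTPLUG_PROFILE = """
/dev/vfio/vfio rw,
/dev/vfio/12 rw,
"""


def groups_reachable(profile_text: str, candidate_groups):
    """Return the VFIO group numbers the profile lets QEMU open for writing."""
    rules = parse_rules(profile_text)
    return sorted(g for g in candidate_groups
                  if allowed(rules, f"/dev/vfio/{g}", "w"))


if __name__ == "__main__":
    groups = [3, 12, 47]
    print("static wildcard grants:", groups_reachable(STATIC_PROFILE, groups))
    print("hotplug label grants:  ", groups_reachable(HOTPLUG_PROFILE, groups))
```

Running it shows the trade-off the thread describes: the static wildcard lets the guest's QEMU open every VFIO group node on the host, not only the one backing its MDEV, whereas the runtime label grants exactly one node. That is the "same limitations of the lifecycle" being accepted here, and why the hotplug path is the tighter of the two.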