On Thu, Nov 22, 2018 at 11:27:36AM +0100, Christian Ehrhardt wrote: > For vfio MDEVs we need to allow qemu the vfio access in apparmor. How about: "Apparmor needs to be able to grant QEMU access to VFIO MDEV devices." > > This is extending the older fix 74e86b6b: "Fix apparmor profile This extends commit 74e86b6b which only covered PCI hostdevs for VFIO-PCI assignment. > to make vfio pci passthrough work" which was for VFIO PCI > passthrough on static hostdevs to now also cover vfio MDEVs. > It is having the same limitations of the lifecycle at that time It has still the same limitations regarding the device lifecycle, IOW we're unable to predict the actual VFIO device being created, thus we need wildcards. > being unable to detect the actual vfio device and therefore > adds a wildcars. > > Please also note that hotplug - which in can detect the right > device at runtime - is covered by labeling callbacks in > 606afafb: "security: Enable labeling of vfio mediated devices" Also note that the hotplug case, where apparmor is able to detect the actual VFIO device during runtime, is already covered by commit 606afafb. > > Signed-off-by: Christian Ehrhardt <christian.ehrhardt@xxxxxxxxxxxxx> > --- Apart from the tiny typographical nit pick I had - you don't even need to agree to them as I'm not a native speaker myself - I don't see a functional problem with the patch from libvirt's perspective, so: Reviewed-by: Erik Skultety <eskultet@xxxxxxxxxx> -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list