Quoting Cédric Bosdonnat (cbosdonnat@xxxxxxxx):

> See lp#1276719 for the bug description. As virt-aa-helper doesn't know

Great, thanks for addressing this.

> the VFIO groups to use for the guest,

Is there really no way for it to know that (based on xml)? If not then I
guess this is the way to go - though even in that case could we at least
have virt-aa-helper allow access to all vfio* only when vfio pci is
required?

> allow access to all
> /dev/vfio/[0-9]* and /dev/vfio/vfio files.
> ---

(Note - there is no signed-off-by on these patches)

> examples/apparmor/libvirt-qemu | 5 +++++
> examples/apparmor/usr.sbin.libvirtd | 3 +++
> 2 files changed, 8 insertions(+)
>
> diff --git a/examples/apparmor/libvirt-qemu b/examples/apparmor/libvirt-qemu
> index e1980b7..c3dfa57 100644
> --- a/examples/apparmor/libvirt-qemu
> +++ b/examples/apparmor/libvirt-qemu
> @@ -110,6 +110,7 @@
> /usr/bin/qemu-sparc32plus rmix,
> /usr/bin/qemu-sparc64 rmix,
> /usr/bin/qemu-x86_64 rmix,
> + /usr/lib/qemu/block-curl.so mr,
>
> # for save and resume
> /bin/dash rmix,
> @@ -122,6 +123,10 @@
> /sys/bus/ r,
> /sys/class/ r,
>
> + # for vfio access
> + /dev/vfio/vfio rw,
> + /dev/vfio/[0-9]* rw,
> +
> /usr/{lib,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
> # child profile for bridge helper process
> profile qemu_bridge_helper {
> diff --git a/examples/apparmor/usr.sbin.libvirtd b/examples/apparmor/usr.sbin.libvirtd
> index fd6def1..3011eff 100644
> --- a/examples/apparmor/usr.sbin.libvirtd
> +++ b/examples/apparmor/usr.sbin.libvirtd
> @@ -25,6 +25,9 @@
> capability fsetid,
> capability audit_write,
>
> + # Needed for vfio
> + capability sys_resource,
> +
> network inet stream,
> network inet dgram,
> network inet6 stream,
> --
> 1.9.0
>
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
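Review bot: the first libvirt-qemu hunk (`+ /usr/lib/qemu/block-curl.so mr,`) is unrelated to the VFIO change the commit message describes and should be split into its own patch with its own justification. It also hardcodes `/usr/lib/qemu/` while the same profile uses `/usr/{lib,libexec}/qemu-bridge-helper` a few lines further down, so a `/usr/{lib,libexec}/qemu/block-curl.so mr,` rule would keep the profile consistent across distributions that install QEMU modules under libexec.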
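Review bot: the second libvirt-qemu hunk grants every guest `rw` on `/dev/vfio/[0-9]*`, that is on every VFIO group on the host, which removes the per-guest device isolation the generated profile otherwise enforces: a guest's QEMU process is no longer confined to the groups of the devices assigned to it. Since virt-aa-helper already derives the per-domain profile from the domain XML, the hostdev entries there identify the assigned devices, so the preferable fix is to emit the specific `/dev/vfio/<group>` rules per domain; failing that, add the wildcard only for domains that actually have a VFIO hostdev, as the reply asks. The `/dev/vfio/vfio rw,` container rule is needed regardless of group and is fine as is.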
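Review bot: the usr.sbin.libvirtd hunk adds `capability sys_resource,` with only `# Needed for vfio` as explanation. CAP_SYS_RESOURCE is a broad capability (it covers raising resource limits, among other things), so the comment and the commit message should name the specific operation libvirtd performs for VFIO devices that fails without it; that lets the rule be audited against the denial it fixes and revisited if that operation later moves or gains a narrower mechanism.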