git.ipfire.org Git - thirdparty/libvirt.git/commit

author	Daniel Henrique Barboza <danielhb413@gmail.com>
	Mon, 27 Jan 2020 18:23:21 +0000 (15:23 -0300)
committer	Michal Privoznik <mprivozn@redhat.com>
	Wed, 29 Jan 2020 12:50:51 +0000 (13:50 +0100)
commit	dbf1f68410e0cfd327ea0895ef1dd2bf297f4bf7
tree	2580b9423efa9a815bcc4419c1373ede996e0a7b	tree
parent	09804edd0a1aad0a677085bfa976035b8b8f5c4e	commit \| diff

security: do not remember/recall labels for VFIO

Files inside /dev/vfio/ can't be opened more than once, meaning
that any subsequent open calls will fail. This behavior was
introduced in kernel v3.11, commit 6d6768c61b39.

When using the VFIO driver, we open a FD to /dev/vfio/N and
pass it to QEMU. If any other call attempt for the same
/dev/vfio/N happens while QEMU is still using the file, we are
unable to open it and QEMU will report -EBUSY. This can happen
if we hotplug a PCI hostdev that belongs to the same IOMMU group
of an existing domain hostdev.

The problem and solution is similar to what we already dealt
with for TPM in commit 4e95cdcbb3. This patch changes both
DAC and SELinux drivers to disable 'remember' for VFIO hostdevs
in virSecurityDACSetHostdevLabelHelper() and
virSecurityDACSetHostdevLabel(), and 'recall'
in virSecurityDACRestoreHostdevLabel() and
virSecuritySELinuxRestoreHostdevSubsysLabel().

Signed-off-by: Daniel Henrique Barboza <danielhb413@gmail.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

src/security/security_dac.c		diff \| blob \| blame \| history
src/security/security_selinux.c		diff \| blob \| blame \| history