qemu: Fix IOMMUFD and VFIO security labels
authorPavel Hrdina <phrdina@redhat.com>
Fri, 27 Feb 2026 16:55:34 +0000 (17:55 +0100)
committerPavel Hrdina <phrdina@redhat.com>
Tue, 3 Mar 2026 10:16:54 +0000 (11:16 +0100)
When IOMMUFD support was introduced it incorrectly tried to label
`/dev/iommu` and `/dev/vfio/devices/vfioX`, but those paths are never added to
the QEMU namespace because libvirt opens them itself and passes the resulting FDs to QEMU.

We need to label these FDs instead.

Fixes: 7d2f91f9cb572ab95d0916bdd1a46dd198874529
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
src/qemu/qemu_hotplug.c
src/qemu/qemu_process.c
src/qemu/qemu_process.h
src/security/security_apparmor.c
src/security/security_dac.c
src/security/security_selinux.c

index 40489b84db416d5d8bf9f6538267d6ae59bdc3f6..b3f2a173a8fbd33c1095ab6c1058d7c65ef20de6 100644 (file)
@@ -1613,7 +1613,7 @@ qemuDomainAttachHostPCIDevice(virQEMUDriver *driver,
     }
 
     if (virHostdevIsPCIDeviceWithIOMMUFD(hostdev)) {
-        if (qemuProcessOpenVfioDeviceFd(hostdev) < 0)
+        if (qemuProcessOpenVfioDeviceFd(vm, hostdev) < 0)
             goto error;
 
         if (!priv->iommufdState) {
index a82ee4b15e00b5ca66ba2599898ac36eb36ececf..ab7cf03c0eb19579fc71330e23fdb1e7d25620c4 100644 (file)
@@ -7728,13 +7728,16 @@ int
 qemuProcessOpenIommuFd(virDomainObj *vm)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-    int iommufd;
+    VIR_AUTOCLOSE iommufd = -1;
 
     VIR_DEBUG("Opening IOMMU FD for domain %s", vm->def->name);
 
     if ((iommufd = virIOMMUFDOpenDevice()) < 0)
         return -1;
 
+    if (qemuSecuritySetImageFDLabel(priv->driver->securityManager, vm->def, iommufd) < 0)
+        return -1;
+
     priv->iommufd = qemuFDPassDirectNew("iommufd", &iommufd);
 
     return 0;
@@ -7749,16 +7752,21 @@ qemuProcessOpenIommuFd(virDomainObj *vm)
  * Returns: 0 on success, -1 on failure
  */
 int
-qemuProcessOpenVfioDeviceFd(virDomainHostdevDef *hostdev)
+qemuProcessOpenVfioDeviceFd(virDomainObj *vm,
+                            virDomainHostdevDef *hostdev)
 {
+    qemuDomainObjPrivate *priv = vm->privateData;
     qemuDomainHostdevPrivate *hostdevPriv = QEMU_DOMAIN_HOSTDEV_PRIVATE(hostdev);
     virDomainHostdevSubsysPCI *pci = &hostdev->source.subsys.u.pci;
     g_autofree char *name = g_strdup_printf("hostdev-%s-fd", hostdev->info->alias);
-    int vfioDeviceFd;
+    VIR_AUTOCLOSE vfioDeviceFd = -1;
 
     if ((vfioDeviceFd = virPCIDeviceOpenVfioFd(&pci->addr)) < 0)
         return -1;
 
+    if (qemuSecuritySetImageFDLabel(priv->driver->securityManager, vm->def, vfioDeviceFd) < 0)
+        return -1;
+
     hostdevPriv->vfioDeviceFd = qemuFDPassDirectNew(name, &vfioDeviceFd);
 
     return 0;
@@ -7776,7 +7784,7 @@ qemuProcessPrepareHostHostdev(virDomainObj *vm)
         case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI:
             if (virHostdevIsPCIDeviceWithIOMMUFD(hostdev)) {
                 /* Open VFIO device FD */
-                if (qemuProcessOpenVfioDeviceFd(hostdev) < 0)
+                if (qemuProcessOpenVfioDeviceFd(vm, hostdev) < 0)
                     return -1;
             }
             break;
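Review bot: Neither of the new qemuSecuritySetImageFDLabel() calls (after the open in qemuProcessOpenIommuFd and in qemuProcessOpenVfioDeviceFd) has a restore counterpart, while this same commit deletes the path-based restore branches in security_dac.c and security_selinux.c. If the SELinux backend implements the FD hook with fsetfilecon(), the label is stored on the inode, so /dev/vfio/devices/vfioX and /dev/iommu would keep the domain's context after the domain exits; for /dev/iommu, which every IOMMUFD domain opens, applying a per-domain MCS context is also worth confirming against concurrently running guests. The switch to VIR_AUTOCLOSE is only leak-free if qemuFDPassDirectNew() takes ownership of the descriptor, which the hunk does not show; a comment such as `/* qemuFDPassDirectNew() steals the fd, so VIR_AUTOCLOSE only fires on the error paths above */` would make that contract explicit at both call sites. The doc comment above qemuProcessOpenVfioDeviceFd (only its Returns: line is inside the hunk) should also gain an `@vm: domain object whose security manager labels the opened FD` entry for the new parameter.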
index fccd41e1a67272469eb4fa9c92c32821ae248a12..5874214596f1ce56d16e7e9a47074a2757366b85 100644 (file)
@@ -136,7 +136,8 @@ int qemuProcessPrepareHostBackendChardevHotplug(virDomainObj *vm,
 
 int qemuProcessOpenIommuFd(virDomainObj *vm);
 
-int qemuProcessOpenVfioDeviceFd(virDomainHostdevDef *hostdev);
+int qemuProcessOpenVfioDeviceFd(virDomainObj *vm,
+                                virDomainHostdevDef *hostdev);
 
 int qemuProcessPrepareHost(virQEMUDriver *driver,
                            virDomainObj *vm,
index 1c3496893c6edacaaf7f110c5236b3643f662914..40f13ec1a517ef9a8dafb697fe9ef2d44fcd832d 100644 (file)
@@ -45,7 +45,6 @@
 #include "virstring.h"
 #include "virscsi.h"
 #include "virmdev.h"
-#include "viriommufd.h"
 
 #define VIR_FROM_THIS VIR_FROM_SECURITY
 
@@ -856,17 +855,6 @@ AppArmorSetSecurityHostdevLabel(virSecurityManager *mgr,
 
                 if (AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr) < 0)
                     return -1;
-            } else {
-                g_autofree char *vfiofdDev = NULL;
-
-                if (virPCIDeviceGetVfioPath(pci, &vfiofdDev) < 0)
-                    return -1;
-
-                if (AppArmorSetSecurityPCILabel(pci, vfiofdDev, ptr) < 0)
-                    return -1;
-
-                if (AppArmorSetSecurityPCILabel(pci, VIR_IOMMU_DEV_PATH, ptr) < 0)
-                    return -1;
             }
         } else {
             if (virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr) < 0)
index dc6dac0fb11cff265269bd3278d1f21d8310c785..5aa13741e65c130e25b003cdc6cd5f8b91b6a30f 100644 (file)
@@ -41,7 +41,6 @@
 #include "virscsivhost.h"
 #include "virstring.h"
 #include "virutil.h"
-#include "viriommufd.h"
 
 #define VIR_FROM_THIS VIR_FROM_SECURITY
 
@@ -1295,17 +1294,6 @@ virSecurityDACSetHostdevLabel(virSecurityManager *mgr,
                                                         &cbdata) < 0) {
                     return -1;
                 }
-            } else {
-                g_autofree char *vfiofdDev = NULL;
-
-                if (virPCIDeviceGetVfioPath(pci, &vfiofdDev) < 0)
-                    return -1;
-
-                if (virSecurityDACSetHostdevLabelHelper(vfiofdDev, false, &cbdata) < 0)
-                    return -1;
-
-                if (virSecurityDACSetHostdevLabelHelper(VIR_IOMMU_DEV_PATH, false, &cbdata) < 0)
-                    return -1;
             }
         } else {
             if (virPCIDeviceFileIterate(pci,
@@ -1476,21 +1464,6 @@ virSecurityDACRestoreHostdevLabel(virSecurityManager *mgr,
                                                            vfioGroupDev, false) < 0) {
                     return -1;
                 }
-            } else {
-                g_autofree char *vfiofdDev = NULL;
-
-                if (virPCIDeviceGetVfioPath(pci, &vfiofdDev) < 0)
-                    return -1;
-
-                if (virSecurityDACRestoreFileLabelInternal(mgr, NULL,
-                                                           vfiofdDev, false) < 0) {
-                    return -1;
-                }
-
-                if (virSecurityDACRestoreFileLabelInternal(mgr, NULL,
-                                                           VIR_IOMMU_DEV_PATH, false) < 0) {
-                    return -1;
-                }
             }
         } else {
             if (virPCIDeviceFileIterate(pci, virSecurityDACRestorePCILabel, mgr) < 0)
index 94a796ec4999d5427aa648082e236e4a3667b4b0..89546e3316c1687b9d71c0f33027bfec83e2bed1 100644 (file)
@@ -41,7 +41,6 @@
 #include "virconf.h"
 #include "virtpm.h"
 #include "virstring.h"
-#include "viriommufd.h"
 
 #define VIR_FROM_THIS VIR_FROM_SECURITY
 
@@ -2267,17 +2266,6 @@ virSecuritySELinuxSetHostdevSubsysLabel(virSecurityManager *mgr,
                                                             &data) < 0) {
                     return -1;
                 }
-            } else {
-                g_autofree char *vfiofdDev = NULL;
-
-                if (virPCIDeviceGetVfioPath(pci, &vfiofdDev) < 0)
-                    return -1;
-
-                if (virSecuritySELinuxSetHostdevLabelHelper(vfiofdDev, false, &data) < 0)
-                    return -1;
-
-                if (virSecuritySELinuxSetHostdevLabelHelper(VIR_IOMMU_DEV_PATH, false, &data) < 0)
-                    return -1;
             }
         } else {
             if (virPCIDeviceFileIterate(pci, virSecuritySELinuxSetPCILabel, &data) < 0)
@@ -2519,17 +2507,6 @@ virSecuritySELinuxRestoreHostdevSubsysLabel(virSecurityManager *mgr,
 
                 if (virSecuritySELinuxRestoreFileLabel(mgr, vfioGroupDev, false, false) < 0)
                     return -1;
-            } else {
-                g_autofree char *vfiofdDev = NULL;
-
-                if (virPCIDeviceGetVfioPath(pci, &vfiofdDev) < 0)
-                    return -1;
-
-                if (virSecuritySELinuxRestoreFileLabel(mgr, vfiofdDev, false, false) < 0)
-                    return -1;
-
-                if (virSecuritySELinuxRestoreFileLabel(mgr, VIR_IOMMU_DEV_PATH, false, false) < 0)
-                    return -1;
             }
         } else {
             if (virPCIDeviceFileIterate(pci, virSecuritySELinuxRestorePCILabel, mgr) < 0)