apparmor: Allow AMD-SEV device access for AMD-SEV VM
authorHector Cao <hector.cao@canonical.com>
Tue, 14 Oct 2025 15:28:34 +0000 (17:28 +0200)
committerMichal Privoznik <mprivozn@redhat.com>
Thu, 23 Oct 2025 08:22:46 +0000 (10:22 +0200)
AMD-SEV virtual machines interact with the underlying
AMD-SEV technology through the character device /dev/sev.
Currently, the AppArmor profile does not include the rule
required to allow this access.

There are two main approaches to address this limitation:

1) Add the required rule to the libvirt-qemu abstraction.
2) Dynamically add the rule only when the VM is an AMD-SEV
   guest.

Since AMD-SEV guests represent a niche use case, it is more
appropriate to apply the rule dynamically rather than granting
access to all VMs through a global abstraction change.

This commit implements option (2) by modifying the virt-aa-helper
binary to insert the necessary rule into the AppArmor dynamic
profile when the VM is identified as an AMD-SEV guest.

The added entry in the generated libvirt-<uuid>.files file
will look like:

  ...
  "/dev/sev" rw,
  ...

Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
src/security/virt-aa-helper.c

index 8a297d4b54221c34b14b86c88bd664e2e79664ea..de0a826063a1076374721e1582eb6b357ed81023 100644 (file)
@@ -1370,6 +1370,21 @@ get_files(vahControl * ctl)
         virBufferAddLit(&buf, "  deny \"/var/lib/libvirt/.cache/\" w,\n");
     }
 
+    /* AMD-SEV VM needs to read/write the character device /dev/sev */
+    if (ctl->def->sec) {
+        switch (ctl->def->sec->sectype) {
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_SEV_SNP:
+            virBufferAddLit(&buf, "  \"/dev/sev\" rw,\n");
+            break;
+        case VIR_DOMAIN_LAUNCH_SECURITY_PV:
+        case VIR_DOMAIN_LAUNCH_SECURITY_TDX:
+        case VIR_DOMAIN_LAUNCH_SECURITY_NONE:
+        case VIR_DOMAIN_LAUNCH_SECURITY_LAST:
+            break;
+        }
+    }
+
     if (ctl->newfile &&
         vah_add_file(&buf, ctl->newfile, "rwk") != 0) {
         return -1;
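Review bot: The comment above the new switch names only "AMD-SEV", but the rule is also emitted for the SEV_SNP case, and nothing explains why the PV/TDX/NONE/LAST values are spelled out as empty cases; a reader may take the missing `default` for an oversight and "fix" it. Suggest widening the comment to `/* SEV and SEV-SNP guests need QEMU to open the /dev/sev character device read-write; the remaining launch-security types are listed explicitly (no default) so that adding a new enum value is flagged here */`, hedged as presumably the intent of the exhaustive switch. The grant is scoped to the specific guest type rather than the global abstraction, which matches the least-privilege goal stated in the description. get_files begins and continues outside this hunk, so whether ctl->def is already checked non-NULL earlier in the function is not visible here.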