From: Pavel Hrdina Date: Fri, 13 Mar 2026 09:50:36 +0000 (+0100) Subject: viriommufd: Set IOMMU_OPTION_RLIMIT_MODE only when running privileged X-Git-Tag: v12.2.0-rc1~67 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=293bb59e75f4b4c975bbeccb1bb8b39b6f439a35;p=thirdparty%2Flibvirt.git viriommufd: Set IOMMU_OPTION_RLIMIT_MODE only when running privileged If libvirt daemon is running unprivileged it will fail so we should not even try to set it. Signed-off-by: Pavel Hrdina Reviewed-by: Jiri Denemark --- diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index ab7cf03c0e..ecd05b4bf6 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -7732,7 +7732,7 @@ qemuProcessOpenIommuFd(virDomainObj *vm) VIR_DEBUG("Opening IOMMU FD for domain %s", vm->def->name); - if ((iommufd = virIOMMUFDOpenDevice()) < 0) + if ((iommufd = virIOMMUFDOpenDevice(priv->driver->privileged)) < 0) return -1; if (qemuSecuritySetImageFDLabel(priv->driver->securityManager, vm->def, iommufd) < 0) diff --git a/src/util/viriommufd.c b/src/util/viriommufd.c index b62d59241d..82920923a2 100644 --- a/src/util/viriommufd.c +++ b/src/util/viriommufd.c @@ -80,14 +80,14 @@ virIOMMUFDSetRLimitMode(int fd, bool processAccounting) } int -virIOMMUFDOpenDevice(void) +virIOMMUFDOpenDevice(bool privileged) { int fd = -1; if ((fd = open(VIR_IOMMU_DEV_PATH, O_RDWR | O_CLOEXEC)) < 0) virReportSystemError(errno, "%s", _("cannot open IOMMUFD device")); - if (virIOMMUFDSetRLimitMode(fd, true) < 0) { + if (privileged && virIOMMUFDSetRLimitMode(fd, true) < 0) { VIR_FORCE_CLOSE(fd); return -1; } @@ -98,7 +98,7 @@ virIOMMUFDOpenDevice(void) #else int -virIOMMUFDOpenDevice(void) +virIOMMUFDOpenDevice(bool privileged G_GNUC_UNUSED) { virReportError(VIR_ERR_NO_SUPPORT, "%s", _("IOMMUFD is not supported on this platform")); diff --git a/src/util/viriommufd.h b/src/util/viriommufd.h index 223f44eb5c..7bad5c7472 100644 --- a/src/util/viriommufd.h +++ b/src/util/viriommufd.h 
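Review bot: `priv->driver->privileged` appears to describe how the daemon was started rather than whether this process may change the accounting mode, so a root daemon running with a reduced capability set (a container, for instance) would presumably still fail at this call. If that configuration is supported, the decision belongs next to the ioctl, treating a permission error there as non-fatal, rather than at the call site. At minimum the call deserves a comment such as `/* session daemons cannot set IOMMU_OPTION_RLIMIT_MODE; the fd keeps the kernel's default accounting */`, because the memlock accounting applied to the guest's pinned memory now differs between system and session mode. qemuProcessOpenIommuFd starts and ends outside the hunk.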
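Review bot: The open() failure branch just above the changed line reports "cannot open IOMMUFD device" but does not return, so with `privileged` true virIOMMUFDSetRLimitMode still runs on fd -1 and any error it reports presumably replaces the more useful open error; with `privileged` false the function now depends on the code after the hunk to hand back the negative fd. Brace the branch and return early: `if ((fd = open(VIR_IOMMU_DEV_PATH, O_RDWR | O_CLOEXEC)) < 0) { virReportSystemError(errno, "%s", _("cannot open IOMMUFD device")); return -1; }`. The function's final return lies outside the hunk.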
@@ -22,6 +22,6 @@ #define VIR_IOMMU_DEV_PATH "/dev/iommu" -int virIOMMUFDOpenDevice(void); +int virIOMMUFDOpenDevice(bool privileged); bool virIOMMUFDSupported(void);
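Review bot: The prototype gains a bare `bool privileged` with no comment on what it gates, and at a call site it reads as if it affected the open itself. A short comment above the declaration would settle it, for example `/* @privileged: also request process-based accounting via IOMMU_OPTION_RLIMIT_MODE; when false the fd keeps the kernel default */`. Since the flag changes how pinned guest memory is accounted, that is worth stating where callers will look.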