openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

virt-aa-helper: add rules for shmem devices 

Shared memory devices need qemu to be able to access certain paths
either for the shared memory directly (mostly ivshmem-plain) or for a
socket (mostly ivshmem-doorbell).

Add logic to virt-aa-helper to render those apparmor rules based
on the domain configuration.

https://bugzilla.redhat.com/show_bug.cgi?id=1761645

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Acked-by: Jamie Strandboge <jamie@canonical.com>
Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
This commit is contained in:
Christian Ehrhardt 2019-10-17 12:48:10 +02:00
parent d53f4d02d0
commit 36afd1a78e
No known key found for this signature in database
GPG Key ID: BA3E29338280B242
1 changed files with 33 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
src/security/virt-aa-helper.c
View File

@ -931,6 +931,7 @@ get_files(vahControl * ctl)
int rc = -1; int rc = -1;
size_t i; size_t i;
char *uuid; char *uuid;
char *mem_path = NULL;
char uuidstr[VIR_UUID_STRING_BUFLEN]; char uuidstr[VIR_UUID_STRING_BUFLEN];
bool needsVfio = false, needsvhost = false, needsgl = false; bool needsVfio = false, needsvhost = false, needsgl = false;
@ -1194,6 +1195,37 @@ get_files(vahControl * ctl)
} }
} }
for (i = 0; i < ctl->def->nshmems; i++) {
virDomainShmemDef *shmem = ctl->def->shmems[i];
/* explicit server paths can be on any model to overwrites defaults.
* When the server path is enabled, use it - otherwise fallback to
* model dependent defaults. */
if (shmem->server.enabled &&
shmem->server.chr.data.nix.path) {
if (vah_add_file(&buf, shmem->server.chr.data.nix.path,
"rw") != 0)
goto cleanup;
} else {
switch (shmem->model) {
case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_PLAIN:
/* until exposed, recreate qemuBuildShmemBackendMemProps */
mem_path = g_strdup_printf("/dev/shm/%s", shmem->name);
break;
case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM_DOORBELL:
case VIR_DOMAIN_SHMEM_MODEL_IVSHMEM:
/* until exposed, recreate qemuDomainPrepareShmemChardev */
mem_path = g_strdup_printf("/var/lib/libvirt/shmem-%s-sock",
shmem->name);
break;
}
if (mem_path != NULL) {
if (vah_add_file(&buf, mem_path, "rw") != 0)
goto cleanup;
}
}
}
if (ctl->def->tpm) { if (ctl->def->tpm) {
char *shortName = NULL; char *shortName = NULL;
const char *tpmpath = NULL; const char *tpmpath = NULL;
@ -1288,6 +1320,7 @@ get_files(vahControl * ctl)
ctl->files = virBufferContentAndReset(&buf); ctl->files = virBufferContentAndReset(&buf);
cleanup: cleanup:
VIR_FREE(mem_path);
VIR_FREE(uuid); VIR_FREE(uuid);
return rc; return rc;
} }