authorLaine Stump <laine@laine.org>2013-04-25 06:37:21 -0400
committerLaine Stump <laine@laine.org>2013-04-25 21:28:43 -0400
commitf0bd70a940de690216c538b0ab1b71c8a7d2fbb6 (patch)
tree31d92897ab6001f44822d34acef826282ea881a7
parentb210208f97a7af627570a656e0c334c2cf57b770 (diff)
downloadlibvirt-f0bd70a940de690216c538b0ab1b71c8a7d2fbb6.tar.gz
security: update hostdev labelling functions for VFIOv1.0.5-rc1
Legacy kvm style pci device assignment requires changes to the labelling of several sysfs files for each device, but for vfio device assignment, the only thing that needs to be relabelled/chowned is the "group" device for the group that contains the device to be assigned.
-rw-r--r--src/security/security_apparmor.c12
-rw-r--r--src/security/security_dac.c27
-rw-r--r--src/security/security_selinux.c24
3 files changed, 57 insertions, 6 deletions
diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 122edd4df1..0aff794a9a 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -831,7 +831,17 @@ AppArmorSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = AppArmorSetSecurityPCILabel(pci, vfioGroupDev, ptr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, AppArmorSetSecurityPCILabel, ptr);
+ }
virPCIDeviceFree(pci);
break;
}
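Review bot: The new `if (!vfioGroupDev) goto done;` in the VFIO branch leaks `pci`: the `virPCIDeviceFree(pci)` a few lines below is only reached on the fall-through path, while the pre-existing `if (!pci) goto done;` jumped before anything had been allocated, so the `done:` cleanup presumably does not free it. Releasing the device before leaving fixes it, `if (!vfioGroupDev) { virPCIDeviceFree(pci); goto done; }`, or alternatively the `done:` label (outside this hunk, as is the start of AppArmorSetSecurityHostdevLabel) could take over freeing `pci`. Whether `ret` already holds a failure value at that point is not visible here; if it does not, this early exit would also report success after a relabel that never happened. The same pattern, with the same leak, is repeated in the security_dac.c hunks at @@ -516 and @@ -596 and in the security_selinux.c hunks at @@ -1342 and @@ -1504.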
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 8576081b2d..5e00112d10 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -516,8 +516,19 @@ virSecurityDACSetSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
- params);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACSetSecurityPCILabel(pci, vfioGroupDev, params);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACSetSecurityPCILabel,
+ params);
+ }
+
virPCIDeviceFree(pci);
break;
@@ -596,7 +607,17 @@ virSecurityDACRestoreSecurityHostdevLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecurityDACRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecurityDACRestoreSecurityPCILabel, mgr);
+ }
virPCIDeviceFree(pci);
break;
diff --git a/src/security/security_selinux.c b/src/security/security_selinux.c
index a8b74eebcc..a5b54cb821 100644
--- a/src/security/security_selinux.c
+++ b/src/security/security_selinux.c
@@ -1342,7 +1342,17 @@ virSecuritySELinuxSetSecurityHostdevSubsysLabel(virDomainDefPtr def,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxSetSecurityPCILabel(pci, vfioGroupDev, def);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxSetSecurityPCILabel, def);
+ }
virPCIDeviceFree(pci);
break;
@@ -1504,7 +1514,17 @@ virSecuritySELinuxRestoreSecurityHostdevSubsysLabel(virSecurityManagerPtr mgr,
if (!pci)
goto done;
- ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ if (dev->source.subsys.u.pci.backend
+ == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_TYPE_VFIO) {
+ char *vfioGroupDev = virPCIDeviceGetVFIOGroupDev(pci);
+
+ if (!vfioGroupDev)
+ goto done;
+ ret = virSecuritySELinuxRestoreSecurityPCILabel(pci, vfioGroupDev, mgr);
+ VIR_FREE(vfioGroupDev);
+ } else {
+ ret = virPCIDeviceFileIterate(pci, virSecuritySELinuxRestoreSecurityPCILabel, mgr);
+ }
virPCIDeviceFree(pci);
break;