From: dac.override@gmail.com (Dominick Grift)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] proposal for libvirt vfio/vt-d support
Date: Sun, 7 Jun 2015 19:12:39 +0200 [thread overview]
Message-ID: <20150607171238.GA21587@x131e> (raw)
In-Reply-To: <55747110.5030901@web.de>
On Sun, Jun 07, 2015 at 06:28:00PM +0200, Alexander Wetzel wrote:
>
> The attached patch proposes a way to allow pci device pass through via
> a new selinux boolean "virt_use_vfio" for libvirt.
>
Also, please submit your patches in git format so that it can be easily merged when issues in my other reply are resolved.
see: https://github.com/TresysTechnology/refpolicy/wiki/HowToContribute
> This was originally proposed in a slightly different version as gentoo
> enhancement here: https://bugs.gentoo.org/show_bug.cgi?id=522736
> (It's only tested as patch against the gentoo version of the refpoliciy.)
>
> I used it for around one year to pass an ISDN PCIe card to a guest and
> verified today the function with an USB PCI device. (The ISDN card is no
> longer in the system.)
> USB HUP was ok in guest with lspci and lsusb, but a USB stick did not
> work as expected. That's not related to selinux and was ignored here,
> since I have the same problem with selinux in permissive mode on the host.
>
> The patch adds "vfio_device_t;", the boolean virt_use_vfio and when the
> boolean is set the following rules:
>
> allow virtd_t self:process setrlimit;
> allow virtd_t self:capability sys_resource;
> allow virtd_t svirt_t:process rlimitinh;
> allow virtd_t vfio_device_t:chr_file { relabelfrom setattr };
> allow svirt_t vfio_device_t:chr_file { read write open ioctl };
>
> Here the errors I get when I remove one of the rights (keeping all the
> others in place):
>
> Without "allow virtd_t self:process setrlimit" or "allow virtd_t
> self:capability sys_resource":
> error: Failed to start domain web-old
> error: internal error: Process exited prior to exec: libvirt: error :
> cannot limit locked memory to 5368709120: Permission denied
>
> Without "allow virtd_t svirt_t:process rlimitinh":
> error: Failed to start domain web-old
> error: internal error: early end of file from monitor: possible problem:
> 2015-06-07T14:28:21.433403Z qemu-system-x86_64: -device
> vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
> vfio_dma_map(0x3ebad4fcd0, 0x0, 0xa0000, 0x39030000000) = -12 (Cannot
> allocate memory)
> 2015-06-07T14:28:21.433480Z qemu-system-x86_64: -device
> vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
> vfio_dma_map(0x3ebad4fcd0, 0xc0000, 0x20000, 0x39144200000) = -12
> (Cannot allocate memory)
> 2015-06-07T14:28:21.433538Z qemu-system-x86_64: -device
> vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
> vfio_dma_map(0x3ebad4fcd0, 0x100000, 0xdff00000, 0x39030100000) = -12
> (Cannot allocate memory)
> 2015-06-07T14:28:21.433707Z qemu-system-x86_64: -device
> vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
> vfio_dma_map(0x3ebad4fcd0, 0x100000000, 0x20000000, 0x39110000000) = -12
> (Cannot allocate memory)
> 2015-06-07T14:28:21.433730Z qemu-system-x86_64: -device
> vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1: vfio:
>
>
> Without "allow virtd_t vfio_device_t:chr_file relabelfrom"
> error: Failed to start domain web-old
> error: unable to set security context
> 'system_u:object_r:svirt_image_t:s0:c587,c898' on '/dev/vfio/2':
> Permission denied
>
>
> Without "allow virtd_t vfio_device_t:chr_file setattr":
> --> Can't reproduce an error without this right any more.
> I'm pretty sure it was needed in the past, see gentoo ticket from link
> above.
>
>
> Without any of the permissions of
> "allow svirt_t vfio_device_t:chr_file { read write open ioctl }":
> error: Failed to start domain web-old
> error: internal error: early end of file from monitor: possible problem:
> 2015-06-07T15:40:47.505774Z qemu-system-x86_64: -device
> vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: supported
> vfio version: 0, reported version: -1
> 2015-06-07T15:40:47.505814Z qemu-system-x86_64: -device
> vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: failed to
> setup container for group 2
> 2015-06-07T15:40:47.505835Z qemu-system-x86_64: -device
> vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: failed to
> get group 2
> 2015-06-07T15:40:47.505858Z qemu-system-x86_64: -device
> vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: Device
> initialization failed.
> 2015-06-07T15:40:47.505883Z qemu-system-x86_64: -device
> vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: Device 'vfio-pci'
> could not be initialized
>
>
> diff -ru refpolicy_orig/policy/modules/contrib/virt.te refpolicy/policy/modules/contrib/virt.te
> --- refpolicy_orig/policy/modules/contrib/virt.te 2014-06-16 19:45:41.000000000 +0200
> +++ refpolicy/policy/modules/contrib/virt.te 2015-06-07 16:01:56.160252828 +0200
> @@ -70,6 +70,14 @@
> ## </desc>
> gen_tunable(virt_use_xserver, false)
>
> +## <desc>
> +### <p>
> +### Determine whether confined virtual guests
> +### can use vfio for pci device pass through (vt-d).
> +### </p>
> +### </desc>
> +gen_tunable(virt_use_vfio, false)
> +
> attribute virt_ptynode;
> attribute virt_domain;
> attribute virt_image_type;
> @@ -340,6 +348,14 @@
> fs_manage_dos_files(virt_domain)
> ')
>
> +tunable_policy(`virt_use_vfio',`
> + dev_rw_vfio_dev(svirt_t)
> + dev_trans_vfio_dev(virtd_t)
> + allow virtd_t self:process setrlimit;
> + allow virtd_t self:capability sys_resource;
> + allow virtd_t svirt_t:process rlimitinh;
> +')
> +
> optional_policy(`
> tunable_policy(`virt_use_xserver',`
> xserver_read_xdm_pid(virt_domain)
> diff -ru refpolicy_orig/policy/modules/kernel/devices.fc refpolicy/policy/modules/kernel/devices.fc
> --- refpolicy_orig/policy/modules/kernel/devices.fc 2014-06-16 19:44:12.000000000 +0200
> +++ refpolicy/policy/modules/kernel/devices.fc 2015-06-07 16:01:53.110252822 +0200
> @@ -118,6 +118,7 @@
> ifdef(`distro_suse', `
> /dev/usbscanner -c gen_context(system_u:object_r:scanner_device_t,s0)
> ')
> +/dev/vfio/(vfio)?[0-9]* -c gen_context(system_u:object_r:vfio_device_t,s0)
> /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
> /dev/vbi.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> /dev/vbox.* -c gen_context(system_u:object_r:xserver_misc_device_t,s0)
> diff -ru refpolicy_orig/policy/modules/kernel/devices.if refpolicy/policy/modules/kernel/devices.if
> --- refpolicy_orig/policy/modules/kernel/devices.if 2014-09-12 15:52:18.000000000 +0200
> +++ refpolicy/policy/modules/kernel/devices.if 2015-06-07 16:01:53.110252822 +0200
> @@ -4611,6 +4611,42 @@
>
> ########################################
> ## <summary>
> +## Allow libvirt to use vfio for vt-d passthrough
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_rw_vfio_dev',`
> + gen_require(`
> + type device_t, vfio_device_t;
> + ')
> +
> + allow $1 vfio_device_t:chr_file { read write open ioctl };
> +')
> +
> +########################################
> +## <summary>
> +## Allow dev file transition to new user and type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_trans_vfio_dev',`
> + gen_require(`
> + type device_t, vfio_device_t;
> + ')
> +
> + allow $1 vfio_device_t:chr_file { relabelfrom setattr };
> +')
> +
> +############################
> +## <summary>
> ## Allow read/write the vhost net device
> ## </summary>
> ## <param name="domain">
> diff -ru refpolicy_orig/policy/modules/kernel/devices.te refpolicy/policy/modules/kernel/devices.te
> --- refpolicy_orig/policy/modules/kernel/devices.te 2014-12-03 19:37:34.000000000 +0100
> +++ refpolicy/policy/modules/kernel/devices.te 2015-06-07 16:01:53.110252822 +0200
> @@ -273,6 +273,9 @@
> type userio_device_t;
> dev_node(userio_device_t)
>
> +type vfio_device_t;
> +dev_node(vfio_device_t)
> +
> type v4l_device_t;
> dev_node(v4l_device_t)
>
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
02DFF788
4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150607/587676b6/attachment-0001.bin
next prev parent reply other threads:[~2015-06-07 17:12 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <55746E03.90502@web.de>
2015-06-07 16:28 ` [refpolicy] [PATCH] proposal for libvirt vfio/vt-d support Alexander Wetzel
2015-06-07 17:02 ` Dominick Grift
2015-06-07 17:12 ` Dominick Grift [this message]
2015-06-07 17:26 ` Dominick Grift
2015-06-08 21:11 ` Alexander Wetzel
2015-06-08 21:37 ` Dominick Grift
2015-06-08 22:39 ` Alexander Wetzel
2015-06-09 13:52 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150607171238.GA21587@x131e \
--to=dac.override@gmail.com \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.