From: alexander.wetzel@web.de (Alexander Wetzel)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] proposal for libvirt vfio/vt-d support
Date: Sun, 07 Jun 2015 18:28:00 +0200 [thread overview]
Message-ID: <55747110.5030901@web.de> (raw)
In-Reply-To: <55746E03.90502@web.de>
The attached patch proposes a way to allow pci device pass through via
a new selinux boolean "virt_use_vfio" for libvirt.
This was originally proposed in a slightly different version as gentoo
enhancement here: https://bugs.gentoo.org/show_bug.cgi?id=522736
(It's only tested as patch against the gentoo version of the refpoliciy.)
I used it for around one year to pass an ISDN PCIe card to a guest and
verified today the function with an USB PCI device. (The ISDN card is no
longer in the system.)
USB HUP was ok in guest with lspci and lsusb, but a USB stick did not
work as expected. That's not related to selinux and was ignored here,
since I have the same problem with selinux in permissive mode on the host.
The patch adds "vfio_device_t;", the boolean virt_use_vfio and when the
boolean is set the following rules:
allow virtd_t self:process setrlimit;
allow virtd_t self:capability sys_resource;
allow virtd_t svirt_t:process rlimitinh;
allow virtd_t vfio_device_t:chr_file { relabelfrom setattr };
allow svirt_t vfio_device_t:chr_file { read write open ioctl };
Here the errors I get when I remove one of the rights (keeping all the
others in place):
Without "allow virtd_t self:process setrlimit" or "allow virtd_t
self:capability sys_resource":
error: Failed to start domain web-old
error: internal error: Process exited prior to exec: libvirt: error :
cannot limit locked memory to 5368709120: Permission denied
Without "allow virtd_t svirt_t:process rlimitinh":
error: Failed to start domain web-old
error: internal error: early end of file from monitor: possible problem:
2015-06-07T14:28:21.433403Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
vfio_dma_map(0x3ebad4fcd0, 0x0, 0xa0000, 0x39030000000) = -12 (Cannot
allocate memory)
2015-06-07T14:28:21.433480Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
vfio_dma_map(0x3ebad4fcd0, 0xc0000, 0x20000, 0x39144200000) = -12
(Cannot allocate memory)
2015-06-07T14:28:21.433538Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
vfio_dma_map(0x3ebad4fcd0, 0x100000, 0xdff00000, 0x39030100000) = -12
(Cannot allocate memory)
2015-06-07T14:28:21.433707Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
vfio_dma_map(0x3ebad4fcd0, 0x100000000, 0x20000000, 0x39110000000) = -12
(Cannot allocate memory)
2015-06-07T14:28:21.433730Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1: vfio:
Without "allow virtd_t vfio_device_t:chr_file relabelfrom"
error: Failed to start domain web-old
error: unable to set security context
'system_u:object_r:svirt_image_t:s0:c587,c898' on '/dev/vfio/2':
Permission denied
Without "allow virtd_t vfio_device_t:chr_file setattr":
--> Can't reproduce an error without this right any more.
I'm pretty sure it was needed in the past, see gentoo ticket from link
above.
Without any of the permissions of
"allow svirt_t vfio_device_t:chr_file { read write open ioctl }":
error: Failed to start domain web-old
error: internal error: early end of file from monitor: possible problem:
2015-06-07T15:40:47.505774Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: supported
vfio version: 0, reported version: -1
2015-06-07T15:40:47.505814Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: failed to
setup container for group 2
2015-06-07T15:40:47.505835Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: failed to
get group 2
2015-06-07T15:40:47.505858Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: Device
initialization failed.
2015-06-07T15:40:47.505883Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: Device 'vfio-pci'
could not be initialized
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vfio.patch
Type: text/x-patch
Size: 3321 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150607/6207b8a8/attachment.bin
next parent reply other threads:[~2015-06-07 16:28 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <55746E03.90502@web.de>
2015-06-07 16:28 ` Alexander Wetzel [this message]
2015-06-07 17:02 ` [refpolicy] [PATCH] proposal for libvirt vfio/vt-d support Dominick Grift
2015-06-07 17:12 ` Dominick Grift
2015-06-07 17:26 ` Dominick Grift
2015-06-08 21:11 ` Alexander Wetzel
2015-06-08 21:37 ` Dominick Grift
2015-06-08 22:39 ` Alexander Wetzel
2015-06-09 13:52 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55747110.5030901@web.de \
--to=alexander.wetzel@web.de \
--cc=refpolicy@oss.tresys.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.