3558b40b5b
- qemu: fix issues related to restricted permissions on /dev/sev b6440119-qemu-conf-sev.patch, a404ac34-qemu-cgroup-sev.patch, 6fd4c8f8-qemu-domain-sev.patch, 17f6a257-security-dac-sev.patch, a2d3dea9-qemu-caps-dac-override-sev.patch bsc#1124842 OBS-URL: https://build.opensuse.org/request/show/672885 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=728
51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
commit a404ac34768e975bd420d1eeac3811563da67e3f
|
|
Author: Erik Skultety <eskultet@redhat.com>
|
|
Date: Mon Jan 21 14:50:11 2019 +0100
|
|
|
|
qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
|
|
|
|
SEV has a limit on number of concurrent guests. From security POV we
|
|
should only expose resources (any resources for that matter) to domains
|
|
that truly need them.
|
|
|
|
Signed-off-by: Erik Skultety <eskultet@redhat.com>
|
|
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
|
Index: libvirt-5.0.0/src/qemu/qemu_cgroup.c
|
|
===================================================================
|
|
--- libvirt-5.0.0.orig/src/qemu/qemu_cgroup.c
|
|
+++ libvirt-5.0.0/src/qemu/qemu_cgroup.c
|
|
@@ -692,6 +692,22 @@ qemuTeardownChardevCgroup(virDomainObjPt
|
|
|
|
|
|
static int
|
|
+qemuSetupSEVCgroup(virDomainObjPtr vm)
|
|
+{
|
|
+ qemuDomainObjPrivatePtr priv = vm->privateData;
|
|
+ int ret;
|
|
+
|
|
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
+ return 0;
|
|
+
|
|
+ ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
|
|
+ VIR_CGROUP_DEVICE_RW, false);
|
|
+ virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
|
|
+ "rw", ret);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
+static int
|
|
qemuSetupDevicesCgroup(virDomainObjPtr vm)
|
|
{
|
|
qemuDomainObjPrivatePtr priv = vm->privateData;
|
|
@@ -798,6 +814,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr v
|
|
goto cleanup;
|
|
}
|
|
|
|
+ if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
|
|
+ goto cleanup;
|
|
+
|
|
ret = 0;
|
|
cleanup:
|
|
virObjectUnref(cfg);
|