Bug 624151

Summary: pcidev missing files for security drivers
Product: [Community] Virtualization Tools Reporter: Jamie Strandboge <jamie>
Component: libvirtAssignee: Libvirt Maintainers <libvirt-maint>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: low    
Version: unspecifiedCC: berrange, crobinso, jtomko, xen-maint
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-07-28 14:53:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jamie Strandboge 2010-08-13 20:32:52 UTC 
Someone reported a bug in Ubuntu on pcidev devices not being correctly added with the AppArmor driver and a patch was submitted:
https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/545795/comments/29

This patch is not tested but suggests that more than just the AppArmor driver is affected, so I am forwarding it here. That bug is kinda all over the place and has various things unrelated to this report.

Here is the comment and submitted patch:

"Patch to allow PCI pass through to work woth app armor. It's currently missing a couple of files"

--- libvirt-0.7.5.orig/src/util/pci.c	2010-06-11 01:43:41 +0000
+++  libvirt-0.7.5/src/util/pci.c	2010-06-11 01:45:06 +0000
@@ -1089,6 +1089,8 @@
          */
         if (STREQ(ent->d_name, "config") ||
             STRPREFIX(ent->d_name, "resource") ||
+            STREQ(ent->d_name, "vendor") ||
+            STREQ(ent->d_name, "device") ||
             STREQ(ent->d_name, "rom")) {
             if (virAsprintf(&file, "%s/%s", pcidir, ent->d_name) < 0) {
                 virReportOOMError(conn);
Comment 1 Daniel Berrangé 2010-08-14 20:19:06 UTC 
This is rather odd. QEMU appears to use the vendor + device files, but AFAICK, under SElinux QEMU is working fine without this change. The patch certainly looks reasonable though.
Comment 2 Jamie Strandboge 2010-11-05 18:17:21 UTC 
I'm just following up on this since we are pulling in 0.8.5 into Ubuntu and the above isn't committed yet. I can say that at this point Ubuntu is carrying it in its 10.10 release (libvirt 0.8.3) and there are no reported regressions.
Comment 3 Ján Tomko 2015-07-28 14:53:21 UTC 
Identical patch was already pushed upstream:
commit 28d599c5130ee102d5174c01d59eeb14a75a3747
Author:     Cédric Bosdonnat <cbosdonnat>
AuthorDate: 2015-04-23 09:32:16 +0200
Commit:     Cédric Bosdonnat <cbosdonnat>
CommitDate: 2015-04-24 10:47:41 +0200

    Allow access to vendor and device file for PCI device passthrough
    
    For some devices, the $PCIDIR/vendor and $PCIDIR/device need to be
    read. Iterate over them to get them as well in the the generated
    apparmor profile.

git describe: v1.2.14-282-g28d599c contains: v1.2.15-rc1~57