Bug 624151 - pcidev missing files for security drivers
Summary: pcidev missing files for security drivers
Alias: None
Product: Virtualization Tools
Classification: Community
Component: libvirt (Show other bugs)
(Show other bugs)
Version: unspecified
Hardware: All Linux
Target Milestone: ---
Assignee: Libvirt Maintainers
QA Contact:
Depends On:
TreeView+ depends on / blocked
Reported: 2010-08-13 20:32 UTC by Jamie Strandboge
Modified: 2015-07-28 14:53 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-07-28 14:53:21 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Jamie Strandboge 2010-08-13 20:32:52 UTC
Someone reported a bug in Ubuntu on pcidev devices not being correctly added with the AppArmor driver and a patch was submitted:

This patch is not tested but suggests that more than just the AppArmor driver is affected, so I am forwarding it here. That bug is kinda all over the place and has various things unrelated to this report.

Here is the comment and submitted patch:

"Patch to allow PCI pass through to work woth app armor. It's currently missing a couple of files"

--- libvirt-0.7.5.orig/src/util/pci.c	2010-06-11 01:43:41 +0000
+++  libvirt-0.7.5/src/util/pci.c	2010-06-11 01:45:06 +0000
@@ -1089,6 +1089,8 @@
         if (STREQ(ent->d_name, "config") ||
             STRPREFIX(ent->d_name, "resource") ||
+            STREQ(ent->d_name, "vendor") ||
+            STREQ(ent->d_name, "device") ||
             STREQ(ent->d_name, "rom")) {
             if (virAsprintf(&file, "%s/%s", pcidir, ent->d_name) < 0) {

Comment 1 Daniel Berrange 2010-08-14 20:19:06 UTC
This is rather odd. QEMU appears to use the vendor + device files, but AFAICK, under SElinux QEMU is working fine without this change. The patch certainly looks reasonable though.

Comment 2 Jamie Strandboge 2010-11-05 18:17:21 UTC
I'm just following up on this since we are pulling in 0.8.5 into Ubuntu and the above isn't committed yet. I can say that at this point Ubuntu is carrying it in its 10.10 release (libvirt 0.8.3) and there are no reported regressions.

Comment 3 Ján Tomko 2015-07-28 14:53:21 UTC
Identical patch was already pushed upstream:
commit 28d599c5130ee102d5174c01d59eeb14a75a3747
Author:     Cédric Bosdonnat <cbosdonnat@suse.com>
AuthorDate: 2015-04-23 09:32:16 +0200
Commit:     Cédric Bosdonnat <cbosdonnat@suse.com>
CommitDate: 2015-04-24 10:47:41 +0200

    Allow access to vendor and device file for PCI device passthrough
    For some devices, the $PCIDIR/vendor and $PCIDIR/device need to be
    read. Iterate over them to get them as well in the the generated
    apparmor profile.

git describe: v1.2.14-282-g28d599c contains: v1.2.15-rc1~57

Note You need to log in before you can comment on or make changes to this bug.