Someone reported a bug in Ubuntu on pcidev devices not being correctly added with the AppArmor driver and a patch was submitted: https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/545795/comments/29

This patch is not tested but suggests that more than just the AppArmor driver is affected, so I am forwarding it here. That bug is kinda all over the place and has various things unrelated to this report. Here is the comment and submitted patch:

"Patch to allow PCI pass through to work with app armor. It's currently missing a couple of files"

--- libvirt-0.7.5.orig/src/util/pci.c 2010-06-11 01:43:41 +0000 +++ libvirt-0.7.5/src/util/pci.c 2010-06-11 01:45:06 +0000 @@ -1089,6 +1089,8 @@ */ if (STREQ(ent->d_name, "config") || STRPREFIX(ent->d_name, "resource") || + STREQ(ent->d_name, "vendor") || + STREQ(ent->d_name, "device") || STREQ(ent->d_name, "rom")) { if (virAsprintf(&file, "%s/%s", pcidir, ent->d_name) < 0) { virReportOOMError(conn);
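Review bot: the two added `STREQ(ent->d_name, "vendor")` / `STREQ(ent->d_name, "device")` entries in the src/util/pci.c hunk come with no rationale beyond "missing a couple of files"; the patch description should say which consumer needs read access to $PCIDIR/vendor and $PCIDIR/device (the thread says QEMU does) and on which devices it was observed, so the reason survives in the commit log. Because this file list in src/util/pci.c is what the security drivers iterate over when granting a guest access to a passed-through device's sysfs entries, the change widens the label or profile for every driver, not only AppArmor; given the cover text says the patch is untested, it should be exercised under the SELinux driver as well before being applied. Exact-match STREQ is the right choice here, since a STRPREFIX on "device" would also pull in unrelated entries.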
This is rather odd. QEMU appears to use the vendor + device files, but AFAICK, under SELinux QEMU is working fine without this change. The patch certainly looks reasonable though.
I'm just following up on this since we are pulling in 0.8.5 into Ubuntu and the above isn't committed yet. I can say that at this point Ubuntu is carrying it in its 10.10 release (libvirt 0.8.3) and there are no reported regressions.
Identical patch was already pushed upstream:

commit 28d599c5130ee102d5174c01d59eeb14a75a3747
Author: Cédric Bosdonnat <cbosdonnat>
AuthorDate: 2015-04-23 09:32:16 +0200
Commit: Cédric Bosdonnat <cbosdonnat>
CommitDate: 2015-04-24 10:47:41 +0200

Allow access to vendor and device file for PCI device passthrough

For some devices, the $PCIDIR/vendor and $PCIDIR/device need to be read. Iterate over them to get them as well in the generated apparmor profile.

git describe: v1.2.14-282-g28d599c
contains: v1.2.15-rc1~57