From: alexander.wetzel@web.de (Alexander Wetzel)
Date: Sun, 07 Jun 2015 18:28:00 +0200
Subject: [refpolicy]  [PATCH] proposal for libvirt vfio/vt-d support
In-Reply-To: <55746E03.90502@web.de>
References: <55746E03.90502@web.de>
Message-ID: <55747110.5030901@web.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com


The attached patch proposes a way to allow pci device pass through via
a new selinux boolean "virt_use_vfio" for libvirt.

This was originally proposed in a slightly different version as gentoo
enhancement here: https://bugs.gentoo.org/show_bug.cgi?id=522736
(It's only tested as patch against the gentoo version of the refpoliciy.)

I used it for around one year to pass an ISDN PCIe card to a guest and
verified today the function with an USB PCI device. (The ISDN card is no
longer in the system.)
USB HUP was ok in guest with lspci and lsusb, but a USB stick did not
work as expected. That's not related to selinux and was ignored here,
since I have the same problem with selinux in permissive mode on the host.

The patch adds "vfio_device_t;", the boolean virt_use_vfio and when the
boolean is set the following rules:

  allow virtd_t self:process setrlimit;
  allow virtd_t self:capability sys_resource;
  allow virtd_t svirt_t:process rlimitinh;
  allow virtd_t vfio_device_t:chr_file { relabelfrom setattr };
  allow svirt_t vfio_device_t:chr_file { read write open ioctl };

Here the errors I get when I remove one of the rights (keeping all the
others in place):

Without "allow virtd_t self:process setrlimit" or "allow virtd_t
self:capability sys_resource":
error: Failed to start domain web-old
error: internal error: Process exited prior to exec: libvirt:  error :
cannot limit locked memory to 5368709120: Permission denied

Without "allow virtd_t svirt_t:process rlimitinh":
error: Failed to start domain web-old
error: internal error: early end of file from monitor: possible problem:
2015-06-07T14:28:21.433403Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
vfio_dma_map(0x3ebad4fcd0, 0x0, 0xa0000, 0x39030000000) = -12 (Cannot
allocate memory)
2015-06-07T14:28:21.433480Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
vfio_dma_map(0x3ebad4fcd0, 0xc0000, 0x20000, 0x39144200000) = -12
(Cannot allocate memory)
2015-06-07T14:28:21.433538Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
vfio_dma_map(0x3ebad4fcd0, 0x100000, 0xdff00000, 0x39030100000) = -12
(Cannot allocate memory)
2015-06-07T14:28:21.433707Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1:
vfio_dma_map(0x3ebad4fcd0, 0x100000000, 0x20000000, 0x39110000000) = -12
(Cannot allocate memory)
2015-06-07T14:28:21.433730Z qemu-system-x86_64: -device
vfio-pci,host=00:1d.0,id=hostdev0,bus=pci.0,addr=0xd,rombar=1: vfio:


Without "allow virtd_t vfio_device_t:chr_file relabelfrom"
error: Failed to start domain web-old
error: unable to set security context
'system_u:object_r:svirt_image_t:s0:c587,c898' on '/dev/vfio/2':
Permission denied


Without "allow virtd_t vfio_device_t:chr_file setattr":
--> Can't reproduce an error without this right any more.
I'm pretty sure it was needed in the past, see gentoo ticket from link
above.


Without any of the permissions of
"allow svirt_t vfio_device_t:chr_file { read write open ioctl }":
error: Failed to start domain web-old
error: internal error: early end of file from monitor: possible problem:
2015-06-07T15:40:47.505774Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: supported
vfio version: 0, reported version: -1
2015-06-07T15:40:47.505814Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: failed to
setup container for group 2
2015-06-07T15:40:47.505835Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: vfio: failed to
get group 2
2015-06-07T15:40:47.505858Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: Device
initialization failed.
2015-06-07T15:40:47.505883Z qemu-system-x86_64: -device
vfio-pci,host=00:1a.0,id=hostdev0,bus=pci.0,addr=0xd: Device 'vfio-pci'
could not be initialized


-------------- next part --------------
A non-text attachment was scrubbed...
Name: vfio.patch
Type: text/x-patch
Size: 3321 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150607/6207b8a8/attachment.bin