Allow svirt to rw /dev/udmabuf #1804
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In rhbz#2032406 is added support blob resources for virtio-vga/virtio-gpu device, which requires access to /dev/udmabuf.
u-dma-buf is a Linux device driver that allocates contiguous memory blocks in the kernel space as DMA buffers
and makes them available from the user space.
Add interface to allow domain read and write the the dma device
Allow svirt rw dma_device_t
Addresses the following denial:
time->Tue Jul 18 11:29:31 2023
type=PROCTITLE msg=audit(1689697771.305:3860): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D76647061626C6F636B2D746573742C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A227261
type=SYSCALL msg=audit(1689697771.305:3860): arch=c000003e syscall=257 success=yes exit=33 a0=ffffff9c a1=55fe1ab9bda6 a2=2 a3=0 items=0 ppid=1 pid=267438 auid=21811 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=25 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 key=(null)
type=AVC msg=audit(1689697771.305:3860): avc: denied { open } for pid=267438 comm="qemu-kvm" path="/dev/udmabuf" dev="tmpfs" ino=6 scontext=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1689697771.305:3860): avc: denied { read write } for pid=267438 comm="qemu-kvm" name="udmabuf" dev="tmpfs" ino=6 scontext=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=1
Resolves: rhbz#2223727
|
Based on the description for this libvirt feature, maybe fix with the SELinux boolean is better option? |
|
I think you'd better ask virt folks. There is a memfd: usage backup so should not be directly required, but it probably depends more on if it is expected to be used by default or if there is any substantional benefit. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In rhbz#2032406 is added support blob resources for virtio-vga/virtio-gpu device, which requires access to /dev/udmabuf. u-dma-buf is a Linux device driver that allocates contiguous memory blocks in the kernel space as DMA buffers and makes them available from the user space.
Add interface to allow domain read and write the the dma device Allow svirt rw dma_device_t
Addresses the following denial:
time->Tue Jul 18 11:29:31 2023
type=PROCTITLE msg=audit(1689697771.305:3860): proctitle=2F7573722F6C6962657865632F71656D752D6B766D002D6E616D650067756573743D76647061626C6F636B2D746573742C64656275672D746872656164733D6F6E002D53002D6F626A656374007B22716F6D2D74797065223A22736563726574222C226964223A226D61737465724B657930222C22666F726D6174223A227261 type=SYSCALL msg=audit(1689697771.305:3860): arch=c000003e syscall=257 success=yes exit=33 a0=ffffff9c a1=55fe1ab9bda6 a2=2 a3=0 items=0 ppid=1 pid=267438 auid=21811 uid=107 gid=107 euid=107 suid=107 fsuid=107 egid=107 sgid=107 fsgid=107 tty=(none) ses=25 comm="qemu-kvm" exe="/usr/libexec/qemu-kvm" subj=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 key=(null) type=AVC msg=audit(1689697771.305:3860): avc: denied { open } for pid=267438 comm="qemu-kvm" path="/dev/udmabuf" dev="tmpfs" ino=6 scontext=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=1 type=AVC msg=audit(1689697771.305:3860): avc: denied { read write } for pid=267438 comm="qemu-kvm" name="udmabuf" dev="tmpfs" ino=6 scontext=unconfined_u:unconfined_r:svirt_t:s0:c190,c1016 tcontext=system_u:object_r:dma_device_t:s0 tclass=chr_file permissive=1
Resolves: rhbz#2223727