Implement proper isolation and access control for ACPI EGM memory devices: - Add device to cgroup for access control - Set up namespace mappings for device access - Ensure proper permissions in containerized environments
Signed-off-by: Ian May <i...@nvidia.com>
---
 src/qemu/qemu_cgroup.c | 21 +++++++++++++++++++++
 src/qemu/qemu_namespace.c | 21 +++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 25e42ebfc6..3a33087778 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -753,6 +753,22 @@ qemuSetupSEVCgroup(virDomainObj *vm)
 VIR_CGROUP_DEVICE_RW, false);
 }
 
+static int
+qemuSetupAcpiEgmCgroup(virDomainObj *vm)
+{
+ g_autofree char *path = NULL;
+
+ path = g_strdup_printf("/dev/%s", vm->def->egm->alias);
+
+ if (path &&
+ qemuCgroupAllowDevicePath(vm, path,
+ VIR_CGROUP_DEVICE_RW, false) < 0) {
+ return -1;
+ }
+
+ return 0;
+}
+
 static int
 qemuSetupDevicesCgroup(virDomainObj *vm)
 {
@@ -871,6 +887,11 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
 }
 }
 
+ if (vm->def->egm) {
+ if (qemuSetupAcpiEgmCgroup(vm) < 0)
+ return -1;
+ }
+
 return 0;
 }
 
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 59421ec9d1..60000c2636 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -676,6 +676,24 @@ qemuDomainSetupLaunchSecurity(virDomainObj *vm,
 }
 
 
+static int
+qemuDomainSetupAcpiEgm(virDomainObj *vm,
+ GSList **paths)
+{
+ virDomainAcpiEgmDef *egm = vm->def->egm;
+ g_autofree char *path = NULL;
+
+ if (!egm)
+ return 0;
+
+ path = g_strdup_printf("/dev/%s", egm->alias);
+
+ *paths = g_slist_prepend(*paths, g_steal_pointer(&path));
+
+ return 0;
+}
+
+
 static int
 qemuNamespaceMknodPaths(virDomainObj *vm,
 GSList *paths,
@@ -729,6 +747,9 @@ qemuDomainBuildNamespace(virQEMUDriverConfig *cfg,
 if (qemuDomainSetupLaunchSecurity(vm, &paths) < 0)
 return -1;
 
+ if (qemuDomainSetupAcpiEgm(vm, &paths) < 0)
+ return -1;
+
 if (qemuNamespaceMknodPaths(vm, paths, NULL) < 0)
 return -1;
 
-- 
2.43.0
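Review bot: `qemuSetupAcpiEgmCgroup` builds the host device path straight from `vm->def->egm->alias`, and nothing visible in this hunk checks that the alias is set and is a plain file name before the result is granted `VIR_CGROUP_DEVICE_RW`. Unless the alias is already validated where the XML is parsed (not shown here), the helper should refuse a NULL alias or one containing `/` and report an error, so the allow rule can only ever name a node directly under `/dev`. The `path &&` test is dead, since `g_strdup_printf()` aborts rather than returning NULL; the condition can be reduced to `if (qemuCgroupAllowDevicePath(vm, path, VIR_CGROUP_DEVICE_RW, false) < 0)`. The same `"/dev/%s"` formatting is repeated in `qemuDomainSetupAcpiEgm` in qemu_namespace.c, so one shared helper that validates and formats the path would cover both places.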
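Review bot: The `vm->def->egm` NULL check lives only at the new call site in `qemuSetupDevicesCgroup`, while `qemuSetupAcpiEgmCgroup` dereferences `vm->def->egm->alias` unguarded; the namespace counterpart `qemuDomainSetupAcpiEgm` does the check inside the helper. Moving it into the helper as `if (!vm->def->egm) return 0;` makes the two files consistent and lets the call collapse to `if (qemuSetupAcpiEgmCgroup(vm) < 0) return -1;`. The body of `qemuSetupDevicesCgroup` starts outside the hunk.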
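Review bot: `qemuDomainSetupAcpiEgm` only queues `/dev/<alias>` for creation in the domain's private `/dev`, and neither this hunk nor the rest of the patch touches ownership or security labelling of that node, although the description lists "Ensure proper permissions in containerized environments". If the DAC/SELinux handling is not added by another patch in the series, QEMU may be unable to open the device when it runs unprivileged, or the host node would have to be left with permissive modes to compensate; the commit message should say which patch covers it. As a style point, the `g_autofree` local followed by `g_steal_pointer()` is unnecessary: `*paths = g_slist_prepend(*paths, g_strdup_printf("/dev/%s", egm->alias));` does the same. A one-line comment stating that the alias is expected to match the host device node name would document the assumption the path is built on.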