We don't know exactly the names of the VFIO devices that will be
needed (and due to hotplug, we can't ever assume we won't need them at
all), so we just add an ACL to allow any vfio device - they all have
the major number 244 (/dev/vfio/vfio is 244,0, and the /dev/vfio/n
devices are up from there).
---
 src/qemu/qemu_cgroup.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 891984a..ad2027d 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -44,6 +44,7 @@ static const char *const defaultDeviceACL[] = {
 };
 #define DEVICE_PTY_MAJOR 136
 #define DEVICE_SND_MAJOR 116
+#define DEVICE_VFIO_MAJOR 244
 
 static int
 qemuSetupDiskPathAllow(virDomainDiskDefPtr disk,
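Review bot: `DEVICE_VFIO_MAJOR` hard-codes 244, which lies in the range the kernel hands out to char devices dynamically, so the value is presumably what vfio happened to receive on the author's host rather than a reserved number. On a host where a different driver holds major 244, the allow rule added in qemuSetupCgroup (second hunk) would give every guest read/write cgroup access to that unrelated device while vfio itself stays blocked. Consider resolving the major at runtime from `stat()` on /dev/vfio/vfio (`major(sb.st_rdev)`) instead of using a constant. At minimum, document the assumption next to the define, e.g. `/* assumed, not reserved: vfio's char major appears to be allocated dynamically */`.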
@@ -388,6 +389,16 @@ int qemuSetupCgroup(virQEMUDriverPtr driver,
             }
         }
 
+        rc = virCgroupAllowDeviceMajor(priv->cgroup, 'c', DEVICE_VFIO_MAJOR,
+                                       VIR_CGROUP_DEVICE_RW);
+        virDomainAuditCgroupMajor(vm, priv->cgroup, "allow", DEVICE_VFIO_MAJOR,
+                                  "vfio", "rw", rc == 0);
+        if (rc != 0) {
+            virReportSystemError(-rc, "%s",
+                                 _("unable to allow /dev/vfio/ devices"));
+            goto cleanup;
+        }
+
         for (i = 0; deviceACL[i] != NULL ; i++) {
             if (access(deviceACL[i], F_OK) < 0) {
                 VIR_DEBUG("Ignoring non-existant device %s",
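Review bot: The added `virCgroupAllowDeviceMajor()` call runs for every domain, including guests that never have a host device assigned, so the device cgroup stops being a barrier between any QEMU process and /dev/vfio/*. After this change only file ownership and security labelling separate a guest from another guest's VFIO group, which weakens the defence in depth that the device ACL otherwise provides. Hotplug can still be supported with a narrower grant made when a hostdev is prepared or attached, e.g. `virCgroupAllowDevicePath(priv->cgroup, groupPath, VIR_CGROUP_DEVICE_RW)`, where `groupPath` stands for that device's /dev/vfio/n node, with a matching deny on detach. If the blanket rule is kept, a comment above the call should record that it is deliberate and why. qemuSetupCgroup begins and ends outside this hunk, so the enclosing condition is not visible here.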
-- 
1.7.11.7
