
apparmor: Allow SGX if configured

If the SGX memory model is configured for a domain then we need to
allow QEMU to access some additional files:

  1) /dev/sgx_vepc needs to be RW
  2) /dev/sgx_provision needs to be RO

We already do this in SELinux driver but not in AppArmor.

Resolves: https://gitlab.com/libvirt/libvirt/-/issues/751

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Michal Privoznik 2025-02-25 11:01:04 +01:00
parent 5c78395bad
commit 291186daa3


@ -1152,9 +1152,15 @@ get_files(vahControl * ctl)
if (vah_add_file(&buf, mem->source.virtio_pmem.path, "rw") != 0)
goto cleanup;
break;
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
if (vah_add_file(&buf, DEV_SGX_VEPC, "rw") != 0 ||
vah_add_file(&buf, DEV_SGX_PROVISION, "r") != 0) {
goto cleanup;
}
break;
case VIR_DOMAIN_MEMORY_MODEL_DIMM:
case VIR_DOMAIN_MEMORY_MODEL_VIRTIO_MEM:
case VIR_DOMAIN_MEMORY_MODEL_SGX_EPC:
case VIR_DOMAIN_MEMORY_MODEL_NONE:
case VIR_DOMAIN_MEMORY_MODEL_LAST:
break;
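Review bot: The new `VIR_DOMAIN_MEMORY_MODEL_SGX_EPC` case grants two host device nodes with different modes but has no comment saying why, so anyone auditing the generated profile has to dig the reason out of the commit message. I would add above the case something like `/* SGX EPC: QEMU needs DEV_SGX_VEPC rw and DEV_SGX_PROVISION r; keep in sync with the SELinux driver */`. The provision node is granted to every domain that has an SGX EPC device, whether or not the guest uses provisioning, and since that node gates use of the platform provisioning key the comment should say this is deliberate. The switch and the rest of `get_files` begin and end outside the hunk, so I cannot see whether a domain with several EPC devices reaches this case more than once; it is worth confirming that repeated `vah_add_file` calls for the same path are harmless.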