From 03cf4bcbcfa55297b2359875640819a755b7860c Mon Sep 17 00:00:00 2001
Message-Id: <03cf4bcbcfa55297b2359875640819a755b7860c@dist-git>
From: Erik Skultety <eskultet@redhat.com>
Date: Fri, 1 Feb 2019 17:21:55 +0100
Subject: [PATCH] qemu: cgroup: Expose /dev/sev/ only to domains that require
 SEV
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

SEV has a limit on number of concurrent guests. From security POV we
should only expose resources (any resources for that matter) to domains
that truly need them.

Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit a404ac34768e975bd420d1eeac3811563da67e3f)

https: //bugzilla.redhat.com/show_bug.cgi?id=1665400
Signed-off-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
 src/qemu/qemu_cgroup.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index fd54333fb9..9f2fc1b062 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -695,6 +695,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm,
 }
 
 
+static int
+qemuSetupSEVCgroup(virDomainObjPtr vm)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret;
+
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
+                                   VIR_CGROUP_DEVICE_RW, false);
+    virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
+                             "rw", ret);
+    return ret;
+}
+
 static int
 qemuSetupDevicesCgroup(virDomainObjPtr vm)
 {
@@ -802,6 +818,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
             goto cleanup;
     }
 
+    if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
+        goto cleanup;
+
     ret = 0;
  cleanup:
     virObjectUnref(cfg);
-- 
2.20.1