From 03cf4bcbcfa55297b2359875640819a755b7860c Mon Sep 17 00:00:00 2001
Message-Id: <03cf4bcbcfa55297b2359875640819a755b7860c@dist-git>
From: Erik Skultety
Date: Fri, 1 Feb 2019 17:21:55 +0100
Subject: [PATCH] qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
SEV has a limit on number of concurrent guests. From security POV we should only expose resources (any resources for that matter) to domains that truly need them.
Signed-off-by: Erik Skultety
Reviewed-by: Daniel P. Berrangé
(cherry picked from commit a404ac34768e975bd420d1eeac3811563da67e3f)
https: //bugzilla.redhat.com/show_bug.cgi?id=1665400
Signed-off-by: Erik Skultety
Reviewed-by: Ján Tomko
---
 src/qemu/qemu_cgroup.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index fd54333fb9..9f2fc1b062 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -695,6 +695,22 @@ qemuTeardownChardevCgroup(virDomainObjPtr vm,
 }
+static int
+qemuSetupSEVCgroup(virDomainObjPtr vm)
+{
+ qemuDomainObjPrivatePtr priv = vm->privateData;
+ int ret;
+
+ if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+ return 0;
+
+ ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
+ VIR_CGROUP_DEVICE_RW, false);
+ virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
+ "rw", ret);
+ return ret;
+}
+
 static int
 qemuSetupDevicesCgroup(virDomainObjPtr vm)
 {
@@ -802,6 +818,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
 goto cleanup;
 }
+ if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
+ goto cleanup;
+
 ret = 0;
 cleanup:
 virObjectUnref(cfg);
--
2.20.1
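Review bot: The device path "/dev/sev" is written out twice in the new qemuSetupSEVCgroup — once in the virCgroupAllowDevicePath() call and again in the virDomainAuditCgroupPath() call — so the audited path and the path actually allowed can drift apart if only one is edited later; a single file-scope name used in both calls, e.g. `#define QEMU_DEV_SEV "/dev/sev"`, keeps the audit record tied to the ACL entry. The diffstat reports 19 insertions and no deletions, so nothing visible here removes "/dev/sev" from any default device allow-list the file may already carry; if such an entry exists this hunk adds a second allow rather than narrowing exposure as the commit message intends, which is worth confirming against the rest of qemu_cgroup.c. The early `return 0` when the devices controller is absent is unaudited and deserves a short comment making the intent explicit, e.g. `/* no devices controller: nothing to grant or restrict at this layer */`. The second hunk's `if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)` sits inside qemuSetupDevicesCgroup, whose body begins and ends outside the hunk, so whether `vm->def->sev` can be changed after this point is not visible here.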