
commit a404ac34768e975bd420d1eeac3811563da67e3f
Author: Erik Skultety <eskultet@redhat.com>
Date:   Mon Jan 21 14:50:11 2019 +0100

    qemu: cgroup: Expose /dev/sev/ only to domains that require SEV
    
    SEV has a limit on the number of concurrent guests. From a security POV, we
    should only expose resources (any resources, for that matter) to domains
    that truly need them.
    
    Signed-off-by: Erik Skultety <eskultet@redhat.com>
    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Index: libvirt-4.0.0/src/qemu/qemu_cgroup.c
===================================================================
--- libvirt-4.0.0.orig/src/qemu/qemu_cgroup.c
+++ libvirt-4.0.0/src/qemu/qemu_cgroup.c
@@ -627,6 +627,22 @@ qemuTeardownChardevCgroup(virDomainObjPt
 
 
 static int
+qemuSetupSEVCgroup(virDomainObjPtr vm)
+{
+    qemuDomainObjPrivatePtr priv = vm->privateData;
+    int ret;
+
+    if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev",
+                                   VIR_CGROUP_DEVICE_RW, false);
+    virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
+                             "rw", ret);
+    return ret;
+}
+
+static int
 qemuSetupDevicesCgroup(virDomainObjPtr vm)
 {
     qemuDomainObjPrivatePtr priv = vm->privateData;
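Review bot: qemuSetupSEVCgroup carries no comment stating that the caller is responsible for only invoking it when the domain actually has a SEV configuration; the function itself unconditionally grants RW on /dev/sev once the devices controller is present, so the "only to domains that require SEV" property of the commit lives entirely in the caller's `vm->def->sev` check in the second hunk. A short header above the definition would pin that contract: `/* Allow RW access to /dev/sev in the devices cgroup. Callers must only invoke this for domains whose definition enables SEV (vm->def->sev). */`. The literal "/dev/sev" also appears twice within the function (the allow call and the audit call), so a single named constant (something like `QEMU_DEV_SEV` — constructed name, not on the page) would keep the granted path and the audited path from diverging. Calling virDomainAuditCgroupPath after virCgroupAllowDevicePath regardless of ret records both success and failure, which is the desirable behaviour here.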
@@ -733,6 +749,9 @@ qemuSetupDevicesCgroup(virDomainObjPtr v
             goto cleanup;
     }
 
+    if (vm->def->sev && qemuSetupSEVCgroup(vm) < 0)
+        goto cleanup;
+
     ret = 0;
  cleanup:
     virObjectUnref(cfg);