commit 74e86b6b2521881808bb93290bcebcb469ab7820
Author: Cédric Bosdonnat <cbosdonnat@suse.com>
Date:   Tue Mar 25 12:48:26 2014 +0100

    Fix apparmor profile to make vfio pci passthrough work
    
    See lp#1276719 for the bug description. As virt-aa-helper doesn't know
    which VFIO groups the guest will use, allow access to all
    /dev/vfio/[0-9]* files and to /dev/vfio/vfio whenever there is a
    potential need for vfio.
    
    Signed-off-by: Eric Blake <eblake@redhat.com>

Index: libvirt-1.2.2/examples/apparmor/libvirt-qemu
===================================================================
--- libvirt-1.2.2.orig/examples/apparmor/libvirt-qemu
+++ libvirt-1.2.2/examples/apparmor/libvirt-qemu
@@ -110,6 +110,7 @@
   /usr/bin/qemu-sparc32plus rmix,
   /usr/bin/qemu-sparc64 rmix,
   /usr/bin/qemu-x86_64 rmix,
+  /usr/lib/qemu/block-curl.so mr,
 
   # for save and resume
   /bin/dash rmix,
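Review bot: The added rule `/usr/lib/qemu/block-curl.so mr,` has nothing to do with the vfio fix that the commit description describes, and the description does not mention it. Either split it into its own commit or add a sentence to the description explaining why the curl block driver needs to be mapped. The path also looks distribution-specific (a qemu module directory), so a short comment above the rule saying which packaging it targets would help maintainers of other distributions, e.g. `# qemu block driver modules (Debian/Ubuntu layout)` — to be confirmed against the intended distro.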
Index: libvirt-1.2.2/examples/apparmor/usr.sbin.libvirtd
===================================================================
--- libvirt-1.2.2.orig/examples/apparmor/usr.sbin.libvirtd
+++ libvirt-1.2.2/examples/apparmor/usr.sbin.libvirtd
@@ -25,6 +25,9 @@
   capability fsetid,
   capability audit_write,
 
+  # Needed for vfio
+  capability sys_resource,
+
   network inet stream,
   network inet dgram,
   network inet6 stream,
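Review bot: The comment `# Needed for vfio` does not say what libvirtd actually does with `capability sys_resource`, and this capability is considerably broader than vfio (it covers raising resource limits and several other privileged operations), so an auditor of this profile cannot tell whether it is still required later. Presumably it is needed to raise the locked-memory rlimit for the guest's pinned memory, but that is an inference from the commit message rather than from the hunk; please confirm and spell it out, e.g. `# Needed for vfio: libvirtd raises the guest's locked-memory limit (setrlimit)`. If the real reason is narrower, the comment should name it so the capability can be re-evaluated when that code path changes.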
Index: libvirt-1.2.2/src/security/virt-aa-helper.c
===================================================================
--- libvirt-1.2.2.orig/src/security/virt-aa-helper.c
+++ libvirt-1.2.2/src/security/virt-aa-helper.c
@@ -2,7 +2,7 @@
 /*
  * virt-aa-helper: wrapper program used by AppArmor security driver.
  *
- * Copyright (C) 2010-2013 Red Hat, Inc.
+ * Copyright (C) 2010-2014 Red Hat, Inc.
  * Copyright (C) 2009-2011 Canonical Ltd.
  *
  * This library is free software; you can redistribute it and/or
@@ -900,6 +900,7 @@ get_files(vahControl * ctl)
     size_t i;
     char *uuid;
     char uuidstr[VIR_UUID_STRING_BUFLEN];
+    bool needsVfio = false;
 
     /* verify uuid is same as what we were given on the command line */
     virUUIDFormat(ctl->def->uuid, uuidstr);
@@ -1041,6 +1042,12 @@ get_files(vahControl * ctl)
                            dev->source.subsys.u.pci.addr.slot,
                            dev->source.subsys.u.pci.addr.function);
 
+                virDomainHostdevSubsysPciBackendType backend = dev->source.subsys.u.pci.backend;
+                if (backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO ||
+                        backend == VIR_DOMAIN_HOSTDEV_PCI_BACKEND_DEFAULT) {
+                    needsVfio = true;
+                }
+
                 if (pci == NULL)
                     continue;
 
@@ -1069,6 +1076,11 @@ get_files(vahControl * ctl)
         }
     }
 
+    if (needsVfio) {
+        virBufferAddLit(&buf, "  /dev/vfio/vfio rw,\n");
+        virBufferAddLit(&buf, "  /dev/vfio/[0-9]* rw,\n");
+    }
+
     if (ctl->newfile)
         if (vah_add_file(&buf, ctl->newfile, "rw") != 0)
             goto cleanup;
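Review bot: The generated profile now grants `/dev/vfio/[0-9]* rw,` for every VFIO group on the host rather than only the group(s) this guest is assigned, so a compromised qemu confined by this profile can open group devices belonging to other guests; the commit description acknowledges that virt-aa-helper does not know the groups, but the code carries no comment recording this trade-off. At minimum add a comment above the block, e.g. `/* The guest's IOMMU groups are not known here, so allow all of /dev/vfio/[0-9]*; this over-grants across guests and should be narrowed once the group can be resolved */`. As a follow-up, the group number for each PCI hostdev could presumably be resolved from the device's sysfs entry at this point in the loop, which would let the rule be emitted per group instead of as a wildcard — this needs confirming against the sysfs layout the code targets. The enclosing get_files() starts and ends outside this hunk.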
