0011-Add-permissive-option-for-PCI-devices.patch

From b9ee12583cf68d5417bcd42e2bb4c22a9880a9ee Mon Sep 17 00:00:00 2001
From: Simon Gaiser <simon@invisiblethingslab.com>
Date: Fri, 19 Jan 2018 04:46:01 +0100
Subject: [PATCH] Add 'permissive' option for PCI devices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Organization: Invisible Things Lab
Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>

By setting the permissive flag the guest access to the PCI config space
is not filtered. This might be a security risk, but it's required for
some devices and the IOMMU and interrupt remapping should (mostly?)
contain it.

Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
---
 docs/formatdomain.html.in     |  3 +++
 docs/schemas/domaincommon.rng |  5 +++++
 src/conf/domain_conf.c        | 12 ++++++++++++
 src/conf/domain_conf.h        |  1 +
 src/libxl/libxl_conf.c        |  1 +
 5 files changed, 22 insertions(+)

diff --git a/docs/formatdomain.html.in b/docs/formatdomain.html.in
index c3a6b028aa..88f5cb8e16 100644
--- a/docs/formatdomain.html.in
+++ b/docs/formatdomain.html.in
@@ -5139,6 +5139,9 @@
             Additionally when <code>strictreset</code> is "no", device will
             be assigned to the domain, even when reset fails. The default is
             "yes".
+            When <code>permissive</code> is "yes" the pci config space access
+            will not be filtered. This might be a security issue. The default
+            is "no".
           </dd>
           <dt><code>scsi</code></dt>
           <dd>For SCSI devices, user is responsible to make sure the device
diff --git a/docs/schemas/domaincommon.rng b/docs/schemas/domaincommon.rng
index 6a9a809931..56ae80a4dd 100644
--- a/docs/schemas/domaincommon.rng
+++ b/docs/schemas/domaincommon.rng
@@ -3078,6 +3078,11 @@
               <ref name="virYesNo"/>
             </attribute>
           </optional>
+          <optional>
+            <attribute name="permissive">
+              <ref name="virYesNo"/>
+            </attribute>
+          </optional>
           <interleave>
             <element name="source">
               <optional>
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index e2eb5022f4..dc6f977e2b 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -8477,6 +8477,7 @@ virDomainHostdevDefParseXMLSubsys(xmlNodePtr node,
     virDomainHostdevSubsysMediatedDevPtr mdevsrc = &def->source.subsys.u.mdev;
     g_autofree char *managed = NULL;
     g_autofree char *nostrictreset = NULL;
+    g_autofree char *permissive = NULL;
     g_autofree char *sgio = NULL;
     g_autofree char *rawio = NULL;
     g_autofree char *backendStr = NULL;
@@ -8497,6 +8498,11 @@ virDomainHostdevDefParseXMLSubsys(xmlNodePtr node,
             def->nostrictreset = true;
     }
 
+    if ((permissive = virXMLPropString(node, "permissive")) != NULL) {
+        if (STREQ(permissive, "yes"))
+            def->permissive = true;
+    }
+
     sgio = virXMLPropString(node, "sgio");
     rawio = virXMLPropString(node, "rawio");
     model = virXMLPropString(node, "model");
@@ -26303,6 +26309,8 @@ virDomainActualNetDefFormat(virBufferPtr buf,
             virBufferAddLit(buf, " managed='yes'");
         if  (hostdef && hostdef->nostrictreset)
             virBufferAddLit(buf, " nostrictreset='yes'");
+        if  (hostdef && hostdef->permissive)
+            virBufferAddLit(buf, " permissive='yes'");
     }
     if (def->trustGuestRxFilters)
         virBufferAsprintf(buf, " trustGuestRxFilters='%s'",
@@ -26493,6 +26501,8 @@ virDomainNetDefFormat(virBufferPtr buf,
         virBufferAddLit(buf, " managed='yes'");
     if (hostdef && hostdef->nostrictreset)
         virBufferAddLit(buf, " nostrictreset='yes'");
+    if (hostdef && hostdef->permissive)
+        virBufferAddLit(buf, " permissive='yes'");
     if (def->trustGuestRxFilters)
         virBufferAsprintf(buf, " trustGuestRxFilters='%s'",
                           virTristateBoolTypeToString(def->trustGuestRxFilters));
@@ -28289,6 +28299,8 @@ virDomainHostdevDefFormat(virBufferPtr buf,
                           def->managed ? "yes" : "no");
         if (def->nostrictreset)
             virBufferAddLit(buf, " nostrictreset='yes'");
+        if (def->permissive)
+            virBufferAddLit(buf, " permissive='yes'");
 
         if (def->source.subsys.type == VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI &&
             scsisrc->sgio)
diff --git a/src/conf/domain_conf.h b/src/conf/domain_conf.h
index 226bb86537..d6c7551bc8 100644
--- a/src/conf/domain_conf.h
+++ b/src/conf/domain_conf.h
@@ -346,6 +346,7 @@ struct _virDomainHostdevDef {
     bool readonly;
     bool shareable;
     bool nostrictreset;
+    bool permissive;
     union {
         virDomainHostdevSubsys subsys;
         virDomainHostdevCaps caps;
diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c
index 15dbe7a5d6..6efd5a7306 100644
--- a/src/libxl/libxl_conf.c
+++ b/src/libxl/libxl_conf.c
@@ -2324,6 +2324,7 @@ libxlMakePCI(virDomainHostdevDefPtr hostdev, libxl_device_pci *pcidev)
     /* there is no LIBXL_HAVE_xxx for this field... */
     if (hostdev->nostrictreset)
         pcidev->rdm_policy = LIBXL_RDM_RESERVE_POLICY_RELAXED;
+    pcidev->permissive = hostdev->permissive;
 
     return 0;
 }
-- 
2.25.4