I did some history on this as we had that in the past.
We had it for bug 1678322.
But then, in a discussion around upstreaming, we dropped it:
https://www.redhat.com/archives/libvir-list/2017-December/msg00714.html

What we missed back then is this:
A) system has hostdev in initial guest, virt-aa-helper adds /dev/vfio/vfio and all works
B) as A, but later one does hotplug with such a device - still works
C) the initial system has no hostdev, so virt-aa-helper adds no rule
   But if on (C) later hotplug is done it will break as it will need to access /dev/vfio/vfio before it knows anything.
   The actual per device rule is added to the guest which is all the isolation we want.

Now one could try to find the spot BEFORE the guest needs
/dev/vfio/vfio and add it to the guest profile then. But I haven't found
it and until one can spend more time on this we need to bring the static
rule back.

After all /dev/vfio/vfio is safe to be shared.

So I don't mind if someone codes up a long term dynamic vfio access, but
for now add the line to un-break case (C).

https://bugs.launchpad.net/bugs/1775777

Title:
  allow /dev/vfio/vfio in general
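
The three cases from the comment above as a check over a guest's profile text, added here as an illustration; it is not code from the bug report or from libvirt. The sample domain XML, the profile lines and the exact rule text `/dev/vfio/vfio rw,` are constructed assumptions, and the rule matcher is simplified (no include resolution, no deny rules).

```python
import re
import xml.etree.ElementTree as ET

VFIO_CTL = "/dev/vfio/vfio"
STATIC_RULE = "  /dev/vfio/vfio rw,\n"  # assumed form of the static rule
# Constructed samples: guests with and without a hostdev, and a generated profile.
DOMAIN_NO_HOSTDEV = "<domain><devices><disk type='file'/></devices></domain>"
DOMAIN_HOSTDEV = ("<domain><devices><hostdev mode='subsystem' type='pci'/>"
                  "</devices></domain>")
PROFILE_NO_VFIO = '''
  # per-guest rules as a helper might write them (constructed)
  "/var/lib/libvirt/images/guest.img" rwk,
'''

def glob_to_regex(glob):
    """Translate the common AppArmor globs (**, *, ?) into a regex; simplified."""
    out, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            out, i = out + ".*", i + 2
        elif glob[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif glob[i] == "?":
            out, i = out + "[^/]", i + 1
        else:
            out, i = out + re.escape(glob[i]), i + 1
    return re.compile(out + r"\Z")

def grants(profile_text, path, need="rw"):
    """True if a plain file rule covers `path` with every permission in `need`."""
    for line in profile_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(",").split()
        if len(parts) != 2 or not parts[0].strip('"').startswith("/"):
            continue  # comments, includes, deny/owner rules are not evaluated
        rule_path, perms = parts[0].strip('"'), parts[1]
        if glob_to_regex(rule_path).match(path) and set(need) <= set(perms):
            return True
    return False

def classify(domain_xml, profile_text):
    """Map a guest onto the cases above: is a later VFIO hotplug going to work?"""
    has_hostdev = ET.fromstring(domain_xml).find("./devices/hostdev") is not None
    if grants(profile_text, VFIO_CTL):
        return "ok"  # cases A/B, or the static rule is in place
    return "unexpected" if has_hostdev else "hotplug-breaks"  # case C

if __name__ == "__main__":
    print(classify(DOMAIN_NO_HOSTDEV, PROFILE_NO_VFIO))                # case C
    print(classify(DOMAIN_NO_HOSTDEV, PROFILE_NO_VFIO + STATIC_RULE))  # with fix
```
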
