[Spyre] change in vfio device access permissions

sahithiRavindranath · sahithiRavindranath · commit addc29e78edc · 2025-10-23T04:54:13.000-05:00
Changed the vfio device access permission such that only root and
group users will have access to the device.

Signed-off-by: Sahithi Ravindranath &lt;sahithi.Ravindranath@ibm.com&gt;
diff --git a/servicereportpkg/repair/plugins/spyre_repair.py b/servicereportpkg/repair/plugins/spyre_repair.py
@@ -7,6 +7,7 @@
 
 
 import os
+import grp
 import stat
 import re
 import shutil
@@ -117,14 +118,25 @@ def fix_vfio_perm_check(self, plugin_obj, vfio_device_permission_check):
         """Fix VFIO device permission"""
 
         vfio_dir = "/dev/vfio/"
+        group_name = 'sentient'
+        try:
+            gid = grp.getgrnam(group_name).gr_gid
+        except Exception as e:
+            self.log.error("Failed to get groupid of group: %s", group_name)
+            vfio_device_permission_check.set_note(Notes.FAIL_TO_FIX)
+            return
+
         for name in os.listdir(vfio_dir):
             full_path = vfio_dir + name
             try:
                 mode = os.stat(full_path).st_mode
                 if stat.S_ISCHR(mode):
-                    os.chmod(full_path, 0o666)
+                    os.chmod(full_path, 0o660)
+                if os.stat(full_path).st_gid != gid:
+                    os.chown(full_path, -1, gid)
+
             except Exception as e:
-                self.log.error("Failed to %s file permission to 0o666", full_path)
+                self.log.error("Failed to set %s file permission to 0o660", full_path)
 
         re_check = plugin_obj.check_vfio_access_permission()
         if re_check.get_status():
@@ -297,10 +309,10 @@ def repair(self, plugin_obj, checks):
             vfio_kernel_mod_check.set_note(Notes.FAIL_TO_FIX)
 
         vfio_device_permission_check = check_dir["VFIO device permission"]
-        if vfio_device_permission_check.get_status() is False:
-            self.fix_vfio_perm_check(plugin_obj, vfio_device_permission_check)
-        elif vfio_device_permission_check.get_status() is None:
+        if user_group_conf_check.get_status() is not True or vfio_device_permission_check.get_status() is None:
             vfio_device_permission_check.set_note(Notes.NOT_FIXABLE)
+        elif vfio_device_permission_check.get_status() is False:
+            self.fix_vfio_perm_check(plugin_obj, vfio_device_permission_check)
 
         sos_package_check = check_dir["sos package"]
         if sos_package_check.get_status() is False:
diff --git a/servicereportpkg/utils.py b/servicereportpkg/utils.py
@@ -404,6 +404,36 @@ def is_read_write_to_all_users(file_path):
         log.debug("File %s not found.", file_path)
         return False
 
+def is_read_write_to_owner_group_users(file_path):
+    """
+    Check if a file has read and write permissions for owner,
+    group only
+
+    Args:
+        file_path (str): The full path to the file.
+
+    Returns:
+        bool: True if users (owner, group) have both read and write
+              permissions, False otherwise. Also returns False if the file does
+              not exist.
+    """
+
+    log = get_default_logger()
+
+    try:
+        mode = os.stat(file_path).st_mode
+        return (
+            not(bool(mode & stat.S_IROTH) and  # Read permission for others
+            bool(mode & stat.S_IWOTH)) and  # Write permission for others
+            bool(mode & stat.S_IRUSR) and  # Read permission for owner
+            bool(mode & stat.S_IWUSR) and  # Write permission for owner
+            bool(mode & stat.S_IRGRP) and  # Read permission for group
+            bool(mode & stat.S_IWGRP)      # Write permission for group
+        )
+    except FileNotFoundError:
+        log.debug("File %s not found.", file_path)
+        return False
+
 
 def append_to_file(file_path, s):
     """Append the given stirng to the file"""
diff --git a/servicereportpkg/validate/plugins/spyre.py b/servicereportpkg/validate/plugins/spyre.py
@@ -6,6 +6,7 @@
 """Plugin to check spyre configuration"""
 
 import os
+import grp
 import re
 import stat
 import pyudev
@@ -19,6 +20,7 @@
 from servicereportpkg.utils import is_package_installed
 from servicereportpkg.check import ConfigurationFileCheck
 from servicereportpkg.utils import is_read_write_to_all_users
+from servicereportpkg.utils import is_read_write_to_owner_group_users
 
 
 class Spyre(Plugin, Scheme):
@@ -105,7 +107,7 @@ def check_driver_config(self):
     def check_udev_rule(self):
         """VFIO udev rules configuration"""
 
-        vfio_udev = "SUBSYSTEM==\"vfio\", MODE=\"0666\""
+        vfio_udev = "SUBSYSTEM==\"vfio\", GROUP=\"sentient\", MODE=\"0660\""
         config_file = "/etc/udev/rules.d/95-vfio-3.rules"
 
         conf_check = ConfigurationFileCheck(self.check_udev_rule.__doc__,
@@ -248,14 +250,26 @@ def check_vfio_access_permission(self):
 
         if not os.path.isdir(vfio_dir):
             self.log.error("No %s directory", vfio_dir)
+            perm_check.set_status(False)
+            return perm_check
+
+        group_name = 'sentient'
+        try:
+            gid = grp.getgrnam(group_name).gr_gid
+        except Exception as e:
+            self.log.error("Failed to get groupid of group: %s", group_name)
+            perm_check.set_status(False)
             return perm_check
 
         for name in os.listdir(vfio_dir):
             full_path = vfio_dir + name
             try:
+                ret = True
+                if os.stat(full_path).st_gid != gid:
+                    ret = False
                 mode = os.stat(full_path).st_mode
                 if stat.S_ISCHR(mode):
-                    ret = is_read_write_to_all_users(full_path)
+                    ret = ret & is_read_write_to_owner_group_users(full_path)
                     if not ret and status:
                         status = ret
                     perm_check.add_file(full_path, ret)
