[PATCH] domain_cgroup: Fix a condition in virDomainCgroupConnectCgroup()

Michal Privoznik posted 1 patch 2 years ago
git fetch https://github.com/patchew-project/libvirt tags/patchew/15af9613d99088cd5b9e9872431997c7979201c6.1650382065.git.mprivozn@redhat.com
src/hypervisor/domain_cgroup.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
[PATCH] domain_cgroup: Fix a condition in virDomainCgroupConnectCgroup()
Posted by Michal Privoznik 2 years ago
While parts of QEMU's CGroup code were moved under a
hypervisor-agnostic location (src/hypervisor/), a typo sneaked in. The
inspiration for virDomainCgroupConnectCgroup() comes from
qemuConnectCgroup(). The former is called upon reconnecting to a
running domain (after daemon restart). While the latter returned
early if the daemon was running unprivileged, the former returns
early if the daemon runs privileged. This is obviously wrong,
because root can set up CGroups.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2075765
Fixes: 788e2b58cb1896f1c25ebbdbde4bafddc5ed4dc9
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/hypervisor/domain_cgroup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/hypervisor/domain_cgroup.c b/src/hypervisor/domain_cgroup.c
index 5af88155bc..8072465615 100644
--- a/src/hypervisor/domain_cgroup.c
+++ b/src/hypervisor/domain_cgroup.c
@@ -485,7 +485,7 @@ virDomainCgroupConnectCgroup(const char *prefix,
                              bool privileged,
                              char *machineName)
 {
-    if (privileged)
+    if (!privileged)
         return 0;
 
     if (!virCgroupAvailable())
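Review bot: The early return at `if (!privileged)` carries no comment stating the intended behaviour, and the commit message shows this exact test was inverted unnoticed when the code was moved out of qemuConnectCgroup(). Consider a one-line comment above the check saying that only an unprivileged daemon skips the cgroup reconnect, and a test that calls virDomainCgroupConnectCgroup() with `privileged` both true and false, so a flipped condition is caught in review or CI rather than after a daemon restart with running domains.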
-- 
2.35.1
Re: [PATCH] domain_cgroup: Fix a condition in virDomainCgroupConnectCgroup()
Posted by Ján Tomko 2 years ago
On a Tuesday in 2022, Michal Privoznik wrote:
>While parts of QEMU's CGroup code were moved under a
>hypervisor-agnostic location (src/hypervisor/), a typo sneaked in. The
>inspiration for virDomainCgroupConnectCgroup() comes from
>qemuConnectCgroup(). The former is called upon reconnecting to a
>running domain (after daemon restart). While the latter returned
>early if the daemon was running unprivileged, the former returns
>early if the daemon runs privileged. This is obviously wrong,
>because root can set up CGroups.
>
>Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2075765
>Fixes: 788e2b58cb1896f1c25ebbdbde4bafddc5ed4dc9
>Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>---
> src/hypervisor/domain_cgroup.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano