From nobody Sun Apr 28 00:17:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) client-ip=209.132.183.25; envelope-from=libvir-list-bounces@redhat.com; helo=mx4-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) by mx.zohomail.com with SMTPS id 1486738828101112.74788052386282; Fri, 10 Feb 2017 07:00:28 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEvHFu008976; Fri, 10 Feb 2017 09:57:17 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEuxmn006999 for ; Fri, 10 Feb 2017 09:56:59 -0500 Received: from moe.brq.redhat.com (dhcp129-131.brq.redhat.com [10.34.129.131]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEuvSE016574 for ; Fri, 10 Feb 2017 09:56:59 -0500 
From: Michal Privoznik To: libvir-list@redhat.com Date: Fri, 10 Feb 2017 15:56:49 +0100 Message-Id: <1115af4d4750ad08191b1c9c06eefd226fb058a7.1486738487.git.mprivozn@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 1/7] qemu_cgroup: Kill qemuSetupHostUSBDeviceCgroup X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" There's no need for this function. Currently it is passed as a callback to virUSBDeviceFileIterate(). However, USB devices have just one file path. Therefore we can mimic approach used in qemuDomainGetHostdevPath() to get path and call virCgroupAllowDevicePath() directly. Signed-off-by: Michal Privoznik --- src/qemu/qemu_cgroup.c | 34 +++++++++------------------------- 1 file changed, 9 insertions(+), 25 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 6c90d46d1..7302c43ee 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c 
@@ -260,23 +260,6 @@ qemuSetupInputCgroup(virDomainObjPtr vm, } =20 =20 -static int -qemuSetupHostUSBDeviceCgroup(virUSBDevicePtr dev ATTRIBUTE_UNUSED, - const char *path, - void *opaque) -{ - virDomainObjPtr vm =3D opaque; - qemuDomainObjPrivatePtr priv =3D vm->privateData; - int ret; - - VIR_DEBUG("Process path '%s' for USB device", path); - ret =3D virCgroupAllowDevicePath(priv->cgroup, path, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, "rw", ret = =3D=3D 0); - - return ret; -} - static int qemuSetupHostSCSIDeviceCgroup(virSCSIDevicePtr dev ATTRIBUTE_UNUSED, const char *path, @@ -333,6 +316,7 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm, virSCSIDevicePtr scsi =3D NULL; virSCSIVHostDevicePtr host =3D NULL; char *path =3D NULL; + int rv; =20 /* currently this only does something for PCI devices using vfio * for device assignment, but it is called for *all* hostdev @@ -347,8 +331,6 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm, switch ((virDomainHostdevSubsysType) dev->source.subsys.type) { case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: if (pcisrc->backend =3D=3D VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO= ) { - int rv; - pci =3D virPCIDeviceNew(pcisrc->addr.domain, pcisrc->addr.bus, pcisrc->addr.slot, 
@@ -381,13 +363,15 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm, goto cleanup; } =20 - /* oddly, qemuSetupHostUSBDeviceCgroup doesn't ever - * reference the usb object we just created - */ - if (virUSBDeviceFileIterate(usb, qemuSetupHostUSBDeviceCgroup, - vm) < 0) { + if (VIR_STRDUP(path, virUSBDeviceGetPath(usb)) < 0) + goto cleanup; + + VIR_DEBUG("Process path '%s' for USB device", path); + rv =3D virCgroupAllowDevicePath(priv->cgroup, path, + VIR_CGROUP_DEVICE_RW, false); + virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, "rw"= , rv =3D=3D 0); + if (rv < 0) goto cleanup; - } break; =20 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: { --=20 2.11.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun Apr 28 00:17:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) client-ip=209.132.183.37; envelope-from=libvir-list-bounces@redhat.com; helo=mx5-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) by mx.zohomail.com with SMTPS id 148673883429726.812627101567955; Fri, 10 Feb 2017 07:00:34 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEv2e9059392; Fri, 10 Feb 2017 09:57:02 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEv0e5007007 for ; Fri, 10 Feb 2017 09:57:00 -0500 Received: from moe.brq.redhat.com (dhcp129-131.brq.redhat.com [10.34.129.131]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP 
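Review bot: In the USB branch of qemuSetupHostdevCgroup the result of `virUSBDeviceGetPath(usb)` goes straight into `VIR_STRDUP()`, and the copy is then logged and handed to `virCgroupAllowDevicePath()` with no check that a path was actually obtained. If `VIR_STRDUP()` treats a NULL source as success and leaves `path` NULL (I believe it does, but please confirm), a device without a path would reach the cgroup call with a NULL pointer. A guard such as `if (!path) goto cleanup;` right after the copy would close that. The same applies to the SCSI hunk in patch 2/7 (`virSCSIDeviceGetPath(scsi)`) and the scsi_host hunk in patch 3/7 (`virSCSIVHostDeviceGetPath(host)`). The function body starts and ends outside this hunk.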
id v1AEuvSF016574 for ; Fri, 10 Feb 2017 09:56:59 -0500 From: Michal Privoznik To: libvir-list@redhat.com Date: Fri, 10 Feb 2017 15:56:50 +0100 Message-Id: In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 2/7] qemu_cgroup: Kill qemuSetupHostSCSIDeviceCgroup X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" There's no need for this function. Currently it is passed as a callback to virSCSIDeviceFileIterate(). However, SCSI devices have just one file path. Therefore we can mimic approach used in qemuDomainGetHostdevPath() to get path and call virCgroupAllowDevicePath() directly. Signed-off-by: Michal Privoznik --- src/qemu/qemu_cgroup.c | 38 +++++++++++++------------------------- 1 file changed, 13 insertions(+), 25 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 7302c43ee..6017da662 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c 
@@ -260,28 +260,6 @@ qemuSetupInputCgroup(virDomainObjPtr vm, } =20 =20 -static int -qemuSetupHostSCSIDeviceCgroup(virSCSIDevicePtr dev ATTRIBUTE_UNUSED, - const char *path, - void *opaque) -{ - virDomainObjPtr vm =3D opaque; - qemuDomainObjPrivatePtr priv =3D vm->privateData; - int ret; - - VIR_DEBUG("Process path '%s' for SCSI device", path); - - ret =3D virCgroupAllowDevicePath(priv->cgroup, path, - virSCSIDeviceGetReadonly(dev) ? - VIR_CGROUP_DEVICE_READ : - VIR_CGROUP_DEVICE_RW, false); - - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, - virSCSIDeviceGetReadonly(dev) ? "r" : "rw", r= et =3D=3D 0); - - return ret; -} - static int qemuSetupHostSCSIVHostDeviceCgroup(virSCSIVHostDevicePtr dev ATTRIBUTE_UNU= SED, const char *path, 
@@ -395,9 +373,19 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm, dev->shareable)) =3D=3D NULL) goto cleanup; =20 - if (virSCSIDeviceFileIterate(scsi, - qemuSetupHostSCSIDeviceCgroup, - vm) < 0) + if (VIR_STRDUP(path, virSCSIDeviceGetPath(scsi)) < 0) + goto cleanup; + + VIR_DEBUG("Process path '%s' for SCSI device", path); + rv =3D virCgroupAllowDevicePath(priv->cgroup, path, + virSCSIDeviceGetReadonly(scs= i) ? + VIR_CGROUP_DEVICE_READ : + VIR_CGROUP_DEVICE_RW, false); + + virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, + virSCSIDeviceGetReadonly(scsi) ? = "r" : "rw", + rv =3D=3D 0); + if (rv < 0) goto cleanup; } break; --=20 2.11.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun Apr 28 00:17:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) client-ip=209.132.183.25; envelope-from=libvir-list-bounces@redhat.com; helo=mx4-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) by mx.zohomail.com with SMTPS id 1486738827446838.1906615467477; Fri, 10 Feb 2017 07:00:27 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEvHe9008975; Fri, 10 Feb 2017 09:57:17 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEv1fM007014 for ; Fri, 10 Feb 2017 09:57:01 -0500 Received: from moe.brq.redhat.com (dhcp129-131.brq.redhat.com [10.34.129.131]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id 
v1AEuvSG016574 for ; Fri, 10 Feb 2017 09:57:00 -0500 From: Michal Privoznik To: libvir-list@redhat.com Date: Fri, 10 Feb 2017 15:56:51 +0100 Message-Id: <21c46b05c5f2741baf91e17ac2b9ade572faeb6b.1486738487.git.mprivozn@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 3/7] qemu_cgroup: Kill qemuSetupHostSCSIVHostDeviceCgroup X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" There's no need for this function. Currently it is passed as a callback to virSCSIVHostDeviceFileIterate(). However, SCSI host devices have just one file path. Therefore we can mimic approach used in qemuDomainGetHostdevPath() to get path and call virCgroupAllowDevicePath() directly. Signed-off-by: Michal Privoznik --- src/qemu/qemu_cgroup.c | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 6017da662..89854b5bd 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c 
@@ -260,25 +260,6 @@ qemuSetupInputCgroup(virDomainObjPtr vm, } =20 =20 -static int -qemuSetupHostSCSIVHostDeviceCgroup(virSCSIVHostDevicePtr dev ATTRIBUTE_UNU= SED, - const char *path, - void *opaque) -{ - virDomainObjPtr vm =3D opaque; - qemuDomainObjPrivatePtr priv =3D vm->privateData; - int ret; - - VIR_DEBUG("Process path '%s' for scsi_host device", path); - - ret =3D virCgroupAllowDevicePath(priv->cgroup, path, - VIR_CGROUP_DEVICE_RW, false); - - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, "rw", ret = =3D=3D 0); - - return ret; -} - int qemuSetupHostdevCgroup(virDomainObjPtr vm, virDomainHostdevDefPtr dev) 
@@ -397,9 +378,17 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm, if (!(host =3D virSCSIVHostDeviceNew(hostsrc->wwpn))) goto cleanup; =20 - if (virSCSIVHostDeviceFileIterate(host, - qemuSetupHostSCSIVHostDeviceC= group, - vm) < 0) + if (VIR_STRDUP(path, virSCSIVHostDeviceGetPath(host)) < 0) + goto cleanup; + + VIR_DEBUG("Process path '%s' for scsi_host device", path); + + rv =3D virCgroupAllowDevicePath(priv->cgroup, path, + VIR_CGROUP_DEVICE_RW, false); + + virDomainAuditCgroupPath(vm, priv->cgroup, + "allow", path, "rw", rv =3D=3D 0); + if (rv < 0) goto cleanup; } break; --=20 2.11.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun Apr 28 00:17:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) client-ip=209.132.183.37; envelope-from=libvir-list-bounces@redhat.com; helo=mx5-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) by mx.zohomail.com with SMTPS id 1486738823314134.01559965121828; Fri, 10 Feb 2017 07:00:23 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEv5la059401; Fri, 10 Feb 2017 09:57:05 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEv2qM007019 for ; Fri, 10 Feb 2017 09:57:02 -0500 Received: from moe.brq.redhat.com (dhcp129-131.brq.redhat.com [10.34.129.131]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEuvSH016574 for ; Fri, 10 Feb 2017 09:57:01 -0500 
From: Michal Privoznik To: libvir-list@redhat.com Date: Fri, 10 Feb 2017 15:56:52 +0100 Message-Id: In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 4/7] qemuSetupHostdevCgroup: Use qemuDomainGetHostdevPath X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" Since these two functions are nearly identical (with qemuSetupHostdevCgroup actually calling virCgroupAllowDevicePath) we can have one function call the other and thus de-duplicate some code. Signed-off-by: Michal Privoznik --- src/qemu/qemu_cgroup.c | 147 +++++----------------------------------------= ---- src/qemu/qemu_domain.c | 31 +++++++++-- src/qemu/qemu_domain.h | 4 ++ 3 files changed, 43 insertions(+), 139 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 89854b5bd..19832c209 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c 
@@ -264,147 +264,26 @@ int qemuSetupHostdevCgroup(virDomainObjPtr vm, virDomainHostdevDefPtr dev) { - int ret =3D -1; qemuDomainObjPrivatePtr priv =3D vm->privateData; - virDomainHostdevSubsysUSBPtr usbsrc =3D &dev->source.subsys.u.usb; - virDomainHostdevSubsysPCIPtr pcisrc =3D &dev->source.subsys.u.pci; - virDomainHostdevSubsysSCSIPtr scsisrc =3D &dev->source.subsys.u.scsi; - virDomainHostdevSubsysSCSIVHostPtr hostsrc =3D &dev->source.subsys.u.s= csi_host; - virPCIDevicePtr pci =3D NULL; - virUSBDevicePtr usb =3D NULL; - virSCSIDevicePtr scsi =3D NULL; - virSCSIVHostDevicePtr host =3D NULL; char *path =3D NULL; - int rv; + int perms; + int ret =3D -1; =20 - /* currently this only does something for PCI devices using vfio - * for device assignment, but it is called for *all* hostdev - * devices. - */ + if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) + goto cleanup; =20 - if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) - return 0; - - if (dev->mode =3D=3D VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) { - - switch ((virDomainHostdevSubsysType) dev->source.subsys.type) { - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: - if (pcisrc->backend =3D=3D VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO= ) { - pci =3D virPCIDeviceNew(pcisrc->addr.domain, - pcisrc->addr.bus, - pcisrc->addr.slot, - pcisrc->addr.function); - if (!pci) - goto cleanup; - - if (!(path =3D virPCIDeviceGetIOMMUGroupDev(pci))) - goto cleanup; - - VIR_DEBUG("Cgroup allow %s for PCI device assignment", pat= h); - rv =3D virCgroupAllowDevicePath(priv->cgroup, path, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, - "allow", path, "rw", rv =3D=3D 0); - if (rv < 0) - goto cleanup; - } - break; - - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: - /* NB: hostdev->missing wasn't previously checked in the - * case of hotplug, only when starting a domain. Now it is - * always checked, and the cgroup setup skipped if true. 
- */ - if (dev->missing) - break; - if ((usb =3D virUSBDeviceNew(usbsrc->bus, usbsrc->device, - NULL)) =3D=3D NULL) { - goto cleanup; - } - - if (VIR_STRDUP(path, virUSBDeviceGetPath(usb)) < 0) - goto cleanup; - - VIR_DEBUG("Process path '%s' for USB device", path); - rv =3D virCgroupAllowDevicePath(priv->cgroup, path, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, "rw"= , rv =3D=3D 0); - if (rv < 0) - goto cleanup; - break; - - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: { - if (scsisrc->protocol =3D=3D - VIR_DOMAIN_HOSTDEV_SCSI_PROTOCOL_TYPE_ISCSI) { - virDomainHostdevSubsysSCSIiSCSIPtr iscsisrc =3D &scsisrc->= u.iscsi; - /* Follow qemuSetupDiskCgroup() and qemuSetImageCgroupInte= rnal() - * which does nothing for non local storage - */ - VIR_DEBUG("Not updating cgroups for hostdev iSCSI path '%s= '", - iscsisrc->path); - } else { - virDomainHostdevSubsysSCSIHostPtr scsihostsrc =3D - &scsisrc->u.host; - if ((scsi =3D virSCSIDeviceNew(NULL, - scsihostsrc->adapter, - scsihostsrc->bus, - scsihostsrc->target, - scsihostsrc->unit, - dev->readonly, - dev->shareable)) =3D=3D NULL) - goto cleanup; - - if (VIR_STRDUP(path, virSCSIDeviceGetPath(scsi)) < 0) - goto cleanup; - - VIR_DEBUG("Process path '%s' for SCSI device", path); - rv =3D virCgroupAllowDevicePath(priv->cgroup, path, - virSCSIDeviceGetReadonly(scs= i) ? - VIR_CGROUP_DEVICE_READ : - VIR_CGROUP_DEVICE_RW, false); - - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, - virSCSIDeviceGetReadonly(scsi) ? 
= "r" : "rw", - rv =3D=3D 0); - if (rv < 0) - goto cleanup; - } - break; - } - - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI_HOST: { - if (hostsrc->protocol =3D=3D - VIR_DOMAIN_HOSTDEV_SUBSYS_SCSI_HOST_PROTOCOL_TYPE_VHOST) { - if (!(host =3D virSCSIVHostDeviceNew(hostsrc->wwpn))) - goto cleanup; - - if (VIR_STRDUP(path, virSCSIVHostDeviceGetPath(host)) < 0) - goto cleanup; - - VIR_DEBUG("Process path '%s' for scsi_host device", path); - - rv =3D virCgroupAllowDevicePath(priv->cgroup, path, - VIR_CGROUP_DEVICE_RW, false); - - virDomainAuditCgroupPath(vm, priv->cgroup, - "allow", path, "rw", rv =3D=3D 0); - if (rv < 0) - goto cleanup; - } - break; - } - - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST: - break; - } + if (!path) { + /* There's no path that we need to allow. Claim success. */ + ret =3D 0; + goto cleanup; } =20 - ret =3D 0; + VIR_DEBUG("Cgroup allow %s perms=3D%d", path, perms); + ret =3D virCgroupAllowDevicePath(priv->cgroup, path, perms, false); + virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, + virCgroupGetDevicePermsString(perms), ret =3D= =3D 0); + cleanup: - virPCIDeviceFree(pci); - virUSBDeviceFree(usb); - virSCSIDeviceFree(scsi); - virSCSIVHostDeviceFree(host); VIR_FREE(path); return ret; } diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 7c696963e..c6d32525f 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c 
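Review bot: The rewritten qemuSetupHostdevCgroup no longer has the early `if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0;` that the removed body started with, so `virCgroupAllowDevicePath()` is now called even when the devices controller is not available. How that call behaves without the controller is not visible here, but the old code treated the case as a successful no-op. A failure would presumably now abort domain start or hostdev hotplug on such hosts and emit a failed "allow" audit record. I would keep that guard as the first statement, before `qemuDomainGetHostdevPath()` is called. The removed USB branch also skipped devices with `dev->missing` set; it is worth confirming that qemuDomainGetHostdevPath() does the same, since its body is only partly shown.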
@@ -6831,9 +6831,21 @@ qemuDomainSupportsVideoVga(virDomainVideoDefPtr vide= o, } =20 =20 -static int +/** + * qemuDomainGetHostdevPath: + * @dev: host device definition + * @path: resulting path to @dev + * @perms: Optional pointer to VIR_CGROUP_DEVICE_* perms + * + * For given device @dev fetch its host path and store it at @path. Option= ally, + * caller can get @perms on the path (e.g. rw/ro). + * + * Returns 0 on success, -1 otherwise. + */ +int qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, - char **path) + char **path, + int *perms) { int ret =3D -1; virDomainHostdevSubsysUSBPtr usbsrc =3D &dev->source.subsys.u.usb; @@ -6864,6 +6876,8 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, if (!(tmpPath =3D virPCIDeviceGetIOMMUGroupDev(pci))) goto cleanup; freeTmpPath =3D true; + if (perms) + *perms =3D VIR_CGROUP_DEVICE_RW; } break; =20 @@ -6878,6 +6892,8 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, =20 if (!(tmpPath =3D (char *) virUSBDeviceGetPath(usb))) goto cleanup; + if (perms) + *perms =3D VIR_CGROUP_DEVICE_RW; break; =20 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: @@ -6902,6 +6918,9 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, =20 if (!(tmpPath =3D (char *) virSCSIDeviceGetPath(scsi))) goto cleanup; + if (perms) + *perms =3D virSCSIDeviceGetReadonly(scsi) ? + VIR_CGROUP_DEVICE_READ :VIR_CGROUP_DEVICE_RW; } break; =20 @@ -6913,6 +6932,8 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, =20 if (!(tmpPath =3D (char *) virSCSIVHostDeviceGetPath(host)= )) goto cleanup; + if (perms) + *perms =3D VIR_CGROUP_DEVICE_RW; } break; } @@ -7328,7 +7349,7 @@ qemuDomainSetupHostdev(virQEMUDriverPtr driver ATTRIB= UTE_UNUSED, int ret =3D -1; char *path =3D NULL; =20 - if (qemuDomainGetHostdevPath(dev, &path) < 0) + if (qemuDomainGetHostdevPath(dev, &path, NULL) < 0) goto cleanup; =20 if (!path) { 
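Review bot: The new doc comment on qemuDomainGetHostdevPath says only "Returns 0 on success", but the callers in this patch rely on two things it does not state. A successful return may leave `*path` NULL (each caller tests `if (!path)`), and in that case `*perms` is not written at all, since every `*perms` assignment in these hunks sits next to a `tmpPath` assignment. qemuSetupHostdevCgroup passes the address of an uninitialised `int perms`, which is safe only because of that pairing. I would add a sentence such as `* On success @path may be NULL if @dev needs no host path; @perms is then left untouched.` to the comment. Minor style point in the SCSI hunk: `VIR_CGROUP_DEVICE_READ :VIR_CGROUP_DEVICE_RW` is missing the space after the colon.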
@@ -7964,7 +7985,7 @@ qemuDomainNamespaceSetupHostdev(virQEMUDriverPtr driv= er, if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) return 0; =20 - if (qemuDomainGetHostdevPath(hostdev, &path) < 0) + if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) goto cleanup; =20 if (!path) { @@ -7995,7 +8016,7 @@ qemuDomainNamespaceTeardownHostdev(virQEMUDriverPtr d= river, if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) return 0; =20 - if (qemuDomainGetHostdevPath(hostdev, &path) < 0) + if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) goto cleanup; =20 if (!path) { diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index 5cfa3e114..f81550e2f 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h 
@@ -802,6 +802,10 @@ int qemuDomainCheckMonitor(virQEMUDriverPtr driver, bool qemuDomainSupportsVideoVga(virDomainVideoDefPtr video, virQEMUCapsPtr qemuCaps); =20 +int qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, + char **path, + int *perms); + int qemuDomainBuildNamespace(virQEMUDriverPtr driver, virDomainObjPtr vm); =20 --=20 2.11.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun Apr 28 00:17:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) client-ip=209.132.183.37; envelope-from=libvir-list-bounces@redhat.com; helo=mx5-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.37 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx5-phx2.redhat.com (mx5-phx2.redhat.com [209.132.183.37]) by mx.zohomail.com with SMTPS id 1486738853167611.1760830620786; Fri, 10 Feb 2017 07:00:53 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx5-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEvHaW059435; Fri, 10 Feb 2017 09:57:17 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEv2bu007027 for ; Fri, 10 Feb 2017 09:57:02 -0500 Received: from moe.brq.redhat.com (dhcp129-131.brq.redhat.com [10.34.129.131]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEuvSI016574 for ; Fri, 10 Feb 2017 09:57:02 -0500 
From: Michal Privoznik To: libvir-list@redhat.com Date: Fri, 10 Feb 2017 15:56:53 +0100 Message-Id: <4cc4699801882e7c3c3733e2f87609e4cb8d18bc.1486738487.git.mprivozn@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 5/7] qemuDomainGetHostdevPath: Create /dev/vfio/vfio iff needed X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" So far, we are allowing /dev/vfio/vfio in the devices cgroup unconditionally (and creating it in the namespace too). Even if domain has no hostdev assignment configured. This is potential security hole. Therefore, when starting the domain (or hotplugging a hostdev) create & allow /dev/vfio/vfio too (if needed). Signed-off-by: Michal Privoznik --- src/qemu/qemu.conf | 2 +- src/qemu/qemu_cgroup.c | 53 ++++++++++++---- src/qemu/qemu_domain.c | 124 ++++++++++++++++++++++++---------= ---- src/qemu/qemu_domain.h | 5 +- src/qemu/test_libvirtd_qemu.aug.in | 1 - 5 files changed, 125 insertions(+), 60 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 97d769d42..9f990c20d 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -354,7 +354,7 @@ # "/dev/null", "/dev/full", "/dev/zero", # "/dev/random", "/dev/urandom", # "/dev/ptmx", "/dev/kvm", "/dev/kqemu", -# "/dev/rtc","/dev/hpet", "/dev/vfio/vfio" +# "/dev/rtc","/dev/hpet" #] # # RDMA migration requires the following extra files to be added to the lis= t: diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 19832c209..944e8dc87 100644 --- a/src/qemu/qemu_cgroup.c 
+++ b/src/qemu/qemu_cgroup.c @@ -46,12 +46,13 @@ const char *const defaultDeviceACL[] =3D { "/dev/null", "/dev/full", "/dev/zero", "/dev/random", "/dev/urandom", "/dev/ptmx", "/dev/kvm", "/dev/kqemu", - "/dev/rtc", "/dev/hpet", "/dev/vfio/vfio", + "/dev/rtc", "/dev/hpet", NULL, }; #define DEVICE_PTY_MAJOR 136 #define DEVICE_SND_MAJOR 116 =20 +#define DEV_VFIO "/dev/vfio/vfio" =20 static int qemuSetupImagePathCgroup(virDomainObjPtr vm, @@ -265,26 +266,31 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm, virDomainHostdevDefPtr dev) { qemuDomainObjPrivatePtr priv =3D vm->privateData; - char *path =3D NULL; - int perms; - int ret =3D -1; + char **path =3D NULL; + int *perms =3D NULL; + size_t i, npaths =3D 0; + int rv, ret =3D -1; =20 - if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) + if (qemuDomainGetHostdevPath(dev, &npaths, &path, &perms) < 0) goto cleanup; =20 - if (!path) { - /* There's no path that we need to allow. Claim success. */ - ret =3D 0; - goto cleanup; + for (i =3D 0; i < npaths; i++) { + VIR_DEBUG("Cgroup allow %s perms=3D%d", path[i], perms[i]); + rv =3D virCgroupAllowDevicePath(priv->cgroup, path[i], perms[i], f= alse); + virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path[i], + virCgroupGetDevicePermsString(perms[i]), + ret =3D=3D 0); + if (rv < 0) + goto cleanup; } =20 - VIR_DEBUG("Cgroup allow %s perms=3D%d", path, perms); - ret =3D virCgroupAllowDevicePath(priv->cgroup, path, perms, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, - virCgroupGetDevicePermsString(perms), ret =3D= =3D 0); + ret =3D 0; =20 cleanup: + for (i =3D 0; i < npaths; i++) + VIR_FREE(path[i]); VIR_FREE(path); + VIR_FREE(perms); return ret; } =20 @@ -312,6 +318,7 @@ qemuTeardownHostdevCgroup(virDomainObjPtr vm, case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: if (pcisrc->backend =3D=3D VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO= ) { int rv; + size_t i, vfios =3D 0; =20 pci =3D virPCIDeviceNew(pcisrc->addr.domain, pcisrc->addr.bus, 
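Review bot: Removing "/dev/vfio/vfio" from `defaultDeviceACL` only tightens the built-in default. A host whose qemu.conf sets `cgroup_device_acl` explicitly, for example from a copy of the old commented-out list, would presumably still allow the node for every domain, so the exposure described in the commit message stays open there with no visible sign. A short comment beside the list in qemu.conf, e.g. `# /dev/vfio/vfio is allowed per domain when a VFIO hostdev is assigned; do not list it here`, would tell administrators to drop it.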
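Review bot: Inside the new loop in qemuSetupHostdevCgroup the audit call passes `ret == 0` as its success flag, but the result of `virCgroupAllowDevicePath()` is stored in `rv`, and `ret` is still -1 at that point. Every successful allow would therefore be audited as a failure, which makes the audit trail for device access unreliable. The last argument should be `rv == 0`. `perms[i]` is also read without a NULL check; that is fine as long as qemuDomainGetHostdevPath always fills `*perms` when it reports a non-zero `npaths`, which the other hunks of this patch appear to guarantee.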
@@ -330,6 +337,26 @@ qemuTeardownHostdevCgroup(virDomainObjPtr vm, "deny", path, "rwm", rv =3D=3D 0); if (rv < 0) goto cleanup; + + /* If this is the last hostdev with VFIO backend deny + * /dev/vfio/vfio too. */ + for (i =3D 0; i < vm->def->nhostdevs; i++) { + virDomainHostdevDefPtr tmp =3D vm->def->hostdevs[i]; + if (tmp->mode =3D=3D VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && + tmp->source.subsys.type =3D=3D VIR_DOMAIN_HOSTDEV_= SUBSYS_TYPE_PCI && + tmp->source.subsys.u.pci.backend =3D=3D VIR_DOMAIN= _HOSTDEV_PCI_BACKEND_VFIO) + vfios++; + } + + if (vfios =3D=3D 0) { + VIR_DEBUG("Cgroup deny " DEV_VFIO " for PCI device ass= ignment"); + rv =3D virCgroupDenyDevicePath(priv->cgroup, DEV_VFIO, + VIR_CGROUP_DEVICE_RWM, fa= lse); + virDomainAuditCgroupPath(vm, priv->cgroup, + "deny", DEV_VFIO, "rwm", rv = =3D=3D 0); + if (rv < 0) + goto cleanup; + } } break; case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index c6d32525f..530eced33 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -107,6 +107,7 @@ VIR_ENUM_IMPL(qemuDomainNamespace, QEMU_DOMAIN_NS_LAST, =20 #define PROC_MOUNTS "/proc/mounts" #define DEVPREFIX "/dev/" +#define DEV_VFIO "/dev/vfio/vfio" =20 =20 struct _qemuDomainLogContext { 
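Review bot: The count that decides whether to deny "/dev/vfio/vfio" walks every entry of `vm->def->hostdevs`, and it is not visible from this hunk whether the device being torn down has already been removed from that array when qemuTeardownHostdevCgroup runs. If it is still listed, `vfios` is at least 1 and the `vfios == 0` branch never executes, so the container device stays allowed after the last VFIO hostdev is gone. I would skip the entry for the device being torn down while counting, or state above the loop that callers must remove it from the definition first. The function body starts and ends outside this hunk.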
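Review bot: `#define DEV_VFIO "/dev/vfio/vfio"` now exists twice with the same value, here in qemu_domain.c and in qemu_cgroup.c. qemu_cgroup.c already calls qemuDomainGetHostdevPath(), which this patch declares in qemu_domain.h, so a single definition in that header would keep the allow path and the deny path from drifting apart if the node name ever changes.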
@@ -6834,18 +6835,24 @@ qemuDomainSupportsVideoVga(virDomainVideoDefPtr vid= eo, /** * qemuDomainGetHostdevPath: * @dev: host device definition + * @npaths: number of items in @path and @perms arrays * @path: resulting path to @dev * @perms: Optional pointer to VIR_CGROUP_DEVICE_* perms * - * For given device @dev fetch its host path and store it at @path. Option= ally, - * caller can get @perms on the path (e.g. rw/ro). + * For given device @dev fetch its host path and store it at + * @path. If a device requires other paths to be present/allowed + * they are stored in the @path array after the actual path. + * Optionally, caller can get @perms on the path (e.g. rw/ro). + * + * The caller is responsible for freeing the memory. * * Returns 0 on success, -1 otherwise. */ int qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, - char **path, - int *perms) + size_t *npaths, + char ***path, + int **perms) { int ret =3D -1; virDomainHostdevSubsysUSBPtr usbsrc =3D &dev->source.subsys.u.usb; @@ -6858,8 +6865,13 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, virSCSIVHostDevicePtr host =3D NULL; char *tmpPath =3D NULL; bool freeTmpPath =3D false; + bool includeVFIO =3D false; + char **tmpPaths =3D NULL; + int *tmpPerms =3D NULL; + size_t i, tmpNpaths =3D 0; + int perm =3D 0; =20 - *path =3D NULL; + *npaths =3D 0; =20 switch ((virDomainHostdevMode) dev->mode) { case VIR_DOMAIN_HOSTDEV_MODE_SUBSYS: @@ -6876,8 +6888,9 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, if (!(tmpPath =3D virPCIDeviceGetIOMMUGroupDev(pci))) goto cleanup; freeTmpPath =3D true; - if (perms) - *perms =3D VIR_CGROUP_DEVICE_RW; + + perm =3D VIR_CGROUP_DEVICE_RW; + includeVFIO =3D true; } break; =20 @@ -6892,8 +6905,7 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, =20 if (!(tmpPath =3D (char *) virUSBDeviceGetPath(usb))) goto cleanup; - if (perms) - *perms =3D VIR_CGROUP_DEVICE_RW; + perm =3D VIR_CGROUP_DEVICE_RW; break; =20 case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: 
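Review bot: The hunk that replaces `*path = NULL;` with `*npaths = 0;` leaves `*path` and `*perms` unwritten on every failure path of qemuDomainGetHostdevPath. The callers changed in this patch initialise their pointers to NULL, so their cleanup is safe, but a later caller that does not would pass an uninitialised pointer to `VIR_FREE()`. Setting the outputs up front, `*path = NULL;` and `if (perms) *perms = NULL;` next to `*npaths = 0;`, keeps the contract independent of the caller. The updated doc comment could also say that @perms, when requested, has @npaths entries, and that the caller must free each string as well as the @path and @perms arrays.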
@@ -6918,9 +6930,8 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, =20 if (!(tmpPath =3D (char *) virSCSIDeviceGetPath(scsi))) goto cleanup; - if (perms) - *perms =3D virSCSIDeviceGetReadonly(scsi) ? - VIR_CGROUP_DEVICE_READ :VIR_CGROUP_DEVICE_RW; + perm =3D virSCSIDeviceGetReadonly(scsi) ? + VIR_CGROUP_DEVICE_READ :VIR_CGROUP_DEVICE_RW; } break; =20 @@ -6932,8 +6943,7 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, =20 if (!(tmpPath =3D (char *) virSCSIVHostDeviceGetPath(host)= )) goto cleanup; - if (perms) - *perms =3D VIR_CGROUP_DEVICE_RW; + perm =3D VIR_CGROUP_DEVICE_RW; } break; } @@ -6949,11 +6959,40 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, break; } =20 - if (VIR_STRDUP(*path, tmpPath) < 0) - goto cleanup; + if (tmpPath) { + size_t toAlloc =3D 1; =20 + if (includeVFIO) + toAlloc =3D 2; + + if (VIR_ALLOC_N(tmpPaths, toAlloc) < 0 || + VIR_ALLOC_N(tmpPerms, toAlloc) < 0 || + VIR_STRDUP(tmpPaths[0], tmpPath) < 0) + goto cleanup; + tmpNpaths =3D toAlloc; + tmpPerms[0] =3D perm; + + if (includeVFIO) { + if (VIR_STRDUP(tmpPaths[1], DEV_VFIO) < 0) + goto cleanup; + tmpPerms[1] =3D VIR_CGROUP_DEVICE_RW; + } + } + + *npaths =3D tmpNpaths; + tmpNpaths =3D 0; + *path =3D tmpPaths; + tmpPaths =3D NULL; + if (perms) { + *perms =3D tmpPerms; + tmpPerms =3D NULL; + } ret =3D 0; cleanup: + for (i =3D 0; i < tmpNpaths; i++) + VIR_FREE(tmpPaths[i]); + VIR_FREE(tmpPaths); + VIR_FREE(tmpPerms); virPCIDeviceFree(pci); virUSBDeviceFree(usb); virSCSIDeviceFree(scsi); 
@@ -7347,22 +7386,21 @@ qemuDomainSetupHostdev(virQEMUDriverPtr driver ATTR= IBUTE_UNUSED, const char *devPath) { int ret =3D -1; - char *path =3D NULL; + char **path =3D NULL; + size_t i, npaths =3D 0; =20 - if (qemuDomainGetHostdevPath(dev, &path, NULL) < 0) + if (qemuDomainGetHostdevPath(dev, &npaths, &path, NULL) < 0) goto cleanup; =20 - if (!path) { - /* There's no /dev device that we need to create. Claim success. */ - ret =3D 0; - goto cleanup; + for (i =3D 0; i < npaths; i++) { + if (qemuDomainCreateDevice(path[i], devPath, false) < 0) + goto cleanup; } =20 - if (qemuDomainCreateDevice(path, devPath, false) < 0) - goto cleanup; - ret =3D 0; cleanup: + for (i =3D 0; i < npaths; i++) + VIR_FREE(path[i]); VIR_FREE(path); return ret; } @@ -7980,26 +8018,26 @@ qemuDomainNamespaceSetupHostdev(virQEMUDriverPtr dr= iver, virDomainHostdevDefPtr hostdev) { int ret =3D -1; - char *path =3D NULL; + char **path =3D NULL; + size_t i, npaths =3D 0; =20 if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) return 0; =20 - if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) + if (qemuDomainGetHostdevPath(hostdev, &npaths, &path, NULL) < 0) goto cleanup; =20 - if (!path) { - /* There's no /dev device that we need to create. Claim success. */ - ret =3D 0; + for (i =3D 0; i < npaths; i++) { + if (qemuDomainAttachDeviceMknod(driver, + vm, + path[i]) < 0) goto cleanup; } =20 - if (qemuDomainAttachDeviceMknod(driver, - vm, - path) < 0) - goto cleanup; ret =3D 0; cleanup: + for (i =3D 0; i < npaths; i++) + VIR_FREE(path[i]); VIR_FREE(path); return ret; } 
@@ -8011,25 +8049,25 @@ qemuDomainNamespaceTeardownHostdev(virQEMUDriverPtr= driver, virDomainHostdevDefPtr hostdev) { int ret =3D -1; - char *path =3D NULL; + char **path =3D NULL; + size_t i, npaths =3D 0; =20 if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) return 0; =20 - if (qemuDomainGetHostdevPath(hostdev, &path, NULL) < 0) + if (qemuDomainGetHostdevPath(hostdev, &npaths, &path, NULL) < 0) goto cleanup; =20 - if (!path) { - /* There's no /dev device that we need to create. Claim success. */ - ret =3D 0; - goto cleanup; - } - - if (qemuDomainDetachDeviceUnlink(driver, vm, path) < 0) + /* Don't remove other paths than for the @hostdev itself. + * They might be still in use by other devices. */ + if (npaths > 0 && + qemuDomainDetachDeviceUnlink(driver, vm, path[0]) < 0) goto cleanup; =20 ret =3D 0; cleanup: + for (i =3D 0; i < npaths; i++) + VIR_FREE(path[i]); VIR_FREE(path); return ret; } diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index f81550e2f..e64aa25ba 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -803,8 +803,9 @@ bool qemuDomainSupportsVideoVga(virDomainVideoDefPtr vi= deo, virQEMUCapsPtr qemuCaps); =20 int qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, - char **path, - int *perms); + size_t *npaths, + char ***path, + int **perms); =20 int qemuDomainBuildNamespace(virQEMUDriverPtr driver, virDomainObjPtr vm); diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index bd25235d3..6f03898c0 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in 
@@ -55,7 +55,6 @@ module Test_libvirtd_qemu =3D { "8" =3D "/dev/kqemu" } { "9" =3D "/dev/rtc" } { "10" =3D "/dev/hpet" } - { "11" =3D "/dev/vfio/vfio" } } { "save_image_format" =3D "raw" } { "dump_image_format" =3D "raw" } --=20 2.11.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun Apr 28 00:17:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) client-ip=209.132.183.39; envelope-from=libvir-list-bounces@redhat.com; helo=mx6-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.39 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx6-phx2.redhat.com (mx6-phx2.redhat.com [209.132.183.39]) by mx.zohomail.com with SMTPS id 148673884322939.576272304550685; Fri, 10 Feb 2017 07:00:43 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx6-phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEvJkQ007949; Fri, 10 Feb 2017 09:57:19 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEv3up007037 for ; Fri, 10 Feb 2017 09:57:03 -0500 Received: from moe.brq.redhat.com (dhcp129-131.brq.redhat.com [10.34.129.131]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEuvSJ016574 for ; Fri, 10 Feb 2017 09:57:03 -0500 
From: Michal Privoznik To: libvir-list@redhat.com Date: Fri, 10 Feb 2017 15:56:54 +0100 Message-Id: <0e6fc3a1f18dd074539427015615196f3ef2bb08.1486738487.git.mprivozn@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 6/7] qemuDomainGetHostdevPath: Report /dev/vfio/vfio less frequently X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" So far, qemuDomainGetHostdevPath has no knowledge of the reason it is called and thus reports /dev/vfio/vfio for every VFIO backed device. This is suboptimal, as we want it to: a) report /dev/vfio/vfio on every addition or domain startup b) report /dev/vfio/vfio only on last VFIO device being unplugged If a domain is being stopped then namespace and CGroup die with it so no need to worry about that. I mean, even when a domain that's exiting has more than one VFIO device assigned to it, this function does not clean /dev/vfio/vfio in CGroup nor in the namespace. But that doesn't matter. Signed-off-by: Michal Privoznik --- src/qemu/qemu_cgroup.c | 87 ++++++++++++----------------------------------= ---- src/qemu/qemu_domain.c | 38 ++++++++++++++++------ src/qemu/qemu_domain.h | 4 ++- 3 files changed, 52 insertions(+), 77 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 944e8dc87..209cbc275 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c 
@@ -52,7 +52,6 @@ const char *const defaultDeviceACL[] =3D { #define DEVICE_PTY_MAJOR 136 #define DEVICE_SND_MAJOR 116 =20 -#define DEV_VFIO "/dev/vfio/vfio" =20 static int qemuSetupImagePathCgroup(virDomainObjPtr vm, @@ -271,7 +270,7 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm, size_t i, npaths =3D 0; int rv, ret =3D -1; =20 - if (qemuDomainGetHostdevPath(dev, &npaths, &path, &perms) < 0) + if (qemuDomainGetHostdevPath(NULL, dev, false, &npaths, &path, &perms)= < 0) goto cleanup; =20 for (i =3D 0; i < npaths; i++) { @@ -298,11 +297,10 @@ int qemuTeardownHostdevCgroup(virDomainObjPtr vm, virDomainHostdevDefPtr dev) { - int ret =3D -1; qemuDomainObjPrivatePtr priv =3D vm->privateData; - virDomainHostdevSubsysPCIPtr pcisrc =3D &dev->source.subsys.u.pci; - virPCIDevicePtr pci =3D NULL; - char *path =3D NULL; + char **path =3D NULL; + size_t i, npaths =3D 0; + int rv, ret =3D -1; =20 /* currently this only does something for PCI devices using vfio * for device assignment, but it is called for *all* hostdev 
@@ -312,70 +310,27 @@ qemuTeardownHostdevCgroup(virDomainObjPtr vm, if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) return 0; =20 - if (dev->mode =3D=3D VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) { - - switch ((virDomainHostdevSubsysType) dev->source.subsys.type) { - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: - if (pcisrc->backend =3D=3D VIR_DOMAIN_HOSTDEV_PCI_BACKEND_VFIO= ) { - int rv; - size_t i, vfios =3D 0; - - pci =3D virPCIDeviceNew(pcisrc->addr.domain, - pcisrc->addr.bus, - pcisrc->addr.slot, - pcisrc->addr.function); - if (!pci) - goto cleanup; - - if (!(path =3D virPCIDeviceGetIOMMUGroupDev(pci))) - goto cleanup; - - VIR_DEBUG("Cgroup deny %s for PCI device assignment", path= ); - rv =3D virCgroupDenyDevicePath(priv->cgroup, path, - VIR_CGROUP_DEVICE_RWM, false); - virDomainAuditCgroupPath(vm, priv->cgroup, - "deny", path, "rwm", rv =3D=3D 0); - if (rv < 0) - goto cleanup; - - /* If this is the last hostdev with VFIO backend deny - * /dev/vfio/vfio too. */ - for (i =3D 0; i < vm->def->nhostdevs; i++) { - virDomainHostdevDefPtr tmp =3D vm->def->hostdevs[i]; - if (tmp->mode =3D=3D VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && - tmp->source.subsys.type =3D=3D VIR_DOMAIN_HOSTDEV_= SUBSYS_TYPE_PCI && - tmp->source.subsys.u.pci.backend =3D=3D VIR_DOMAIN= _HOSTDEV_PCI_BACKEND_VFIO) - vfios++; - } - - if (vfios =3D=3D 0) { - VIR_DEBUG("Cgroup deny " DEV_VFIO " for PCI device ass= ignment"); - rv =3D virCgroupDenyDevicePath(priv->cgroup, DEV_VFIO, - VIR_CGROUP_DEVICE_RWM, fa= lse); - virDomainAuditCgroupPath(vm, priv->cgroup, - "deny", DEV_VFIO, "rwm", rv = =3D=3D 0); - if (rv < 0) - goto cleanup; - } - } - break; - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: - /* nothing to tear down for USB */ - break; - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: - /* nothing to tear down for SCSI */ - break; - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI_HOST: - /* nothing to tear down for scsi_host */ - break; - case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_LAST: - break; - } + if (dev->mode 
=3D=3D VIR_DOMAIN_HOSTDEV_MODE_SUBSYS && + dev->source.subsys.type =3D=3D VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI = && + dev->source.subsys.u.pci.backend =3D=3D VIR_DOMAIN_HOSTDEV_PCI_BAC= KEND_VFIO && + qemuDomainGetHostdevPath(vm->def, dev, true, + &npaths, &path, NULL) < 0) + goto cleanup; + + for (i =3D 0; i < npaths; i++) { + VIR_DEBUG("Cgroup deny %s", path[i]); + rv =3D virCgroupDenyDevicePath(priv->cgroup, path[i], + VIR_CGROUP_DEVICE_RWM, false); + virDomainAuditCgroupPath(vm, priv->cgroup, + "deny", path[i], "rwm", rv =3D=3D 0); + if (rv < 0) + goto cleanup; } =20 ret =3D 0; cleanup: - virPCIDeviceFree(pci); + for (i =3D 0; i < npaths; i++) + VIR_FREE(path[i]); VIR_FREE(path); return ret; } diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 530eced33..515e0052e 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -6834,7 +6834,9 @@ qemuDomainSupportsVideoVga(virDomainVideoDefPtr video, =20 /** * qemuDomainGetHostdevPath: + * @def: domain definition * @dev: host device definition + * @teardown: true if device will be removed * @npaths: number of items in @path and @perms arrays * @path: resulting path to @dev * @perms: Optional pointer to VIR_CGROUP_DEVICE_* perms @@ -6849,7 +6851,9 @@ qemuDomainSupportsVideoVga(virDomainVideoDefPtr video, * Returns 0 on success, -1 otherwise. */ int -qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, +qemuDomainGetHostdevPath(virDomainDefPtr def, + virDomainHostdevDefPtr dev, + bool teardown, size_t *npaths, char ***path, int **perms) 
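Review bot: The new `@def` line in the doc comment of `qemuDomainGetHostdevPath` does not say that the argument may be NULL, yet every setup caller in this patch passes `NULL` with `teardown` false, while the teardown branch added in a later hunk reads `def->nhostdevs`. Stating the contract keeps a future caller from pairing `teardown == true` with a NULL definition: `* @def: domain definition (may be NULL when @teardown is false)`. The `@teardown` line could add that /dev/vfio/vfio is then reported only when no VFIO hostdev is left in @def.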
@@ -6890,7 +6894,21 @@ qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, freeTmpPath =3D true; =20 perm =3D VIR_CGROUP_DEVICE_RW; - includeVFIO =3D true; + if (teardown) { + size_t nvfios =3D 0; + for (i =3D 0; i < def->nhostdevs; i++) { + virDomainHostdevDefPtr tmp =3D def->hostdevs[i]; + if (tmp->mode =3D=3D VIR_DOMAIN_HOSTDEV_MODE_SUBSY= S && + tmp->source.subsys.type =3D=3D VIR_DOMAIN_HOST= DEV_SUBSYS_TYPE_PCI && + tmp->source.subsys.u.pci.backend =3D=3D VIR_DO= MAIN_HOSTDEV_PCI_BACKEND_VFIO) + nvfios++; + } + + if (nvfios =3D=3D 0) + includeVFIO =3D true; + } else { + includeVFIO =3D true; + } } break; =20 @@ -7389,7 +7407,7 @@ qemuDomainSetupHostdev(virQEMUDriverPtr driver ATTRIB= UTE_UNUSED, char **path =3D NULL; size_t i, npaths =3D 0; =20 - if (qemuDomainGetHostdevPath(dev, &npaths, &path, NULL) < 0) + if (qemuDomainGetHostdevPath(NULL, dev, false, &npaths, &path, NULL) <= 0) goto cleanup; =20 for (i =3D 0; i < npaths; i++) { @@ -8024,7 +8042,7 @@ qemuDomainNamespaceSetupHostdev(virQEMUDriverPtr driv= er, if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) return 0; =20 - if (qemuDomainGetHostdevPath(hostdev, &npaths, &path, NULL) < 0) + if (qemuDomainGetHostdevPath(NULL, hostdev, false, &npaths, &path, NUL= L) < 0) goto cleanup; =20 for (i =3D 0; i < npaths; i++) { @@ -8055,14 +8073,14 @@ qemuDomainNamespaceTeardownHostdev(virQEMUDriverPtr= driver, if (!qemuDomainNamespaceEnabled(vm, QEMU_DOMAIN_NS_MOUNT)) return 0; =20 - if (qemuDomainGetHostdevPath(hostdev, &npaths, &path, NULL) < 0) + if (qemuDomainGetHostdevPath(vm->def, hostdev, true, + &npaths, &path, NULL) < 0) goto cleanup; =20 - /* Don't remove other paths than for the @hostdev itself. - * They might be still in use by other devices. */ - if (npaths > 0 && - qemuDomainDetachDeviceUnlink(driver, vm, path[0]) < 0) - goto cleanup; + for (i =3D 0; i < npaths; i++) { + if (qemuDomainDetachDeviceUnlink(driver, vm, path[i]) < 0) + goto cleanup; + } =20 ret =3D 0; cleanup: 
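Review bot: The `nvfios == 0` test in the teardown branch reports /dev/vfio/vfio only if @dev has already been dropped from `def->hostdevs` when the function runs. If a teardown caller runs while the device is still listed, the count is at least one and the shared node is never denied in the cgroup or unlinked from the namespace, so access outlives the last VFIO device. The call order is not visible in these hunks and the removed cgroup code used the same count, so this is a question for the callers rather than a confirmed defect. A comment above the loop would record the assumption: `/* @dev must already be gone from @def->hostdevs, else the count never reaches 0 */`. The enclosing function starts and ends outside the hunk.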
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index e64aa25ba..80de50fbe 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -802,7 +802,9 @@ int qemuDomainCheckMonitor(virQEMUDriverPtr driver, bool qemuDomainSupportsVideoVga(virDomainVideoDefPtr video, virQEMUCapsPtr qemuCaps); =20 -int qemuDomainGetHostdevPath(virDomainHostdevDefPtr dev, +int qemuDomainGetHostdevPath(virDomainDefPtr def, + virDomainHostdevDefPtr dev, + bool teardown, size_t *npaths, char ***path, int **perms); --=20 2.11.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Sun Apr 28 00:17:04 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) client-ip=209.132.183.25; envelope-from=libvir-list-bounces@redhat.com; helo=mx4-phx2.redhat.com; Authentication-Results: mx.zoho.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.25 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; Return-Path: Received: from mx4-phx2.redhat.com (mx4-phx2.redhat.com [209.132.183.25]) by mx.zohomail.com with SMTPS id 14867388436251012.7358837791006; Fri, 10 Feb 2017 07:00:43 -0800 (PST) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by mx4-phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEvKK3009001; Fri, 10 Feb 2017 09:57:20 -0500 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id v1AEv4OD007049 for ; Fri, 10 Feb 2017 09:57:04 -0500 Received: from moe.brq.redhat.com (dhcp129-131.brq.redhat.com [10.34.129.131]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id v1AEuvSK016574 for ; Fri, 10 Feb 2017 09:57:03 -0500 
From: Michal Privoznik To: libvir-list@redhat.com Date: Fri, 10 Feb 2017 15:56:55 +0100 Message-Id: <1bebdb813af95cc777d07558096c2bf6599b3b7e.1486738487.git.mprivozn@redhat.com> In-Reply-To: References: In-Reply-To: References: X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH 7/7] qemu: Allow /dev/dri/render* for virgl domains X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Type: text/plain; charset="utf-8" When enabling virgl, qemu opens /dev/dri/render*. So far, we are not allowing that in devices cgroup nor creating the file in domain's namespace and thus requiring users to set the paths in qemu.conf. This, however, is suboptimal as it allows access to ALL qemu processes even those which don't have virgl configured. Signed-off-by: Michal Privoznik --- src/qemu/qemu_cgroup.c | 51 ++++++++++++++++++++++++++++++++++++++++ src/qemu/qemu_domain.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++= ++++ 2 files changed, 115 insertions(+) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 209cbc275..c667dc12b 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c 
@@ -335,6 +335,52 @@ qemuTeardownHostdevCgroup(virDomainObjPtr vm, return ret; } =20 + +static int +qemuSetupVideoCgroup(virDomainObjPtr vm, + virDomainVideoDefPtr video) +{ + qemuDomainObjPrivatePtr priv =3D vm->privateData; + const char *dripath =3D "/dev/dri"; + char *devpath =3D NULL; + struct dirent *ent; + DIR *dir; + int rv, rc, ret =3D -1; + + if (!video->accel || + !video->accel->accel3d) + return 0; + + if (virDirOpen(&dir, dripath) < 0) + return ret; + + while ((rv =3D virDirRead(dir, &ent, dripath)) > 0) { + if (!STRPREFIX(ent->d_name, "render")) + continue; + + VIR_FREE(devpath); + if (virAsprintf(&devpath, "%s/%s", dripath, ent->d_name) < 0) + goto cleanup; + + rc =3D virCgroupAllowDevicePath(priv->cgroup, devpath, + VIR_CGROUP_DEVICE_RW, false); + virDomainAuditCgroupPath(vm, priv->cgroup, "allow", devpath, + "rw", rc =3D=3D 0); + if (rv < 0) + goto cleanup; + } + + if (rv < 0) + goto cleanup; + + ret =3D 0; + cleanup: + VIR_FREE(devpath); + VIR_DIR_CLOSE(dir); + return ret; +} + + static int qemuSetupBlkioCgroup(virDomainObjPtr vm) { @@ -604,6 +650,11 @@ qemuSetupDevicesCgroup(virQEMUDriverPtr driver, goto cleanup; } =20 + for (i =3D 0; i < vm->def->nvideos; i++) { + if (qemuSetupVideoCgroup(vm, vm->def->videos[i]) < 0) + goto cleanup; + } + for (i =3D 0; i < vm->def->ninputs; i++) { if (qemuSetupInputCgroup(vm, vm->def->inputs[i]) < 0) goto cleanup; diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 515e0052e..06ba1cf00 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c 
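Review bot: In `qemuSetupVideoCgroup` the result of `virCgroupAllowDevicePath()` is stored in `rc`, but the check after the audit call tests `rv`, which holds the `virDirRead()` result and is always positive inside the loop body. A failed allow is therefore audited as a failure and then ignored, and the function can still return 0 with the render node missing from the devices cgroup. The check should read `if (rc < 0) goto cleanup;`.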
@@ -7504,6 +7504,67 @@ qemuDomainSetupTPM(virQEMUDriverPtr driver ATTRIBUTE= _UNUSED, } =20 =20 +static int +qemuDomainSetupVideo(virQEMUDriverPtr driver ATTRIBUTE_UNUSED, + virDomainVideoDefPtr video, + const char *devPath) +{ + const char *dripath =3D "/dev/dri"; + char *dridevpath =3D NULL; + struct dirent *ent; + DIR *dir; + int rv, ret =3D -1; + + if (!video->accel || + !video->accel->accel3d) + return 0; + + if (virDirOpen(&dir, dripath) < 0) + return ret; + + while ((rv =3D virDirRead(dir, &ent, dripath)) > 0) { + if (!STRPREFIX(ent->d_name, "render")) + continue; + + VIR_FREE(dridevpath); + if (virAsprintf(&dridevpath, "%s/%s", dripath, ent->d_name) < 0) + goto cleanup; + + if (qemuDomainCreateDevice(dridevpath, devPath, false) < 0) + goto cleanup; + } + + if (rv < 0) + goto cleanup; + + ret =3D 0; + cleanup: + VIR_FREE(dridevpath); + VIR_DIR_CLOSE(dir); + return ret; +} + + +static int +qemuDomainSetupAllVideos(virQEMUDriverPtr driver, + virDomainObjPtr vm, + const char *devPath) +{ + size_t i; + + VIR_DEBUG("Setting up videos"); + for (i =3D 0; i < vm->def->nvideos; i++) { + if (qemuDomainSetupVideo(driver, + vm->def->videos[i], + devPath) < 0) + return -1; + } + + VIR_DEBUG("Setup all videos"); + return 0; +} + + static int qemuDomainSetupInput(virQEMUDriverPtr driver ATTRIBUTE_UNUSED, virDomainInputDefPtr input, @@ -7657,6 +7718,9 @@ qemuDomainBuildNamespace(virQEMUDriverPtr driver, if (qemuDomainSetupTPM(driver, vm, devPath) < 0) goto cleanup; =20 + if (qemuDomainSetupAllVideos(driver, vm, devPath) < 0) + goto cleanup; + if (qemuDomainSetupAllInputs(driver, vm, devPath) < 0) goto cleanup; =20 --=20 2.11.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
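Review bot: `qemuDomainSetupVideo` creates every `/dev/dri/render*` node found on the host in the namespace of any domain whose video has `accel3d` set, and `qemuSetupVideoCgroup` in qemu_cgroup.c allows the same set in the devices cgroup. On a host with more than one render node the domain gets more devices than the one QEMU opens, which is wider than the per-domain scoping the commit message aims for. If the node in use cannot be determined at this point, a comment should say so, for example `/* the render node QEMU will open is not known here, so expose all of them */`; that reasoning is inferred, not shown in the patch. Separately, a failing `virDirOpen()` returns -1, so namespace setup fails when `/dev/dri` is absent, and the patch does not say whether that is intended.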