From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 1/4] qemu_cgroup: Drop ENOENT special case for RNG devices
Date: Tue, 15 Mar 2022 17:07:16 +0100

When allowing or denying an RNG device in CGroups there's a special check if the backend device exists (errno == ENOENT) in which case success is returned to the caller. This is in contrast with the rest of the functions and in fact wrong too - if the backend device doesn't exist then QEMU will fail opening it. Might as well signal error here.

Signed-off-by: Michal Privoznik
---
 src/qemu/qemu_cgroup.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 34b50ddd1d..9d47803fce 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -630,8 +630,7 @@ qemuSetupRNGCgroup(virDomainObj *vm, virDomainAuditCgroupPath(vm, priv->cgroup, "allow", rng->source.file, "rw", rv); - if (rv < 0 && - !virLastErrorIsSystemErrno(ENOENT)) + if (rv < 0) return -1; }
@@ -657,8 +656,7 @@ qemuTeardownRNGCgroup(virDomainObj *vm, virDomainAuditCgroupPath(vm, priv->cgroup, "deny", rng->source.file, "rw", rv); - if (rv < 0 && - !virLastErrorIsSystemErrno(ENOENT)) + if (rv < 0) return -1; }
-- 
2.34.1
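Review bot: the second hunk (qemuTeardownRNGCgroup, @@ -657,8 +656,7 @@) needs its own justification: the commit message's argument (QEMU will fail to open a missing backend anyway) only holds for the setup path. On teardown, with the ENOENT tolerance gone, a backend node that has disappeared since startup now makes the deny call fail and the function return -1, although there is nothing left for the cgroup rule to protect; either state in the commit message that failing the unplug or shutdown cleanup in that case is intended, or keep the `!virLastErrorIsSystemErrno(ENOENT)` exception in the teardown hunk only.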
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 2/4] qemu_cgroup: Introduce and use qemuCgroupAllowDevicePath()
Date: Tue, 15 Mar 2022 17:07:17 +0100

In all cases virCgroupAllowDevicePath() is followed by virDomainAuditCgroupPath(). Might as well pack that into one function and call it.

Signed-off-by: Michal Privoznik
---
 src/qemu/qemu_cgroup.c | 127 +++++++++++++++--------------------
 1 file changed, 45 insertions(+), 82 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 9d47803fce..258172c5a5 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -54,6 +54,26 @@ const char *const defaultDeviceACL[] = { #define DEVICE_SND_MAJOR 116 +static int +qemuCgroupAllowDevicePath(virDomainObj *vm, + const char *path, + int perms, + bool ignoreEacces) +{ + qemuDomainObjPrivate *priv = vm->privateData; + int ret; + + VIR_DEBUG("Allow path %s, perms: %s", + path, virCgroupGetDevicePermsString(perms)); + + ret = virCgroupAllowDevicePath(priv->cgroup, path, perms, ignoreEacces); + + virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, + virCgroupGetDevicePermsString(perms), ret); + return ret; +} + + static int qemuSetupImagePathCgroup(virDomainObj *vm, const char *path, @@ -71,14 +91,7 @@ qemuSetupImagePathCgroup(virDomainObj *vm, if (!readonly) perms |= VIR_CGROUP_DEVICE_WRITE; - VIR_DEBUG("Allow path %s, perms: %s", - path, virCgroupGetDevicePermsString(perms)); - - rv = virCgroupAllowDevicePath(priv->cgroup, path, perms, true); - - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, - virCgroupGetDevicePermsString(perms), - rv); + rv = qemuCgroupAllowDevicePath(vm, path, perms, true); if (rv < 0) return -1; @@ -96,12 +109,7 @@ qemuSetupImagePathCgroup(virDomainObj *vm, } for (n = targetPaths; n; n = n->next) { - rv = virCgroupAllowDevicePath(priv->cgroup, n->data, perms, false); - - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", n->data, - virCgroupGetDevicePermsString(perms), - rv); - if (rv < 0) + if (qemuCgroupAllowDevicePath(vm, n->data, perms, false) < 0) return -1; } @@ -278,7 +286,6 @@ qemuSetupChrSourceCgroup(virDomainObj *vm, virDomainChrSourceDef *source) { qemuDomainObjPrivate *priv = vm->privateData; - int ret; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0;
@@ -288,12 +295,8 @@ qemuSetupChrSourceCgroup(virDomainObj *vm, VIR_DEBUG("Process path '%s' for device", source->data.file.path); - ret = virCgroupAllowDevicePath(priv->cgroup, source->data.file.path, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", - source->data.file.path, "rw", ret); - - return ret; + return qemuCgroupAllowDevicePath(vm, source->data.file.path, + VIR_CGROUP_DEVICE_RW, false); } @@ -361,10 +364,8 @@ qemuSetupInputCgroup(virDomainObj *vm, switch (dev->type) { case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: case VIR_DOMAIN_INPUT_TYPE_EVDEV: - VIR_DEBUG("Process path '%s' for input device", dev->source.evdev); - ret = virCgroupAllowDevicePath(priv->cgroup, dev->source.evdev, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", dev->source.evdev, "rw", ret); + return qemuCgroupAllowDevicePath(vm, dev->source.evdev, + VIR_CGROUP_DEVICE_RW, false); break; } @@ -413,7 +414,6 @@ qemuSetupHostdevCgroup(virDomainObj *vm, qemuDomainObjPrivate *priv = vm->privateData; g_autofree char *path = NULL; int perms; - int rv; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0;
@@ -421,24 +421,15 @@ qemuSetupHostdevCgroup(virDomainObj *vm, if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) return -1; - if (path) { - VIR_DEBUG("Cgroup allow %s perms=%d", path, perms); - rv = virCgroupAllowDevicePath(priv->cgroup, path, perms, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path, - virCgroupGetDevicePermsString(perms), - rv); - if (rv < 0) - return -1; + if (path && + qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) { + return -1; } - if (qemuHostdevNeedsVFIO(dev)) { - VIR_DEBUG("Cgroup allow %s perms=%d", QEMU_DEV_VFIO, VIR_CGROUP_DEVICE_RW); - rv = virCgroupAllowDevicePath(priv->cgroup, QEMU_DEV_VFIO, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", - QEMU_DEV_VFIO, "rw", rv); - if (rv < 0) - return -1; + if (qemuHostdevNeedsVFIO(dev) && + qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO, + VIR_CGROUP_DEVICE_RW, false) < 0) { + return -1; } return 0; @@ -510,7 +501,6 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm, virDomainMemoryDef *mem) { qemuDomainObjPrivate *priv = vm->privateData; - int rv; if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM && mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM) @@ -519,13 +509,8 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm, if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; - VIR_DEBUG("Setting devices Cgroup for NVDIMM device: %s", mem->nvdimmPath); - rv = virCgroupAllowDevicePath(priv->cgroup, mem->nvdimmPath, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", - mem->nvdimmPath, "rw", rv); - - return rv; + return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath, + VIR_CGROUP_DEVICE_RW, false); }
@@ -557,17 +542,12 @@ qemuSetupGraphicsCgroup(virDomainObj *vm, { qemuDomainObjPrivate *priv = vm->privateData; const char *rendernode = virDomainGraphicsGetRenderNode(gfx); - int ret; if (!rendernode || !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; - ret = virCgroupAllowDevicePath(priv->cgroup, rendernode, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", rendernode, - "rw", ret); - return ret; + return qemuCgroupAllowDevicePath(vm, rendernode, VIR_CGROUP_DEVICE_RW, false); } @@ -577,7 +557,6 @@ qemuSetupVideoCgroup(virDomainObj *vm, { qemuDomainObjPrivate *priv = vm->privateData; virDomainVideoAccelDef *accel = def->accel; - int ret; if (!accel) return 0; @@ -586,11 +565,8 @@ qemuSetupVideoCgroup(virDomainObj *vm, !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; - ret = virCgroupAllowDevicePath(priv->cgroup, accel->rendernode, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", accel->rendernode, - "rw", ret); - return ret; + return qemuCgroupAllowDevicePath(vm, accel->rendernode, + VIR_CGROUP_DEVICE_RW, false); } static int @@ -617,21 +593,14 @@ qemuSetupRNGCgroup(virDomainObj *vm, virDomainRNGDef *rng) { qemuDomainObjPrivate *priv = vm->privateData; - int rv; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; - if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) { - VIR_DEBUG("Setting Cgroup ACL for RNG device"); - rv = virCgroupAllowDevicePath(priv->cgroup, - rng->source.file, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", - rng->source.file, - "rw", rv); - if (rv < 0) - return -1; + if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM && + qemuCgroupAllowDevicePath(vm, rng->source.file, + VIR_CGROUP_DEVICE_RW, false) < 0) { + return -1; } return 0;
@@ -684,16 +653,12 @@ static int qemuSetupSEVCgroup(virDomainObj *vm) { qemuDomainObjPrivate *priv = vm->privateData; - int ret; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; - ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev", - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev", - "rw", ret); - return ret; + return qemuCgroupAllowDevicePath(vm, "/dev/sev", + VIR_CGROUP_DEVICE_RW, false); } static int
@@ -759,9 +724,7 @@ qemuSetupDevicesCgroup(virDomainObj *vm) continue; } - rv = virCgroupAllowDevicePath(priv->cgroup, deviceACL[i], - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "allow", deviceACL[i], "rw", rv); + rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], VIR_CGROUP_DEVICE_RW, false); if (rv < 0 && !virLastErrorIsSystemErrno(ENOENT)) return -1;
-- 
2.34.1
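Review bot: in the new qemuCgroupAllowDevicePath() hunk (@@ -54,6 +54,26 @@) virCgroupGetDevicePermsString(perms) is evaluated twice, once for the VIR_DEBUG and again for virDomainAuditCgroupPath(); computing it once into a local (say `const char *permsStr`) keeps the debug line and the audit record guaranteed to describe the same permissions and saves the second call.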
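Review bot: in the qemuSetupInputCgroup hunk (@@ -361,10 +364,8 @@) the `break;` left after the new `return qemuCgroupAllowDevicePath(...)` is unreachable; drop it, or keep `ret = qemuCgroupAllowDevicePath(...)` and fall through to the function's existing `return ret;`, so the switch arm has a single exit and does not trip unreachable-code warnings.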
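Review bot: the qemuSetupDevicesCgroup hunk (@@ -759,9 +724,7 @@) still tests `!virLastErrorIsSystemErrno(ENOENT)` after the call, which now depends on the virDomainAuditCgroupPath() call inside qemuCgroupAllowDevicePath() leaving the last libvirt error from virCgroupAllowDevicePath() intact. The ordering is the same as before the patch, but the dependency is now hidden inside the helper; a comment in qemuCgroupAllowDevicePath() saying that it must not reset the last error because this caller inspects it for ENOENT would keep a later refactor from silently breaking the optional-device handling for the deviceACL list.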
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 3/4] qemu_cgroup: Introduce and use qemuCgroupDenyDevicePath()
Date: Tue, 15 Mar 2022 17:07:18 +0100

In all cases virCgroupDenyDevicePath() is followed by virDomainAuditCgroupPath(). Might as well pack that into one function and call it.

Signed-off-by: Michal Privoznik
---
 src/qemu/qemu_cgroup.c | 106 +++++++++++++++++------------------------
 1 file changed, 44 insertions(+), 62 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 258172c5a5..c46e7878bc 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -74,6 +74,26 @@ qemuCgroupAllowDevicePath(virDomainObj *vm, } +static int +qemuCgroupDenyDevicePath(virDomainObj *vm, + const char *path, + int perms, + bool ignoreEacces) +{ + qemuDomainObjPrivate *priv = vm->privateData; + int ret; + + VIR_DEBUG("Deny path %s, perms: %s", + path, virCgroupGetDevicePermsString(perms)); + + ret = virCgroupDenyDevicePath(priv->cgroup, path, perms, ignoreEacces); + + virDomainAuditCgroupPath(vm, priv->cgroup, "deny", path, + virCgroupGetDevicePermsString(perms), ret); + return ret; +} + + static int qemuSetupImagePathCgroup(virDomainObj *vm, const char *path, @@ -199,10 +219,8 @@ qemuTeardownImageCgroup(virDomainObj *vm, if (!hasNVMe && !qemuDomainNeedsVFIO(vm->def)) { - ret = virCgroupDenyDevicePath(priv->cgroup, QEMU_DEV_VFIO, perms, true); - virDomainAuditCgroupPath(vm, priv->cgroup, "deny", - QEMU_DEV_VFIO, - virCgroupGetDevicePermsString(perms), ret); + ret = qemuCgroupDenyDevicePath(vm, QEMU_DEV_VFIO, perms, true); + if (ret < 0) return -1; } @@ -218,23 +236,16 @@ qemuTeardownImageCgroup(virDomainObj *vm, if (!hasPR && virFileExists(QEMU_DEVICE_MAPPER_CONTROL_PATH)) { - VIR_DEBUG("Disabling device mapper control"); - ret = virCgroupDenyDevicePath(priv->cgroup, - QEMU_DEVICE_MAPPER_CONTROL_PATH, - perms, true); - virDomainAuditCgroupPath(vm, priv->cgroup, "deny", - QEMU_DEVICE_MAPPER_CONTROL_PATH, - virCgroupGetDevicePermsString(perms), ret); + ret = qemuCgroupDenyDevicePath(vm, QEMU_DEVICE_MAPPER_CONTROL_PATH, + perms, true); + if (ret < 0) return ret; } VIR_DEBUG("Deny path %s", path); - ret = virCgroupDenyDevicePath(priv->cgroup, path, perms, true); - - virDomainAuditCgroupPath(vm, priv->cgroup, "deny", path, - virCgroupGetDevicePermsString(perms), ret); + ret = qemuCgroupDenyDevicePath(vm, path, perms, true); /* If you're looking for a counter part to * qemuSetupImagePathCgroup you're at the right place.
@@ -305,7 +316,6 @@ qemuTeardownChrSourceCgroup(virDomainObj *vm, virDomainChrSourceDef *source) { qemuDomainObjPrivate *priv = vm->privateData; - int ret; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; @@ -315,12 +325,8 @@ qemuTeardownChrSourceCgroup(virDomainObj *vm, VIR_DEBUG("Process path '%s' for device", source->data.file.path); - ret = virCgroupDenyDevicePath(priv->cgroup, source->data.file.path, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "deny", - source->data.file.path, "rw", ret); - - return ret; + return qemuCgroupDenyDevicePath(vm, source->data.file.path, + VIR_CGROUP_DEVICE_RW, false); } @@ -378,7 +384,6 @@ qemuTeardownInputCgroup(virDomainObj *vm, virDomainInputDef *dev) { qemuDomainObjPrivate *priv = vm->privateData; - int ret = 0; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; @@ -386,14 +391,12 @@ qemuTeardownInputCgroup(virDomainObj *vm, switch (dev->type) { case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: case VIR_DOMAIN_INPUT_TYPE_EVDEV: - VIR_DEBUG("Process path '%s' for input device", dev->source.evdev); - ret = virCgroupDenyDevicePath(priv->cgroup, dev->source.evdev, - VIR_CGROUP_DEVICE_RWM, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "deny", dev->source.evdev, "rwm", ret); + return qemuCgroupDenyDevicePath(vm, dev->source.evdev, + VIR_CGROUP_DEVICE_RWM, false); break; } - return ret; + return 0; } @@ -453,7 +456,6 @@ qemuTeardownHostdevCgroup(virDomainObj *vm, { qemuDomainObjPrivate *priv = vm->privateData; g_autofree char *path = NULL; - int rv; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0;
@@ -471,25 +473,16 @@ qemuTeardownHostdevCgroup(virDomainObj *vm, if (qemuDomainGetHostdevPath(dev, &path, NULL) < 0) return -1; - if (path) { - VIR_DEBUG("Cgroup deny %s", path); - rv = virCgroupDenyDevicePath(priv->cgroup, path, - VIR_CGROUP_DEVICE_RWM, false); - virDomainAuditCgroupPath(vm, priv->cgroup, - "deny", path, "rwm", rv); - if (rv < 0) - return -1; + if (path && + qemuCgroupDenyDevicePath(vm, path, VIR_CGROUP_DEVICE_RWM, false) < 0) { + return -1; } if (qemuHostdevNeedsVFIO(dev) && - !qemuDomainNeedsVFIO(vm->def)) { - VIR_DEBUG("Cgroup deny " QEMU_DEV_VFIO); - rv = virCgroupDenyDevicePath(priv->cgroup, QEMU_DEV_VFIO, - VIR_CGROUP_DEVICE_RWM, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "deny", - QEMU_DEV_VFIO, "rwm", rv); - if (rv < 0) - return -1; + !qemuDomainNeedsVFIO(vm->def) && + qemuCgroupDenyDevicePath(vm, QEMU_DEV_VFIO, + VIR_CGROUP_DEVICE_RWM, false) < 0) { + return -1; } return 0; @@ -519,7 +512,6 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm, virDomainMemoryDef *mem) { qemuDomainObjPrivate *priv = vm->privateData; - int rv; if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM && mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM) @@ -528,11 +520,8 @@ qemuTeardownMemoryDevicesCgroup(virDomainObj *vm, if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; - rv = virCgroupDenyDevicePath(priv->cgroup, mem->nvdimmPath, - VIR_CGROUP_DEVICE_RWM, false); - virDomainAuditCgroupPath(vm, priv->cgroup, - "deny", mem->nvdimmPath, "rwm", rv); - return rv; + return qemuCgroupDenyDevicePath(vm, mem->nvdimmPath, + VIR_CGROUP_DEVICE_RWM, false); }
@@ -612,21 +601,14 @@ qemuTeardownRNGCgroup(virDomainObj *vm, virDomainRNGDef *rng) { qemuDomainObjPrivate *priv = vm->privateData; - int rv; if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) return 0; - if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) { - VIR_DEBUG("Tearing down Cgroup ACL for RNG device"); - rv = virCgroupDenyDevicePath(priv->cgroup, - rng->source.file, - VIR_CGROUP_DEVICE_RW, false); - virDomainAuditCgroupPath(vm, priv->cgroup, "deny", - rng->source.file, - "rw", rv); - if (rv < 0) - return -1; + if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM && + qemuCgroupDenyDevicePath(vm, rng->source.file, + VIR_CGROUP_DEVICE_RW, false) < 0) { + return -1; } return 0;
-- 
2.34.1
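Review bot: the first qemuTeardownImageCgroup hunk (@@ -199,10 +219,8 @@) adds an empty line between `ret = qemuCgroupDenyDevicePath(vm, QEMU_DEV_VFIO, perms, true);` and its `if (ret < 0)` check (the hunk counts only balance with a blank `+` line there), and the device-mapper part of the following hunk does the same; the rest of the file checks the return value on the very next line, so drop the added blank lines for consistency.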
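Review bot: in the second qemuTeardownImageCgroup hunk (@@ -218,23 +236,16 @@) the context line `VIR_DEBUG("Deny path %s", path);` is kept immediately before the new `ret = qemuCgroupDenyDevicePath(vm, path, perms, true);`, and the helper logs `Deny path %s, perms: %s` itself, so every image teardown now writes two near-identical debug lines; drop the caller's VIR_DEBUG as the other hunks in this patch do.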
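Review bot: in the qemuTeardownInputCgroup hunk (@@ -386,14 +391,12 @@) the `break;` after the new `return qemuCgroupDenyDevicePath(...)` is unreachable, the same pattern as the setup side in patch 2; drop it, or assign to a local and fall through to the function's final `return`, so the switch arm has one exit and compiles without unreachable-code warnings.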
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 4/4] qemu_cgroup: Don't deny devices from cgroupDeviceACL
Date: Tue, 15 Mar 2022 17:07:19 +0100

On domain startup a couple of devices are allowed in the devices
controller no matter the domain configuration. The aim is to allow
devices crucial for QEMU or one of its libraries, or a user is passing
through a device (e.g. through additional cmd line arguments) and wants
QEMU to access it.

However, during unplug it may happen that a device is configured to use
one of such devices and since we deny /dev nodes on hotplug we would
deny such a device too. For example, /dev/urandom belongs on the list of
implicit devices and users can hotplug and hotunplug an RNG device with
/dev/urandom as the backend.

The fix is fortunately simple - just consult the list of implicit
devices before removing the device from the namespace.

Signed-off-by: Michal Privoznik
---
 src/qemu/qemu_cgroup.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index c46e7878bc..aa0c927578 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -81,8 +81,19 @@ qemuCgroupDenyDevicePath(virDomainObj *vm, bool ignoreEacces) { qemuDomainObjPrivate *priv =3D vm->privateData; + g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); + const char *const *deviceACL =3D (const char *const *)cfg->cgroupDevic= eACL; int ret; =20 + if (!deviceACL) + deviceACL =3D defaultDeviceACL; + + if (g_strv_contains(deviceACL, path)) { + VIR_DEBUG("Skipping deny of path %s in CGroups because it's in cgr= oupDeviceACL", + path); + return 0; + } + VIR_DEBUG("Deny path %s, perms: %s", path, virCgroupGetDevicePermsString(perms)); =20 --=20 2.34.1
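Review bot: the new early return in qemuCgroupDenyDevicePath() decides on an exact string match, `g_strv_contains(deviceACL, path)`, so it only protects a device when `path` is spelled exactly as the entry in `cfg->cgroupDeviceACL` (or in `defaultDeviceACL`); the same node reached through a symlink or an alternative spelling would still be denied, and the `/dev/urandom` case from the commit message works only because both the allow side and this deny side use that literal string. A one-line comment above the check saying that the comparison is on the literal path, and that `cfg->cgroupDeviceACL` must be NULL-terminated for `g_strv_contains()` to be safe, would make that contract visible to the next reader. The hunk also references `defaultDeviceACL` without defining it, so it relies on that array already being declared earlier in qemu_cgroup.c; worth stating in the commit message that this is the same list qemuSetupDevicesCgroup() allows from, since keeping the two lists identical is what makes skipping the deny here correct.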