From: Pavel Hrdina
To: libvir-list@redhat.com
Date: Wed, 2 Jan 2019 15:08:45 +0100
Message-Id: <1a20e6f4f636171de64e94161862f29789aa7ea6.1546437956.git.phrdina@redhat.com>
Subject: [libvirt] [PATCH 13/19] vircgroup: introduce virCgroupV2DenyDevice

In order to deny a device we need to check if there is any entry in the BPF map, and we need to load the current value from the map if there is already an entry for that device. If both values are the same we can remove that entry, but if they are different we need to update the entry because we don't have to deny all access, but for example only write access.

Signed-off-by: Pavel Hrdina
--- src/util/vircgroupv2.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c index e579464ff3..aea7ba677f 100644 --- a/src/util/vircgroupv2.c +++ b/src/util/vircgroupv2.c
@@ -2030,6 +2030,46 @@ virCgroupV2AllowDevice(virCgroupPtr group, } =20 =20 +static int +virCgroupV2DenyDevice(virCgroupPtr group, + char type, + int major, + int minor, + int perms) +{ + __u64 key =3D virCgroupV2DeviceGetKey(major, minor); + __u32 newval =3D virCgroupV2DeviceGetPerms(perms, type); + __u32 val =3D 0; + + if (virCgroupV2DevicePrepareProg(group) < 0) + return -1; + + if (group->unified.devices.count <=3D 0 || + virBPFLookupElem(group->unified.devices.mapfd, &key, &val) < 0) { + VIR_DEBUG("nothing to do, device is not allowed"); + return 0; + } + + if (newval =3D=3D val) { + if (virBPFDeleteElem(group->unified.devices.mapfd, &key) < 0) { + virReportSystemError(errno, "%s", + _("failed to remove device from BPF cgrou= p map")); + return -1; + } + group->unified.devices.count--; + } else { + val ^=3D val & newval; + if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0= ) { + virReportSystemError(errno, "%s", + _("failed to update device in BPF cgroup = map")); + return -1; + } + } + + return 0; +} + + virCgroupBackend virCgroupV2Backend =3D { .type =3D VIR_CGROUP_BACKEND_TYPE_V2, =20 @@ -2080,6 +2120,7 @@ virCgroupBackend virCgroupV2Backend =3D { .getMemSwapUsage =3D virCgroupV2GetMemSwapUsage, =20 .allowDevice =3D virCgroupV2AllowDevice, + .denyDevice =3D virCgroupV2DenyDevice, =20 .setCpuShares =3D virCgroupV2SetCpuShares, .getCpuShares =3D virCgroupV2GetCpuShares, --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
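Review bot: In virCgroupV2DenyDevice, the check `virBPFLookupElem(group->unified.devices.mapfd, &key, &val) < 0` treats every lookup failure as "device is not allowed" and returns 0, so a deny request reports success even when the lookup failed for a reason other than a missing key, and the device may stay allowed in the map. Only the not-found case should take the "nothing to do" path (for example by checking errno for ENOENT, assuming virBPFLookupElem preserves it); any other failure should go through virReportSystemError and return -1. Separately, the `newval == val` test deletes the entry only on an exact match: when newval covers every bit of val plus more, the else branch computes `val ^= val & newval`, writes back an entry with no remaining bits, and leaves devices.count unchanged. Computing the remaining bits first and deleting the entry when none are left would handle both cases and keep the count accurate.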