From: Praveen K Paladugu
To: devel@lists.libvirt.org
CC: liuwe@microsoft.com
Subject: [PATCH] qemu: Drop /dev/kvm from default device ACL
Date: Fri, 17 Oct 2025 11:54:53 -0500
Message-ID: <20251017165453.28304-1-praveenkpaladugu@gmail.com>

A domain that runs with TCG emulation does not need kvm device, so drop it
from default device ACL.

To dynamically add devices to defaultDeviceACL, make it a GSList. This
variable will be initialized when qemu driver is initialized.

Lastly, dynamically append /dev/kvm to default ACL only if the domain is of
type VIR_DOMAIN_VIRT_KVM.

Signed-off-by: Praveen K Paladugu
---
 src/qemu/qemu.conf.in | 3 +-
 src/qemu/qemu_cgroup.c | 52 ++++++++++++++++++++++--------
 src/qemu/qemu_cgroup.h | 5 ++-
 src/qemu/qemu_conf.c | 14 ++++++--
 src/qemu/qemu_conf.h | 2 +-
 src/qemu/qemu_driver.c | 4 +++
 src/qemu/qemu_namespace.c | 12 +++----
 src/qemu/qemu_process.c | 6 ++--
 src/qemu/test_libvirtd_qemu.aug.in | 3 +-
 9 files changed, 71 insertions(+), 30 deletions(-)

diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index fc91ba8f08..0a8abd9544 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in 
@@ -618,8 +618,7 @@ #cgroup_device_acl =3D [ # "/dev/null", "/dev/full", "/dev/zero", # "/dev/random", "/dev/urandom", -# "/dev/ptmx", "/dev/kvm", -# "/dev/userfaultfd" +# "/dev/ptmx", "/dev/userfaultfd" #] # # RDMA migration requires the following extra files to be added to the lis= t: diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index f10976c2b0..b2dcefd81e 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -38,17 +38,38 @@ =20 VIR_LOG_INIT("qemu.qemu_cgroup"); =20 -const char *const defaultDeviceACL[] =3D { +GSList *defaultDeviceACL; + +const char *const _defaultDeviceACL[] =3D { "/dev/null", "/dev/full", "/dev/zero", "/dev/random", "/dev/urandom", - "/dev/ptmx", "/dev/kvm", - "/dev/userfaultfd", + "/dev/ptmx", "/dev/userfaultfd", NULL, }; #define DEVICE_PTY_MAJOR 136 #define DEVICE_SND_MAJOR 116 =20 =20 +void +initDefaultDeviceACL(void) +{ + size_t i; + + for (i =3D 0; _defaultDeviceACL[i] !=3D NULL; i++) { + defaultDeviceACL =3D g_slist_append(defaultDeviceACL, + g_strdup(_defaultDeviceACL[i])= ); + } +} + +void +updateDefaultDeviceACL(virDomainObj *vm) +{ + if (vm->def->virtType =3D=3D VIR_DOMAIN_VIRT_KVM) { + defaultDeviceACL =3D g_slist_append(defaultDeviceACL, + g_strdup("/dev/kvm")); + } +} + static int qemuCgroupAllowDevicePath(virDomainObj *vm, const char *path, 
@@ -71,19 +92,19 @@ qemuCgroupAllowDevicePath(virDomainObj *vm, =20 static int qemuCgroupAllowDevicesPaths(virDomainObj *vm, - const char *const *deviceACL, + GSList *deviceACL, int perms, bool ignoreEacces) { - size_t i; + GSList *cur =3D NULL; =20 - for (i =3D 0; deviceACL[i] !=3D NULL; i++) { - if (!virFileExists(deviceACL[i])) { - VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]); + for (cur =3D deviceACL; cur; cur =3D g_slist_next(cur)) { + if (!virFileExists(cur->data)) { + VIR_DEBUG("Ignoring non-existent device %s", (char *)cur->data= ); continue; } =20 - if (qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacce= s) < 0) + if (qemuCgroupAllowDevicePath(vm, cur->data, perms, ignoreEacces) = < 0) return -1; } =20 @@ -99,13 +120,13 @@ qemuCgroupDenyDevicePath(virDomainObj *vm, { qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); - const char *const *deviceACL =3D (const char *const *)cfg->cgroupDevic= eACL; int ret; + GSList *deviceACL =3D cfg->cgroupDeviceACL; =20 if (!deviceACL) deviceACL =3D defaultDeviceACL; =20 - if (g_strv_contains(deviceACL, path)) { + if (g_slist_find(deviceACL, path)) { VIR_DEBUG("Skipping deny of path %s in CGroups because it's in cgr= oupDeviceACL", path); return 0; @@ -556,8 +577,11 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm, virDomainMemoryDef *mem) { qemuDomainObjPrivate *priv =3D vm->privateData; - const char *const sgxPaths[] =3D { QEMU_DEV_SGX_VEPVC, - QEMU_DEV_SGX_PROVISION, NULL }; + g_autoptr(virGSListString) sgxPaths =3D NULL; + + sgxPaths =3D g_slist_append(sgxPaths, g_strdup(QEMU_DEV_SGX_VEPVC)); + sgxPaths =3D g_slist_append(sgxPaths, g_strdup(QEMU_DEV_SGX_PROVISION)= ); + sgxPaths =3D g_slist_append(sgxPaths, NULL); =20 if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) return 0; 
@@ -758,7 +782,7 @@ qemuSetupDevicesCgroup(virDomainObj *vm) { qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); - const char *const *deviceACL =3D (const char *const *) cfg->cgroupDevi= ceACL; + GSList *deviceACL =3D cfg->cgroupDeviceACL; int rv =3D -1; size_t i; =20 diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h index 3668034cde..402120a8f2 100644 --- a/src/qemu/qemu_cgroup.h +++ b/src/qemu/qemu_cgroup.h @@ -66,4 +66,7 @@ struct _qemuCgroupEmulatorAllNodesData { char *emulatorMemMask; }; =20 -extern const char *const defaultDeviceACL[]; +void updateDefaultDeviceACL(virDomainObj *vm); +void initDefaultDeviceACL(void); + +extern GSList *defaultDeviceACL; diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c index 242955200a..a19a86cd70 100644 --- a/src/qemu/qemu_conf.c +++ b/src/qemu/qemu_conf.c @@ -345,7 +345,8 @@ static void virQEMUDriverConfigDispose(void *obj) =20 virBitmapFree(cfg->namespaces); =20 - g_strfreev(cfg->cgroupDeviceACL); + g_slist_free(cfg->cgroupDeviceACL); + cfg->cgroupDeviceACL =3D NULL; g_free(cfg->uri); =20 g_free(cfg->configBaseDir); @@ -1068,6 +1069,7 @@ virQEMUDriverConfigLoadSecurityEntry(virQEMUDriverCon= fig *cfg, g_auto(GStrv) namespaces =3D NULL; g_autofree char *user =3D NULL; g_autofree char *group =3D NULL; + char **cgroupDeviceACL =3D NULL; size_t i, j; =20 if (virConfGetValueStringList(conf, "security_driver", true, &cfg->sec= urityDriverNames) < 0) 
@@ -1125,9 +1127,17 @@ virQEMUDriverConfigLoadSecurityEntry(virQEMUDriverCo= nfig *cfg, } =20 if (virConfGetValueStringList(conf, "cgroup_device_acl", false, - &cfg->cgroupDeviceACL) < 0) + &cgroupDeviceACL) < 0) return -1; =20 + if (cgroupDeviceACL) { + for (i =3D 0; cgroupDeviceACL[i] !=3D NULL; i++) { + cfg->cgroupDeviceACL =3D g_slist_append(cfg->cgroupDeviceACL, + g_strdup(cgroupDeviceACL= [i])); + } + g_strfreev(cgroupDeviceACL); + } + if (virConfGetValueInt(conf, "seccomp_sandbox", &cfg->seccompSandbox) = < 0) return -1; =20 diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h index edb65c99f4..bef198c2c8 100644 --- a/src/qemu/qemu_conf.h +++ b/src/qemu/qemu_conf.h @@ -96,7 +96,7 @@ struct _virQEMUDriverConfig { bool rememberOwner; =20 int cgroupControllers; - char **cgroupDeviceACL; + GSList *cgroupDeviceACL; =20 /* These five directories are ones libvirtd uses (so must be root:root * to avoid security risk from QEMU processes */ diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index ac72ea5cb0..a5fff3dfb1 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -52,6 +52,7 @@ #include "qemu_saveimage.h" #include "qemu_snapshot.h" #include "qemu_validate.h" +#include "qemu_cgroup.h" =20 #include "virerror.h" #include "virlog.h" @@ -910,6 +911,8 @@ qemuStateInitialize(bool privileged, }; virDomainDriverAutoStart(qemu_driver->domains, &autostartCfg); =20 + initDefaultDeviceACL(); + return VIR_DRV_STATE_INIT_COMPLETE; =20 error: @@ -1037,6 +1040,7 @@ qemuStateCleanup(void) if (qemu_driver->lockFD !=3D -1) virPidFileRelease(qemu_driver->config->stateDir, "driver", qemu_dr= iver->lockFD); =20 + g_slist_free(defaultDeviceACL); virObjectUnref(qemu_driver->config); virMutexDestroy(&qemu_driver->lock); VIR_FREE(qemu_driver); diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index f72da83929..74e2730d2d 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c 
@@ -212,14 +212,14 @@ static int qemuDomainPopulateDevices(virQEMUDriverConfig *cfg, GSList **paths) { - const char *const *devices =3D (const char *const *) cfg->cgroupDevice= ACL; - size_t i; + GSList *devices =3D cfg->cgroupDeviceACL; + GSList *cur =3D NULL; =20 if (!devices) devices =3D defaultDeviceACL; =20 - for (i =3D 0; devices[i]; i++) { - *paths =3D g_slist_prepend(*paths, g_strdup(devices[i])); + for (cur =3D devices; cur; cur =3D g_slist_next(cur)) { + *paths =3D g_slist_prepend(*paths, g_strdup(cur->data)); } =20 return 0; @@ -1459,7 +1459,7 @@ qemuNamespaceUnlinkPaths(virDomainObj *vm, if (STRPREFIX(path, QEMU_DEVPREFIX)) { GStrv mount; bool inSubmount =3D false; - const char *const *devices =3D (const char *const *)cfg->cgrou= pDeviceACL; + GSList *devices =3D cfg->cgroupDeviceACL; =20 for (mount =3D devMountsPath; *mount; mount++) { if (STREQ(*mount, "/dev")) @@ -1477,7 +1477,7 @@ qemuNamespaceUnlinkPaths(virDomainObj *vm, if (!devices) devices =3D defaultDeviceACL; =20 - if (g_strv_contains(devices, path)) + if (g_slist_find(devices, path)) continue; =20 unlinkPaths =3D g_slist_prepend(unlinkPaths, g_strdup(path)); diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 9926998f85..d3a78266ef 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -3038,7 +3038,7 @@ qemuProcessAllowPostCopyMigration(virDomainObj *vm) qemuDomainObjPrivate *priv =3D vm->privateData; virQEMUDriver *driver =3D priv->driver; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(driver); - const char *const *devices =3D (const char *const *) cfg->cgroupDevice= ACL; + GSList *devices =3D cfg->cgroupDeviceACL; const char *uffd =3D "/dev/userfaultfd"; int rc; =20 @@ -3050,7 +3050,7 @@ qemuProcessAllowPostCopyMigration(virDomainObj *vm) if (!devices) devices =3D defaultDeviceACL; =20 - if (!g_strv_contains(devices, uffd)) { + if (!g_slist_find(devices, uffd)) { VIR_DEBUG("%s is not allowed by device ACL", uffd); return 0; } 
@@ -8193,6 +8193,8 @@ qemuProcessLaunch(virConnectPtr conn, goto cleanup; } =20 + updateDefaultDeviceACL(vm); + VIR_DEBUG("Building domain mount namespace (if required)"); if (qemuDomainBuildNamespace(cfg, vm) < 0) goto cleanup; diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qe= mu.aug.in index 90012b3f52..82cfec3b4b 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -76,8 +76,7 @@ module Test_libvirtd_qemu =3D { "4" =3D "/dev/random" } { "5" =3D "/dev/urandom" } { "6" =3D "/dev/ptmx" } - { "7" =3D "/dev/kvm" } - { "8" =3D "/dev/userfaultfd" } + { "7" =3D "/dev/userfaultfd" } } { "save_image_format" =3D "raw" } { "dump_image_format" =3D "raw" } --=20 2.51.0
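
Review bot: the comment block above cgroup_device_acl in src/qemu/qemu.conf.in (hunk @@ -618,8 +618,7 @@) needs a sentence stating that "/dev/kvm" is now appended automatically for VIR_DOMAIN_VIRT_KVM domains, and only while cgroup_device_acl is left unset. Every consumer touched by this patch falls back to defaultDeviceACL only under "if (!devices)" or "if (!deviceACL)", and updateDefaultDeviceACL() appends only to defaultDeviceACL, so an administrator who uncomments the list as now documented gets no /dev/kvm for KVM guests. Either document that explicitly or apply the per-domain append to the configured list as well.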
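
Review bot: updateDefaultDeviceACL() in src/qemu/qemu_cgroup.c (hunk @@ -38,17 +38,38 @@) appends "/dev/kvm" to the driver-wide defaultDeviceACL, which defeats the purpose of the change. qemuProcessLaunch() calls it on every start, so after the first KVM domain launches the entry stays in the shared list and every later TCG domain gets /dev/kvm as well, and each further KVM launch adds another duplicate copy. Keep the default list constant and build the per-domain list at the point of use, adding /dev/kvm there when vm->def->virtType == VIR_DOMAIN_VIRT_KVM.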
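
Review bot: "if (g_slist_find(deviceACL, path))" in qemuCgroupDenyDevicePath() (src/qemu/qemu_cgroup.c, hunk @@ -99,13 +120,13 @@) is not equivalent to the g_strv_contains() call it replaces. g_slist_find() compares the data pointers, not the strings, and the list elements are g_strdup() copies, so the lookup never matches and the "Skipping deny" branch is never taken for paths that are in the ACL. Use g_slist_find_custom(deviceACL, path, (GCompareFunc) g_strcmp0) or a small helper shared by all three call sites.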
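
Review bot: "sgxPaths = g_slist_append(sgxPaths, NULL);" in qemuSetupMemoryDevicesCgroup() (src/qemu/qemu_cgroup.c, hunk @@ -556,8 +577,11 @@) should be dropped. A GSList needs no terminator; this adds a real element whose data is NULL, and a walker that stops at the end of the list, like the rewritten loop in qemuCgroupAllowDevicesPaths(), will pass that NULL to virFileExists() and to the "%s" in VIR_DEBUG.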
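
Review bot: "g_slist_free(cfg->cgroupDeviceACL);" in virQEMUDriverConfigDispose() (src/qemu/qemu_conf.c, hunk @@ -345,7 +345,8 @@) leaks every string in the list. The g_strfreev() it replaces freed the strings too, while g_slist_free() releases only the list cells, and the elements are g_strdup() copies made in virQEMUDriverConfigLoadSecurityEntry(). Use g_slist_free_full(cfg->cgroupDeviceACL, g_free).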
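
Review bot: style point in virQEMUDriverConfigLoadSecurityEntry() (src/qemu/qemu_conf.c, hunk @@ -1125,9 +1127,17 @@): the temporary cgroupDeviceACL is a plain "char **" freed by hand with g_strfreev(), while the neighbouring "namespaces" local in the same function is declared g_auto(GStrv). Declare the temporary the same way and drop the explicit g_strfreev() so that any return path added later cannot leak it.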
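
Review bot: "g_slist_free(defaultDeviceACL);" in qemuStateCleanup() (src/qemu/qemu_driver.c, hunk @@ -1037,6 +1040,7 @@) leaks the g_strdup() copies created by initDefaultDeviceACL() and leaves the global pointing at freed cells. If qemuStateInitialize() runs again in the same process, initDefaultDeviceACL() will g_slist_append() onto that stale pointer. Use g_slist_free_full(g_steal_pointer(&defaultDeviceACL), g_free).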
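
Review bot: "if (g_slist_find(devices, path)) continue;" in qemuNamespaceUnlinkPaths() (src/qemu/qemu_namespace.c, hunk @@ -1477,7 +1477,7 @@) has the pointer-comparison problem noted for qemuCgroupDenyDevicePath(). The "continue" is never reached, so paths that are in the device ACL are added to unlinkPaths instead of being skipped. This needs a string comparison via g_slist_find_custom().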
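
Review bot: "if (!g_slist_find(devices, uffd))" in qemuProcessAllowPostCopyMigration() (src/qemu/qemu_process.c, hunk @@ -3050,7 +3050,7 @@) is now always true. uffd points at the string literal "/dev/userfaultfd" while the list holds g_strdup() copies, and g_slist_find() compares pointers, so the function always logs "is not allowed by device ACL" and returns 0 before doing anything else. Compare by string content with g_slist_find_custom().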