From: Praveen K Paladugu <prapal@linux.microsoft.com>
A domain that runs with TCG emulation does not need kvm device, so drop
it from default device ACL.
Dynamically grant access to /dev/kvm based on domain type.
Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com>
---
src/qemu/qemu.conf.in | 3 +--
src/qemu/qemu_cgroup.c | 10 ++++++++--
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_namespace.c | 9 +++++++--
src/qemu/test_libvirtd_qemu.aug.in | 3 +--
5 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index fc91ba8f08..0a8abd9544 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -618,8 +618,7 @@
#cgroup_device_acl = [
# "/dev/null", "/dev/full", "/dev/zero",
# "/dev/random", "/dev/urandom",
-# "/dev/ptmx", "/dev/kvm",
-# "/dev/userfaultfd"
+# "/dev/ptmx", "/dev/userfaultfd"
#]
#
# RDMA migration requires the following extra files to be added to the list:
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index f10976c2b0..46a7dc1d8b 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -41,8 +41,7 @@ VIR_LOG_INIT("qemu.qemu_cgroup");
const char *const defaultDeviceACL[] = {
"/dev/null", "/dev/full", "/dev/zero",
"/dev/random", "/dev/urandom",
- "/dev/ptmx", "/dev/kvm",
- "/dev/userfaultfd",
+ "/dev/ptmx", "/dev/userfaultfd",
NULL,
};
#define DEVICE_PTY_MAJOR 136
@@ -783,6 +782,13 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
if (qemuCgroupAllowDevicesPaths(vm, deviceACL, VIR_CGROUP_DEVICE_RW, false) < 0)
return -1;
+ if (vm->def->virtType == VIR_DOMAIN_VIRT_KVM) {
+ /* KVM requires access to /dev/kvm */
+ if (qemuCgroupAllowDevicePath(vm, QEMU_DEV_KVM, VIR_CGROUP_DEVICE_RW,
+ false) < 0)
+ return -1;
+ }
+
if (qemuSetupFirmwareCgroup(vm) < 0)
return -1;
diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h
index f4945f598a..fe4ba4fa15 100644
--- a/src/qemu/qemu_domain.h
+++ b/src/qemu/qemu_domain.h
@@ -89,6 +89,7 @@ struct _qemuDomainUnpluggingDevice {
#define QEMU_DEV_SGX_PROVISION "/dev/sgx_provision"
#define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
#define QEMU_DEV_UDMABUF "/dev/udmabuf"
+#define QEMU_DEV_KVM "/dev/kvm"
#define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index f72da83929..ca12fcf587 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -210,13 +210,18 @@ qemuDomainGetPreservedMounts(virQEMUDriverConfig *cfg,
static int
qemuDomainPopulateDevices(virQEMUDriverConfig *cfg,
+ virDomainObj *vm,
GSList **paths)
{
const char *const *devices = (const char *const *) cfg->cgroupDeviceACL;
size_t i;
- if (!devices)
+ if (!devices) {
devices = defaultDeviceACL;
+ if (vm->def->virtType == VIR_DOMAIN_VIRT_KVM) {
+ *paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_KVM));
+ }
+ }
for (i = 0; devices[i]; i++) {
*paths = g_slist_prepend(*paths, g_strdup(devices[i]));
@@ -694,7 +699,7 @@ qemuDomainBuildNamespace(virQEMUDriverConfig *cfg,
return 0;
}
- if (qemuDomainPopulateDevices(cfg, &paths) < 0)
+ if (qemuDomainPopulateDevices(cfg, vm, &paths) < 0)
return -1;
if (qemuDomainSetupAllDisks(vm, &paths) < 0)
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index 90012b3f52..82cfec3b4b 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -76,8 +76,7 @@ module Test_libvirtd_qemu =
{ "4" = "/dev/random" }
{ "5" = "/dev/urandom" }
{ "6" = "/dev/ptmx" }
- { "7" = "/dev/kvm" }
- { "8" = "/dev/userfaultfd" }
+ { "7" = "/dev/userfaultfd" }
}
{ "save_image_format" = "raw" }
{ "dump_image_format" = "raw" }
--
2.51.0