From: Pavel Hrdina
To: libvir-list@redhat.com
Date: Mon, 14 Jan 2019 16:47:45 +0100
Message-Id: <368c20c10ce648acf74a37f57168a1de3d7bc46f.1547480099.git.phrdina@redhat.com>
Subject: [libvirt] [PATCH v2 11/17] vircgroup: introduce virCgroupV2DenyDevice

In order to deny a device we need to check if there is any entry in the BPF map, and we need to load the current value from the map if there is already an entry for that device. If both values are the same we can remove that entry, but if they are different we need to update the entry because we don't have to deny all access, but for example only write access.

Signed-off-by: Pavel Hrdina
--- src/util/vircgroupv2.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c index 962d41ba0a..b6c09baadc 100644 --- a/src/util/vircgroupv2.c +++ b/src/util/vircgroupv2.c
@@ -1598,6 +1598,46 @@ virCgroupV2AllowDevice(virCgroupPtr group, } =20 =20 +static int +virCgroupV2DenyDevice(virCgroupPtr group, + char type, + int major, + int minor, + int perms) +{ + uint64_t key =3D virCgroupV2DevicesGetKey(major, minor); + uint32_t newval =3D virCgroupV2DevicesGetPerms(perms, type); + uint32_t val =3D 0; + + if (virCgroupV2DevicesPrepareProg(group) < 0) + return -1; + + if (group->unified.devices.count <=3D 0 || + virBPFLookupElem(group->unified.devices.mapfd, &key, &val) < 0) { + VIR_DEBUG("nothing to do, device is not allowed"); + return 0; + } + + if (newval =3D=3D val) { + if (virBPFDeleteElem(group->unified.devices.mapfd, &key) < 0) { + virReportSystemError(errno, "%s", + _("failed to remove device from BPF cgrou= p map")); + return -1; + } + group->unified.devices.count--; + } else { + val ^=3D val & newval; + if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0= ) { + virReportSystemError(errno, "%s", + _("failed to update device in BPF cgroup = map")); + return -1; + } + } + + return 0; +} + + virCgroupBackend virCgroupV2Backend =3D { .type =3D VIR_CGROUP_BACKEND_TYPE_V2, =20 @@ -1648,6 +1688,7 @@ virCgroupBackend virCgroupV2Backend =3D { .getMemSwapUsage =3D virCgroupV2GetMemSwapUsage, =20 .allowDevice =3D virCgroupV2AllowDevice, + .denyDevice =3D virCgroupV2DenyDevice, =20 .setCpuShares =3D virCgroupV2SetCpuShares, .getCpuShares =3D virCgroupV2GetCpuShares, --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
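
Review bot: In virCgroupV2DenyDevice, any failure of virBPFLookupElem is logged as "nothing to do, device is not allowed" and the function returns 0, so a lookup error other than a missing key makes the deny call report success without changing the map, and the device can stay allowed. Distinguish the not-found case (for example via errno) and return -1 with virReportSystemError for everything else. Also, the delete path only runs on `newval == val`: when the denied bits cover every bit in the stored value without being identical to it, the else branch computes `val ^= val & newval`, which leaves `val` at 0, writes that back with virBPFUpdateElem, keeps the key in the map and does not decrement `group->unified.devices.count`. Computing the masked value first and deleting the entry when nothing remains would keep the map and the counter consistent. A one-line comment explaining why `count <= 0` short-circuits the lookup would help readers.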