In case when libvirt runs inside a restricted container it may
not have enough permissions to modify unpriv_sgio. However, it
may have been set beforehand by sysadmin or an orchestration
tool. Therefore, let's check whether the currently set value is
the one we want and if it is refrain from writing to the file.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2010306
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_conf.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 916a3d36ee..0451bc70ac 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -1878,9 +1878,17 @@ qemuSetUnprivSGIO(virDomainDeviceDef *dev)
      * whitelist is enabled.  But if requesting unfiltered access, always call
      * virSetDeviceUnprivSGIO, to report an error for unsupported unpriv_sgio.
      */
-    if ((virFileExists(sysfs_path) || val == 1) &&
-        virSetDeviceUnprivSGIO(path, NULL, val) < 0)
-        return -1;
+    if (virFileExists(sysfs_path) || val == 1) {
+        int curr_val;
+
+        if (virGetDeviceUnprivSGIO(path, NULL, &curr_val) < 0)
+            return -1;
+
+        if (curr_val != val &&
+            virSetDeviceUnprivSGIO(path, NULL, val) < 0) {
+            return -1;
+        }
+    }
 
     return 0;
 }
-- 
2.32.0

On a Tuesday in 2021, Michal Privoznik wrote:
>In case when libvirt runs inside a restricted container it may
>not have enough permissions to modify unpriv_sgio. However, it
>may have been set beforehand by sysadmin or an orchestration
>tool. Therefore, let's check whether the currently set value is
>the one we want and if it is refrain from writing to the file.
>
>Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2010306
>Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>---
> src/qemu/qemu_conf.c | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>

Reviewed-by: Ján Tomko <jtomko@redhat.com>

Jano