From: Pavel Hrdina
To: libvir-list@redhat.com
Subject: [libvirt PATCH] vircgroupv2: fix virCgroupV2DenyDevice
Date: Mon, 30 Nov 2020 08:22:15 +0100
Message-Id: <6ece0beb74c0ca4bf649d4d12714224320ea894c.1606720919.git.phrdina@redhat.com>

The original logic is incorrect. We would delete the device entry from eBPF map only if the newval would be same as current val in the map. In case that the device was allowed only as read-only but later we remove all permissions for that device it would remain in the table with empty values.

The old code would still deny the device but it's not working as intended.

Instead we will update the value in advance. If the updated value is 0 it means that we are removing all permissions so it should be removed from the map, otherwise we will update the value in map.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1810356
Signed-off-by: Pavel Hrdina
Reviewed-by: Michal Privoznik
---
 src/util/vircgroupv2.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c index 2b32f614e4..40cfa20376 100644 --- a/src/util/vircgroupv2.c +++ b/src/util/vircgroupv2.c 
@@ -1796,7 +1796,9 @@ virCgroupV2DenyDevice(virCgroupPtr group, return 0; } =20 - if (newval =3D=3D val) { + val =3D val & ~newval; + + if (val =3D=3D 0) { if (virBPFDeleteElem(group->unified.devices.mapfd, &key) < 0) { virReportSystemError(errno, "%s", _("failed to remove device from BPF cgrou= p map")); @@ -1804,7 +1806,6 @@ virCgroupV2DenyDevice(virCgroupPtr group, } group->unified.devices.count--; } else { - val ^=3D val & newval; if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0= ) { virReportSystemError(errno, "%s", _("failed to update device in BPF cgroup = map")); --=20 2.28.0
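
Review bot: In the first hunk, the new "val = val & ~newval;" followed by "if (val == 0)" has no comment saying that a zero mask means no permissions are left and the map entry has to be deleted, which is the whole point of the fix; a one-line comment above the test would keep the delete and the "group->unified.devices.count--" from being read as a special case again, and "val &= ~newval;" is the more usual spelling. The second hunk only drops "val ^= val & newval;", which yields the same mask as the new assignment, so the value passed to virBPFUpdateElem does not change and the behavioural change is confined to the delete condition; it would help to say so in the commit message. The diffstat shows only src/util/vircgroupv2.c changing, so the sequence described in the commit message (device allowed read-only, then all permissions denied) has no regression test in this patch; consider adding one if the BPF map can be exercised from the test suite.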