From: Pavel Hrdina
To: libvir-list@redhat.com
Date: Thu, 25 Apr 2019 09:44:28 +0200
Message-Id: <9f82da3a66ca1bcd061d9ef4392cb738846bee95.1556178064.git.phrdina@redhat.com>
Subject: [libvirt] [PATCH v3 11/15] vircgroup: introduce virCgroupV2DenyDevice

In order to deny a device we need to check if there is any entry in the BPF map, and we need to load the current value from the map if there is already an entry for that device. If both values are the same we can remove that entry, but if they are different we need to update the entry because we don't have to deny all access, but for example only write access.

Signed-off-by: Pavel Hrdina
Reviewed-by: Ján Tomko

--- src/util/vircgroupv2.c | 41 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c index 9f9802bb2f..bf78c33519 100644 --- a/src/util/vircgroupv2.c +++ b/src/util/vircgroupv2.c 
@@ -1668,6 +1668,46 @@ virCgroupV2AllowDevice(virCgroupPtr group, } =20 =20 +static int +virCgroupV2DenyDevice(virCgroupPtr group, + char type, + int major, + int minor, + int perms) +{ + uint64_t key =3D virCgroupV2DevicesGetKey(major, minor); + uint32_t newval =3D virCgroupV2DevicesGetPerms(perms, type); + uint32_t val =3D 0; + + if (virCgroupV2DevicesPrepareProg(group) < 0) + return -1; + + if (group->unified.devices.count <=3D 0 || + virBPFLookupElem(group->unified.devices.mapfd, &key, &val) < 0) { + VIR_DEBUG("nothing to do, device is not allowed"); + return 0; + } + + if (newval =3D=3D val) { + if (virBPFDeleteElem(group->unified.devices.mapfd, &key) < 0) { + virReportSystemError(errno, "%s", + _("failed to remove device from BPF cgrou= p map")); + return -1; + } + group->unified.devices.count--; + } else { + val ^=3D val & newval; + if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0= ) { + virReportSystemError(errno, "%s", + _("failed to update device in BPF cgroup = map")); + return -1; + } + } + + return 0; +} + + virCgroupBackend virCgroupV2Backend =3D { .type =3D VIR_CGROUP_BACKEND_TYPE_V2, =20 @@ -1718,6 +1758,7 @@ virCgroupBackend virCgroupV2Backend =3D { .getMemSwapUsage =3D virCgroupV2GetMemSwapUsage, =20 .allowDevice =3D virCgroupV2AllowDevice, + .denyDevice =3D virCgroupV2DenyDevice, =20 .setCpuShares =3D virCgroupV2SetCpuShares, .getCpuShares =3D virCgroupV2GetCpuShares, --=20 2.20.1 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
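
Review bot: In virCgroupV2DenyDevice, the early-return condition "devices.count <= 0 || virBPFLookupElem(...) < 0" treats every negative return from the lookup as "device is not allowed" and returns 0, so a lookup that fails for any reason other than a missing key reports a successful deny while the entry may still be present in the map. A deny path should fail closed: return 0 only when the key is known to be absent, and otherwise report the error and return -1, as the delete and update branches already do. Separately, in the else branch "val ^= val & newval" leaves val at 0 when newval covers every bit of the stored value but is not equal to it; that case writes a zero entry with virBPFUpdateElem and leaves devices.count unchanged, so consider deleting the entry and decrementing count whenever the masked result is 0.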