[libvirt] [PATCH 14/19] vircgroup: introduce virCgroupV2AllowAllDevices

Pavel Hrdina posted 19 patches 7 years, 1 month ago
There is a newer version of this series
[libvirt] [PATCH 14/19] vircgroup: introduce virCgroupV2AllowAllDevices
Posted by Pavel Hrdina 7 years, 1 month ago
If we want to allow all devices with all permissions, we need to replace
any existing program that has any rule configured; otherwise we just
need to add a new rule which will, for example, allow read access to all
devices.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
---
 src/util/vircgroupv2.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index aea7ba677f..6c3f2bf522 100644
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -2070,6 +2070,23 @@ virCgroupV2DenyDevice(virCgroupPtr group,
 }
 
 
+static int
+virCgroupV2AllowAllDevices(virCgroupPtr group,
+                           int perms)
+{
+    if (virCgroupV2DevicePrepareProg(group) < 0)
+        return -1;
+
+    if (group->unified.devices.count > 0 &&
+        perms == VIR_CGROUP_DEVICE_RWM &&
+        virCgroupV2DeviceCreateProg(group) < 0) {
+        return -1;
+    }
+
+    return virCgroupV2AllowDevice(group, 'a', -1, -1, perms);
+}
+
+
 virCgroupBackend virCgroupV2Backend = {
     .type = VIR_CGROUP_BACKEND_TYPE_V2,
 
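Review bot: The three-part condition guarding `virCgroupV2DeviceCreateProg()` in `virCgroupV2AllowAllDevices` encodes a policy decision that is only explained in the commit message, so it deserves a comment in the code, e.g. `/* Full RWM on every device supersedes all existing rules, so start from a fresh program; for narrower perms keep the existing rules and only add the wildcard entry. */`. Two things should be confirmed against code outside this hunk. First, if the final `virCgroupV2AllowDevice()` fails after the program has already been replaced, the cgroup should end up in a deny state rather than a half-configured one. Second, the exact comparison `perms == VIR_CGROUP_DEVICE_RWM` should be intentional, because a caller passing RWM plus any other bit would skip the replacement and leave the old rules next to the new wildcard entry.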
@@ -2121,6 +2138,7 @@ virCgroupBackend virCgroupV2Backend = {
 
     .allowDevice = virCgroupV2AllowDevice,
     .denyDevice = virCgroupV2DenyDevice,
+    .allowAllDevices = virCgroupV2AllowAllDevices,
 
     .setCpuShares = virCgroupV2SetCpuShares,
     .getCpuShares = virCgroupV2GetCpuShares,
-- 
2.20.1
