In order to allow device we need to create key and value which will be
used to update BPF map. virBPFUpdateElem() can override existing
entries in BPF map so we need to check if that entry exists in order to
track number of entries in our map.
This can add rule for specific device but major and minor can be both
-1 which follows the same behavior as in cgroup v1.
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
---
src/util/vircgroupv2.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index ce19169fe7..9f9802bb2f 100644
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -30,6 +30,7 @@
#include "vircgrouppriv.h"
#include "viralloc.h"
+#include "virbpf.h"
#include "vircgroup.h"
#include "vircgroupbackend.h"
#include "vircgroupv2.h"
@@ -1638,6 +1639,35 @@ virCgroupV2GetCpusetCpus(virCgroupPtr group,
}
+static int
+virCgroupV2AllowDevice(virCgroupPtr group,
+ char type,
+ int major,
+ int minor,
+ int perms)
+{
+ uint64_t key = virCgroupV2DevicesGetKey(major, minor);
+ uint32_t val = virCgroupV2DevicesGetPerms(perms, type);
+ int rc;
+
+ if (virCgroupV2DevicesPrepareProg(group) < 0)
+ return -1;
+
+ rc = virBPFLookupElem(group->unified.devices.mapfd, &key, NULL);
+
+ if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0) {
+ virReportSystemError(errno, "%s",
+ _("failed to update device in BPF cgroup map"));
+ return -1;
+ }
+
+ if (rc < 0)
+ group->unified.devices.count++;
+
+ return 0;
+}
+
+
virCgroupBackend virCgroupV2Backend = {
.type = VIR_CGROUP_BACKEND_TYPE_V2,
@@ -1687,6 +1717,8 @@ virCgroupBackend virCgroupV2Backend = {
.getMemSwapHardLimit = virCgroupV2GetMemSwapHardLimit,
.getMemSwapUsage = virCgroupV2GetMemSwapUsage,
+ .allowDevice = virCgroupV2AllowDevice,
+
.setCpuShares = virCgroupV2SetCpuShares,
.getCpuShares = virCgroupV2GetCpuShares,
.setCpuCfsPeriod = virCgroupV2SetCpuCfsPeriod,
--
2.20.1
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list