qemu_cgroup: Two almost trivial cleanups

[PATCH 2/2] qemu_cgroup: Introduce qemuCgroupAllowDevicesPaths()

Posted by Michal Privoznik 3 years, 6 months ago

We have qemuCgroupAllowDevicePath() which sets up devices
controller for just one path. And if we have more paths we have
to call it in a loop. So far, we have just one such place, but
soon we'll have another one (for SGX memory). Separate the loop
into its own function so that it can be reused.

And while at it, move setting the default set of devices as the
first thing, right after all devices are disallowed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_cgroup.c | 51 +++++++++++++++++++++++++++++-------------
 1 file changed, 36 insertions(+), 15 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index e012ba92c0..8339caeb53 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm,
 }
 
 
+static int
+qemuCgroupAllowDevicesPaths(virDomainObj *vm,
+                            const char *const *deviceACL,
+                            int perms,
+                            bool ignoreEacces)
+{
+    size_t i;
+
+    for (i = 0; deviceACL[i] != NULL; i++) {
+        int rv;
+
+        if (!virFileExists(deviceACL[i])) {
+            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
+            continue;
+        }
+
+        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces);
+        if (rv < 0 &&
+            !virLastErrorIsSystemErrno(ENOENT))
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 qemuCgroupDenyDevicePath(virDomainObj *vm,
                          const char *path,
@@ -659,6 +685,10 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
     if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
         return 0;
 
+    deviceACL = cfg->cgroupDeviceACL ?
+                (const char *const *)cfg->cgroupDeviceACL :
+                defaultDeviceACL;
+
     rv = virCgroupDenyAllDevices(priv->cgroup);
     virDomainAuditCgroup(vm, priv->cgroup, "deny", "all", rv == 0);
     if (rv < 0) {
@@ -671,6 +701,12 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
         return -1;
     }
 
+    if (!deviceACL)
+        deviceACL = defaultDeviceACL;
+
+    if (qemuCgroupAllowDevicesPaths(vm, deviceACL, VIR_CGROUP_DEVICE_RW, false) < 0)
+        return -1;
+
     if (qemuSetupFirmwareCgroup(vm) < 0)
         return -1;
 
@@ -686,9 +722,6 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
     if (rv < 0)
         return -1;
 
-    if (!deviceACL)
-        deviceACL = defaultDeviceACL;
-
     if (vm->def->nsounds &&
         ((!vm->def->ngraphics && cfg->nogfxAllowHostAudio) ||
          (vm->def->graphics &&
@@ -703,18 +736,6 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
             return -1;
     }
 
-    for (i = 0; deviceACL[i] != NULL; i++) {
-        if (!virFileExists(deviceACL[i])) {
-            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
-            continue;
-        }
-
-        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], VIR_CGROUP_DEVICE_RW, false);
-        if (rv < 0 &&
-            !virLastErrorIsSystemErrno(ENOENT))
-            return -1;
-    }
-
     if (virDomainChrDefForeach(vm->def,
                                true,
                                qemuSetupChardevCgroupCB,
-- 
2.35.1

Re: [PATCH 2/2] qemu_cgroup: Introduce qemuCgroupAllowDevicesPaths()

Posted by Michal Prívozník 3 years, 6 months ago

On 7/21/22 12:31, Michal Privoznik wrote:
> We have qemuCgroupAllowDevicePath() which sets up devices
> controller for just one path. And if we have more paths we have
> to call it in a loop. So far, we have just one such place, but
> soon we'll have another one (for SGX memory). Separate the loop
> into its own function so that it can be reused.
> 
> And while at it, move setting the default set of devices as the
> first thing, right after all devices are disallowed.
> 
> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
> ---
>  src/qemu/qemu_cgroup.c | 51 +++++++++++++++++++++++++++++-------------
>  1 file changed, 36 insertions(+), 15 deletions(-)
> 
> diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
> index e012ba92c0..8339caeb53 100644
> --- a/src/qemu/qemu_cgroup.c
> +++ b/src/qemu/qemu_cgroup.c
> @@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm,
>  }
>  
>  
> +static int
> +qemuCgroupAllowDevicesPaths(virDomainObj *vm,
> +                            const char *const *deviceACL,
> +                            int perms,
> +                            bool ignoreEacces)
> +{
> +    size_t i;
> +
> +    for (i = 0; deviceACL[i] != NULL; i++) {
> +        int rv;
> +
> +        if (!virFileExists(deviceACL[i])) {
> +            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
> +            continue;
> +        }
> +
> +        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces);
> +        if (rv < 0 &&
> +            !virLastErrorIsSystemErrno(ENOENT))
> +            return -1;
> +    }
> +
> +    return 0;
> +}
> +
> +
>  static int
>  qemuCgroupDenyDevicePath(virDomainObj *vm,
>                           const char *path,
> @@ -659,6 +685,10 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
>      if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
>          return 0;
>  
> +    deviceACL = cfg->cgroupDeviceACL ?
> +                (const char *const *)cfg->cgroupDeviceACL :
> +                defaultDeviceACL;
> +

OOOps, this hunk does not belong here. I've screwed up conflict
resolution. Consider fixed locally.

Michal

Re: [PATCH 2/2] qemu_cgroup: Introduce qemuCgroupAllowDevicesPaths()

Posted by Martin Kletzander 3 years, 6 months ago

On Thu, Jul 21, 2022 at 12:45:29PM +0200, Michal Prívozník wrote:
>On 7/21/22 12:31, Michal Privoznik wrote:
>> We have qemuCgroupAllowDevicePath() which sets up devices
>> controller for just one path. And if we have more paths we have
>> to call it in a loop. So far, we have just one such place, but
>> soon we'll have another one (for SGX memory). Separate the loop
>> into its own function so that it can be reused.
>>
>> And while at it, move setting the default set of devices as the
>> first thing, right after all devices are disallowed.
>>
>> Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
>> ---
>>  src/qemu/qemu_cgroup.c | 51 +++++++++++++++++++++++++++++-------------
>>  1 file changed, 36 insertions(+), 15 deletions(-)
>>
>> diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
>> index e012ba92c0..8339caeb53 100644
>> --- a/src/qemu/qemu_cgroup.c
>> +++ b/src/qemu/qemu_cgroup.c
>> @@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm,
>>  }
>>
>>
>> +static int
>> +qemuCgroupAllowDevicesPaths(virDomainObj *vm,
>> +                            const char *const *deviceACL,
>> +                            int perms,
>> +                            bool ignoreEacces)
>> +{
>> +    size_t i;
>> +
>> +    for (i = 0; deviceACL[i] != NULL; i++) {
>> +        int rv;
>> +
>> +        if (!virFileExists(deviceACL[i])) {
>> +            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
>> +            continue;
>> +        }
>> +
>> +        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces);
>> +        if (rv < 0 &&
>> +            !virLastErrorIsSystemErrno(ENOENT))
>> +            return -1;
>> +    }
>> +
>> +    return 0;
>> +}
>> +
>> +
>>  static int
>>  qemuCgroupDenyDevicePath(virDomainObj *vm,
>>                           const char *path,
>> @@ -659,6 +685,10 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
>>      if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
>>          return 0;
>>
>> +    deviceACL = cfg->cgroupDeviceACL ?
>> +                (const char *const *)cfg->cgroupDeviceACL :
>> +                defaultDeviceACL;
>> +
>
>OOOps, this hunk does not belong here. I've screwed up conflict
>resolution. Consider fixed locally.
>

With this hunk removed

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>