From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 1/2] qemu_cgroup: Avoid ternary operator when setting @deviceACL
Date: Thu, 21 Jul 2022 12:31:41 +0200
Message-Id: <4e97ea8b532289bccd7f47098f29cc9628771627.1658399401.git.mprivozn@redhat.com>
List-Id: Development discussions about the libvirt library & tools

Inside qemuSetupDevicesCgroup() there's a @deviceACL variable, which points to a string list of devices that are allowed in the devices controller by default. This list can either come from qemu.conf (cfg->cgroupDeviceACL) or from a builtin @defaultDeviceACL. However, a multiline ternary operator is used when setting the variable, which is against our coding style.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/qemu/qemu_cgroup.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 2cc16a69d3..e012ba92c0 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -652,7 +652,7 @@ qemuSetupDevicesCgroup(virDomainObj *vm) { qemuDomainObjPrivate *priv =3D vm->privateData; g_autoptr(virQEMUDriverConfig) cfg =3D virQEMUDriverGetConfig(priv->dr= iver); - const char *const *deviceACL =3D NULL; + const char *const *deviceACL =3D (const char *const *) cfg->cgroupDevi= ceACL; int rv =3D -1; size_t i; =20 
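Review bot: in the @@ -652 hunk @deviceACL is now initialised from cfg->cgroupDeviceACL, but the fallback to defaultDeviceACL only happens in the second hunk, roughly thirty lines later, so the variable may be NULL for the whole stretch in between. Nothing dereferences it there today, but the declaration no longer tells a reader that. Doing the fallback right after the declaration, `if (!deviceACL) deviceACL = defaultDeviceACL;`, keeps the "never NULL" invariant local to the initialisation and avoids the second hunk altogether.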
@@ -686,9 +686,8 @@ qemuSetupDevicesCgroup(virDomainObj *vm) if (rv < 0) return -1; =20 - deviceACL =3D cfg->cgroupDeviceACL ? - (const char *const *)cfg->cgroupDeviceACL : - defaultDeviceACL; + if (!deviceACL) + deviceACL =3D defaultDeviceACL; =20 if (vm->def->nsounds && ((!vm->def->ngraphics && cfg->nogfxAllowHostAudio) || --=20 2.35.1
From: Michal Privoznik
To: libvir-list@redhat.com
Subject: [PATCH 2/2] qemu_cgroup: Introduce qemuCgroupAllowDevicesPaths()
Date: Thu, 21 Jul 2022 12:31:42 +0200
Message-Id: <3c9fd89ab554581215e4ce0636b15e41b1b44601.1658399401.git.mprivozn@redhat.com>
List-Id: Development discussions about the libvirt library & tools

We have qemuCgroupAllowDevicePath() which sets up the devices controller for just one path. And if we have more paths we have to call it in a loop. So far, we have just one such place, but soon we'll have another one (for SGX memory). Separate the loop into its own function so that it can be reused. And while at it, move setting the default set of devices as the first thing, right after all devices are disallowed.

Signed-off-by: Michal Privoznik
Reviewed-by: Martin Kletzander
---
 src/qemu/qemu_cgroup.c | 51 +++++++++++++++++++++++++++++-------------
 1 file changed, 36 insertions(+), 15 deletions(-)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index e012ba92c0..8339caeb53 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm, } =20 =20 +static int +qemuCgroupAllowDevicesPaths(virDomainObj *vm, + const char *const *deviceACL, + int perms, + bool ignoreEacces) +{ + size_t i; + + for (i =3D 0; deviceACL[i] !=3D NULL; i++) { + int rv; + + if (!virFileExists(deviceACL[i])) { + VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]); + continue; + } + + rv =3D qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEa= cces); + if (rv < 0 && + !virLastErrorIsSystemErrno(ENOENT)) + return -1; + } + + return 0; +} + + static int qemuCgroupDenyDevicePath(virDomainObj *vm, const char *path, @@ -659,6 +685,10 @@ qemuSetupDevicesCgroup(virDomainObj *vm) if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICE= S)) return 0; =20 + deviceACL =3D cfg->cgroupDeviceACL ? + (const char *const *)cfg->cgroupDeviceACL : + defaultDeviceACL; + rv =3D virCgroupDenyAllDevices(priv->cgroup); virDomainAuditCgroup(vm, priv->cgroup, "deny", "all", rv =3D=3D 0); if (rv < 0) { @@ -671,6 +701,12 @@ qemuSetupDevicesCgroup(virDomainObj *vm) return -1; } =20 + if (!deviceACL) + deviceACL =3D defaultDeviceACL; + + if (qemuCgroupAllowDevicesPaths(vm, deviceACL, VIR_CGROUP_DEVICE_RW, f= alse) < 0) + return -1; + if (qemuSetupFirmwareCgroup(vm) < 0) return -1; =20 @@ -686,9 +722,6 @@ qemuSetupDevicesCgroup(virDomainObj *vm) if (rv < 0) return -1; =20 - if (!deviceACL) - deviceACL =3D defaultDeviceACL; - if (vm->def->nsounds && ((!vm->def->ngraphics && cfg->nogfxAllowHostAudio) || (vm->def->graphics && 
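Review bot: the @@ -659 hunk re-adds the three-line ternary that 1/2 just removed, `deviceACL = cfg->cgroupDeviceACL ? (const char *const *)cfg->cgroupDeviceACL : defaultDeviceACL;`, even though after 1/2 @deviceACL is already initialised from cfg->cgroupDeviceACL at its declaration. Once that assignment runs, the `if (!deviceACL) deviceACL = defaultDeviceACL;` added by the @@ -671 hunk can never fire. Drop the ternary and keep only the @@ -671 lines, which already put the fallback right before the qemuCgroupAllowDevicesPaths() call, where it is needed.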
@@ -703,18 +736,6 @@ qemuSetupDevicesCgroup(virDomainObj *vm) return -1; } =20 - for (i =3D 0; deviceACL[i] !=3D NULL; i++) { - if (!virFileExists(deviceACL[i])) { - VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]); - continue; - } - - rv =3D qemuCgroupAllowDevicePath(vm, deviceACL[i], VIR_CGROUP_DEVI= CE_RW, false); - if (rv < 0 && - !virLastErrorIsSystemErrno(ENOENT)) - return -1; - } - if (virDomainChrDefForeach(vm->def, true, qemuSetupChardevCgroupCB, --=20 2.35.1
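Review bot: qemuCgroupAllowDevicesPaths() in the @@ -67 hunk has no comment describing its contract, and it has two non-obvious behaviours a caller needs to know about: entries that fail virFileExists() are skipped with only a VIR_DEBUG, and an ENOENT failure from qemuCgroupAllowDevicePath() is tolerated while any other error aborts the whole loop. Both are inherited unchanged from the loop removed in the @@ -703 hunk, but now that the helper is meant to be reused for the SGX paths, a short header comment stating that missing devices are left denied (the allowlist stays fail-closed) and that @deviceACL must be non-NULL, which the `if (!deviceACL)` fallback in the caller guarantees, would save the next caller from rediscovering it.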
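As an added example, not libvirt code and not part of either patch: a small C program modelling the two rules this series describes, that a configured cgroup_device_acl list overrides the built-in default list, and that a device path which does not exist when the guest starts is skipped rather than reported as an error, so the allowlist stays fail-closed. The sample default list, the sample configured list, the allow() callback and the recorder are constructed for the example; libvirt's real defaultDeviceACL and the cgroup write done by qemuCgroupAllowDevicePath() are not reproduced.

```c
/* Added example, not libvirt code: models the device-ACL selection and
 * filtering that qemuSetupDevicesCgroup() performs, without touching any
 * cgroup. All path lists below are constructed sample input. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>

/* Constructed stand-in for libvirt's built-in defaultDeviceACL. */
static const char *const sample_default_acl[] = {
    "/dev/null", "/dev/zero", "/dev/urandom", NULL,
};

/* Constructed stand-in for a qemu.conf cgroup_device_acl that names one
 * device which does not exist on the host. */
static const char *const sample_configured_acl[] = {
    "/dev/null", "/dev/does-not-exist-for-this-example", NULL,
};

/* Precedence rule from the series: a configured list wins, otherwise fall
 * back to the built-in default. Never returns NULL if defaults is non-NULL. */
const char *const *
select_device_acl(const char *const *configured, const char *const *defaults)
{
    return configured ? configured : defaults;
}

/* Walk the list the way qemuCgroupAllowDevicesPaths() does: skip entries
 * that do not exist, hand the rest to allow(), stop on a hard error.
 * Returns the number of devices allowed, or -1 on error. allow() is a
 * hypothetical callback standing in for the cgroup write. */
int
allow_device_paths(const char *const *acl,
                   int (*allow)(const char *path, void *opaque),
                   void *opaque)
{
    struct stat st;
    int allowed = 0;
    size_t i;

    for (i = 0; acl[i] != NULL; i++) {
        if (stat(acl[i], &st) < 0) {
            if (errno == ENOENT) {
                /* Fail-closed: a device absent at start-up is simply not
                 * added to the allowlist, and nothing is reported to the user. */
                fprintf(stderr, "ignoring non-existent device %s\n", acl[i]);
                continue;
            }
            return -1;   /* EACCES, ELOOP, ...: surface it instead of hiding it */
        }
        if (allow(acl[i], opaque) < 0)
            return -1;
        allowed++;
    }
    return allowed;
}

/* Recorder used as the allow() callback: remembers which paths got through. */
struct recorder { const char *paths[16]; size_t n; };

static int
record_allow(const char *path, void *opaque)
{
    struct recorder *r = opaque;
    if (r->n >= 16)
        return -1;
    r->paths[r->n++] = path;
    return 0;
}

/* Apply both rules to a (possibly NULL) configured list; returns the count
 * of devices that ended up allowed, or -1 on error. */
int
count_allowed(const char *const *configured)
{
    struct recorder r = { .n = 0 };
    const char *const *acl = select_device_acl(configured, sample_default_acl);

    return allow_device_paths(acl, record_allow, &r);
}

int
main(void)
{
    printf("default list: %d allowed\n", count_allowed(NULL));
    printf("configured list: %d allowed\n", count_allowed(sample_configured_acl));
    return 0;
}
```

One deliberate difference from the patch: virFileExists() reports any failure as non-existence, so a device the daemon cannot stat for a reason other than ENOENT would also be silently dropped from the allowlist; the example only ignores ENOENT and turns every other stat() failure into a hard error, which is the behaviour a practitioner usually wants when the list comes from an operator-edited qemu.conf.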