<div dir="ltr">Hi<br><div><br><div class="gmail_quote"><div dir="ltr">On Fri, Feb 10, 2017 at 6:57 PM Michal Privoznik <<a href="mailto:mprivozn@redhat.com">mprivozn@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">When enabling virgl, qemu opens /dev/dri/render*. So far, we are<br class="gmail_msg">
not allowing that in devices cgroup nor creating the file in<br class="gmail_msg">
domain's namespace and thus requiring users to set the paths in<br class="gmail_msg">
qemu.conf. This, however, is suboptimal as it allows access to<br class="gmail_msg">
ALL qemu processes even those which don't have virgl configured.<br class="gmail_msg">
<br class="gmail_msg">
Signed-off-by: Michal Privoznik <<a href="mailto:mprivozn@redhat.com" class="gmail_msg" target="_blank">mprivozn@redhat.com</a>><br class="gmail_msg"></blockquote><br><br>Thanks, but that doesn't work :)<br><br>You should loop over the spice/gl graphics nodes (virtio accel3d is not actually using 3d, as of today, if the graphics configuration/layer doesn't provide it)<br><br>See also Ján Tomko's "qemu_cgroup: allow access to /dev/dri/render*" patch, which used to work.<br><br></div><div class="gmail_quote">After my series "[PATCH 0/5] Add rendernode selection support", it will further have to narrow the path allowed to the specified rendernode. This can be done in my series or yours, depending on applied order.<br><br></div><div class="gmail_quote">thanks<br>
            </div><div class="gmail_quote"><br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
---<br class="gmail_msg">
 src/qemu/qemu_cgroup.c | 51 ++++++++++++++++++++++++++++++++++++++++<br class="gmail_msg">
 src/qemu/qemu_domain.c | 64 ++++++++++++++++++++++++++++++++++++++++++++++++++<br class="gmail_msg">
 2 files changed, 115 insertions(+)<br class="gmail_msg">
<br class="gmail_msg">
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c<br class="gmail_msg">
index 209cbc275..c667dc12b 100644<br class="gmail_msg">
--- a/src/qemu/qemu_cgroup.c<br class="gmail_msg">
+++ b/src/qemu/qemu_cgroup.c<br class="gmail_msg">
@@ -335,6 +335,52 @@ qemuTeardownHostdevCgroup(virDomainObjPtr vm,<br class="gmail_msg">
     return ret;<br class="gmail_msg">
 }<br class="gmail_msg">
<br class="gmail_msg">
+<br class="gmail_msg">
+static int<br class="gmail_msg">
+qemuSetupVideoCgroup(virDomainObjPtr vm,<br class="gmail_msg">
+                     virDomainVideoDefPtr video)<br class="gmail_msg">
+{<br class="gmail_msg">
+    qemuDomainObjPrivatePtr priv = vm->privateData;<br class="gmail_msg">
+    const char *dripath = "/dev/dri";<br class="gmail_msg">
+    char *devpath = NULL;<br class="gmail_msg">
+    struct dirent *ent;<br class="gmail_msg">
+    DIR *dir;<br class="gmail_msg">
+    int rv, rc, ret = -1;<br class="gmail_msg">
+<br class="gmail_msg">
+    if (!video->accel ||<br class="gmail_msg">
+        !video->accel->accel3d)<br class="gmail_msg">
+        return 0;<br class="gmail_msg">
+<br class="gmail_msg">
+    if (virDirOpen(&dir, dripath) < 0)<br class="gmail_msg">
+        return ret;<br class="gmail_msg">
+<br class="gmail_msg">
+    while ((rv = virDirRead(dir, &ent, dripath)) > 0) {<br class="gmail_msg">
+        if (!STRPREFIX(ent->d_name, "render"))<br class="gmail_msg">
+            continue;<br class="gmail_msg">
+<br class="gmail_msg">
+        VIR_FREE(devpath);<br class="gmail_msg">
+        if (virAsprintf(&devpath, "%s/%s", dripath, ent->d_name) < 0)<br class="gmail_msg">
+            goto cleanup;<br class="gmail_msg">
+<br class="gmail_msg">
+        rc = virCgroupAllowDevicePath(priv->cgroup, devpath,<br class="gmail_msg">
+                                      VIR_CGROUP_DEVICE_RW, false);<br class="gmail_msg">
+        virDomainAuditCgroupPath(vm, priv->cgroup, "allow", devpath,<br class="gmail_msg">
+                                 "rw", rc == 0);<br class="gmail_msg">
+        if (rv < 0)<br class="gmail_msg">
+            goto cleanup;<br class="gmail_msg">
+    }<br class="gmail_msg">
+<br class="gmail_msg">
+    if (rv < 0)<br class="gmail_msg">
+        goto cleanup;<br class="gmail_msg">
+<br class="gmail_msg">
+    ret = 0;<br class="gmail_msg">
+ cleanup:<br class="gmail_msg">
+    VIR_FREE(devpath);<br class="gmail_msg">
+    VIR_DIR_CLOSE(dir);<br class="gmail_msg">
+    return ret;<br class="gmail_msg">
+}<br class="gmail_msg">
+<br class="gmail_msg">
+<br class="gmail_msg">
 static int<br class="gmail_msg">
 qemuSetupBlkioCgroup(virDomainObjPtr vm)<br class="gmail_msg">
 {<br class="gmail_msg">
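Review bot: The error check after virCgroupAllowDevicePath in qemuSetupVideoCgroup tests `rv`, the virDirRead result, which is still positive inside the loop, so a failed allow is audited but never fails the function; the line should read `if (rc < 0) goto cleanup;`. As written, a render node that cannot be added to the devices cgroup still lets the function return 0, and the domain starts without the access the audit record implies it was granted. `rc` is otherwise only consumed by the audit call, which is why the compiler does not flag it. The loop condition and the post-loop `if (rv < 0)` are correct as they stand.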
@@ -604,6 +650,11 @@ qemuSetupDevicesCgroup(virQEMUDriverPtr driver,<br class="gmail_msg">
             goto cleanup;<br class="gmail_msg">
     }<br class="gmail_msg">
<br class="gmail_msg">
+    for (i = 0; i < vm->def->nvideos; i++) {<br class="gmail_msg">
+        if (qemuSetupVideoCgroup(vm, vm->def->videos[i]) < 0)<br class="gmail_msg">
+            goto cleanup;<br class="gmail_msg">
+    }<br class="gmail_msg">
+<br class="gmail_msg">
     for (i = 0; i < vm->def->ninputs; i++) {<br class="gmail_msg">
         if (qemuSetupInputCgroup(vm, vm->def->inputs[i]) < 0)<br class="gmail_msg">
             goto cleanup;<br class="gmail_msg">
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c<br class="gmail_msg">
index 515e0052e..06ba1cf00 100644<br class="gmail_msg">
--- a/src/qemu/qemu_domain.c<br class="gmail_msg">
+++ b/src/qemu/qemu_domain.c<br class="gmail_msg">
@@ -7504,6 +7504,67 @@ qemuDomainSetupTPM(virQEMUDriverPtr driver ATTRIBUTE_UNUSED,<br class="gmail_msg">
 }<br class="gmail_msg">
<br class="gmail_msg">
<br class="gmail_msg">
+static int<br class="gmail_msg">
+qemuDomainSetupVideo(virQEMUDriverPtr driver ATTRIBUTE_UNUSED,<br class="gmail_msg">
+                     virDomainVideoDefPtr video,<br class="gmail_msg">
+                     const char *devPath)<br class="gmail_msg">
+{<br class="gmail_msg">
+    const char *dripath = "/dev/dri";<br class="gmail_msg">
+    char *dridevpath = NULL;<br class="gmail_msg">
+    struct dirent *ent;<br class="gmail_msg">
+    DIR *dir;<br class="gmail_msg">
+    int rv, ret = -1;<br class="gmail_msg">
+<br class="gmail_msg">
+    if (!video->accel ||<br class="gmail_msg">
+        !video->accel->accel3d)<br class="gmail_msg">
+        return 0;<br class="gmail_msg">
+<br class="gmail_msg">
+    if (virDirOpen(&dir, dripath) < 0)<br class="gmail_msg">
+        return ret;<br class="gmail_msg">
+<br class="gmail_msg">
+    while ((rv = virDirRead(dir, &ent, dripath)) > 0) {<br class="gmail_msg">
+        if (!STRPREFIX(ent->d_name, "render"))<br class="gmail_msg">
+            continue;<br class="gmail_msg">
+<br class="gmail_msg">
+        VIR_FREE(dridevpath);<br class="gmail_msg">
+        if (virAsprintf(&dridevpath, "%s/%s", dripath, ent->d_name) < 0)<br class="gmail_msg">
+            goto cleanup;<br class="gmail_msg">
+<br class="gmail_msg">
+        if (qemuDomainCreateDevice(dridevpath, devPath, false) < 0)<br class="gmail_msg">
+            goto cleanup;<br class="gmail_msg">
+    }<br class="gmail_msg">
+<br class="gmail_msg">
+    if (rv < 0)<br class="gmail_msg">
+        goto cleanup;<br class="gmail_msg">
+<br class="gmail_msg">
+    ret = 0;<br class="gmail_msg">
+ cleanup:<br class="gmail_msg">
+    VIR_FREE(dridevpath);<br class="gmail_msg">
+    VIR_DIR_CLOSE(dir);<br class="gmail_msg">
+    return ret;<br class="gmail_msg">
+}<br class="gmail_msg">
+<br class="gmail_msg">
+<br class="gmail_msg">
+static int<br class="gmail_msg">
+qemuDomainSetupAllVideos(virQEMUDriverPtr driver,<br class="gmail_msg">
+                         virDomainObjPtr vm,<br class="gmail_msg">
+                         const char *devPath)<br class="gmail_msg">
+{<br class="gmail_msg">
+    size_t i;<br class="gmail_msg">
+<br class="gmail_msg">
+    VIR_DEBUG("Setting up videos");<br class="gmail_msg">
+    for (i = 0; i < vm->def->nvideos; i++) {<br class="gmail_msg">
+        if (qemuDomainSetupVideo(driver,<br class="gmail_msg">
+                                 vm->def->videos[i],<br class="gmail_msg">
+                                 devPath) < 0)<br class="gmail_msg">
+            return -1;<br class="gmail_msg">
+    }<br class="gmail_msg">
+<br class="gmail_msg">
+    VIR_DEBUG("Setup all videos");<br class="gmail_msg">
+    return 0;<br class="gmail_msg">
+}<br class="gmail_msg">
+<br class="gmail_msg">
+<br class="gmail_msg">
 static int<br class="gmail_msg">
 qemuDomainSetupInput(virQEMUDriverPtr driver ATTRIBUTE_UNUSED,<br class="gmail_msg">
                      virDomainInputDefPtr input,<br class="gmail_msg">
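Review bot: qemuDomainSetupVideo repeats, almost line for line, the accel3d gate and the /dev/dri directory walk that qemuSetupVideoCgroup adds in qemu_cgroup.c; a single helper that enumerates the render-node paths (or a shared predicate for "this video device needs DRI access") would keep the cgroup whitelist and the namespace contents from drifting apart, which matters because a node present in one but not the other is unusable by qemu. The new functions also carry no header comment; a short one would help, e.g. `/* Create every /dev/dri/render* node inside the domain's mount namespace when the video device requests 3D acceleration. */` on qemuDomainSetupVideo and a one-liner on qemuDomainSetupAllVideos. The `driver` parameter is marked ATTRIBUTE_UNUSED in qemuDomainSetupVideo yet still threaded through from qemuDomainSetupAllVideos, which mirrors qemuDomainSetupInput, so that is presumably deliberate for interface symmetry.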
@@ -7657,6 +7718,9 @@ qemuDomainBuildNamespace(virQEMUDriverPtr driver,<br class="gmail_msg">
     if (qemuDomainSetupTPM(driver, vm, devPath) < 0)<br class="gmail_msg">
         goto cleanup;<br class="gmail_msg">
<br class="gmail_msg">
+    if (qemuDomainSetupAllVideos(driver, vm, devPath) < 0)<br class="gmail_msg">
+        goto cleanup;<br class="gmail_msg">
+<br class="gmail_msg">
     if (qemuDomainSetupAllInputs(driver, vm, devPath) < 0)<br class="gmail_msg">
         goto cleanup;<br class="gmail_msg">
<br class="gmail_msg">
--<br class="gmail_msg">
2.11.0<br class="gmail_msg">
<br class="gmail_msg">
</blockquote></div></div></div><div dir="ltr">-- <br></div><div data-smartmail="gmail_signature"><div dir="ltr">Marc-André Lureau<br></div></div>