[libvirt] [PATCHv2 6/8] cgroup: allow fine-tuning of device ACL permissions

Daniel P. Berrange berrange at redhat.com
Wed Mar 9 15:24:00 UTC 2011


On Tue, Mar 08, 2011 at 10:13:48PM -0700, Eric Blake wrote:
> diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
> index ebf9ad5..83063a9 100644
> --- a/src/qemu/qemu_cgroup.c
> +++ b/src/qemu/qemu_cgroup.c
> @@ -226,7 +229,8 @@ int qemuSetupCgroup(struct qemud_driver *driver,
>                  goto cleanup;
>          }
> 
> -        rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR);
> +        rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR,
> +                                       VIR_CGROUP_DEVICE_RWM);
>          qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR,
>                               "pty", rc == 0);
>          if (rc != 0) {
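Review bot: passing VIR_CGROUP_DEVICE_RWM at the new argument grants mknod on the whole pty character major, which is more than the open/read/write access the guest's pty devices need, since (as noted in the reply) the /dev/pts entries are created by the kernel on open of /dev/ptmx; since this series introduces the permission argument, the least-privilege choice is the read/write-only variant without the mknod bit. Also, the adjacent `qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR, "pty", rc == 0)` call is left unchanged, so the audit record does not say which permission set was granted; consider passing the permissions through to the audit message so that RW vs RWM grants can be told apart after the fact.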

I'm not entirely sure that we actually need RWM here, rather than
just RW.  QEMU doesn't do any mknod in /dev/pts/XXX. The entries
in that filesystem just magically appear from the kernel when
you open /dev/ptmx.

> @@ -240,7 +244,8 @@ int qemuSetupCgroup(struct qemud_driver *driver,
>               ((vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
>                 driver->vncAllowHostAudio) ||
>                (vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL)))) {
> -            rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR);
> +            rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR,
> +                                           VIR_CGROUP_DEVICE_RWM);
>              qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR,
>                                   "sound", rc == 0);
>              if (rc != 0) {
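Review bot: the same over-grant applies to DEVICE_SND_MAJOR: sound devices are only ever opened for read/write, so VIR_CGROUP_DEVICE_RWM adds a mknod permission on the sound major that nothing in the guest path exercises, and the read/write-only flag is sufficient. As in the previous hunk, the `qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR, "sound", rc == 0)` call does not record the permission bits being granted, so the two hunks' ACL changes are indistinguishable in the audit log.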

Almost certain we don't need RWM for sound devices, just RW.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|