[libvirt] [PATCH v2 08/10] qemu: cgroup and selinux for scsi hostdev
Osier Yang
jyang at redhat.com
Wed Apr 3 09:53:44 UTC 2013
On 01/04/13 20:01, Han Cheng wrote:
> As libvirt gives guest minimal cgroup, we need to add sg into guest cgroup
> whitelist for scsi hostdev. And we should set and restore selinux label
> correctly for scsi hostdev.
>
> Signed-off-by: Han Cheng <hanc.fnst at cn.fujitsu.com>
> ---
> src/qemu/qemu_cgroup.c | 67 +++++++++++++++++++++++++++++++-------
> src/qemu/qemu_cgroup.h | 3 ++
> src/security/security_selinux.c | 56 ++++++++++++++++++++++++++++++++
> 3 files changed, 113 insertions(+), 13 deletions(-)
>
> diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
> index c9b4ca2..ea3d49b 100644
> --- a/src/qemu/qemu_cgroup.c
> +++ b/src/qemu/qemu_cgroup.c
> @@ -194,6 +194,30 @@ int qemuSetupHostUsbDeviceCgroup(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
> return 0;
> }
>
> +int qemuSetupHostScsiDeviceCgroup(virSCSIDevicePtr dev,
> + const char *path,
> + void *opaque)
Indentation.
> +{
> + qemuCgroupData *data = opaque;
> + int rc;
> +
> + VIR_DEBUG("Process path '%s' for SCSI device", path);
> + rc = virCgroupAllowDevicePath(data->cgroup, path,
> + (virSCSIDeviceGetReadonly(dev) ? VIR_CGROUP_DEVICE_READ
> + : VIR_CGROUP_DEVICE_RW));
No need for the surrounding parentheses.
> + virDomainAuditCgroupPath(data->vm, data->cgroup, "allow", path,
> + virSCSIDeviceGetReadonly(dev) ? "r" : "rw", rc);
> + if (rc < 0) {
> + virReportSystemError(-rc,
> + _("Unable to allow device %s"),
> + path);
> + return -1;
> + }
> +
> + return 0;
> +
> +}
> +
> int qemuSetupCgroup(virQEMUDriverPtr driver,
> virDomainObjPtr vm,
> virBitmapPtr nodemask)
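Review bot: qemuSetupHostScsiDeviceCgroup evaluates virSCSIDeviceGetReadonly(dev) twice, once to pick the access mode passed to virCgroupAllowDevicePath() and again for the audit string; computing it once keeps the whitelisted mode and the audited mode guaranteed to agree and reads more clearly: `bool readonly = virSCSIDeviceGetReadonly(dev);` then `readonly ? VIR_CGROUP_DEVICE_READ : VIR_CGROUP_DEVICE_RW` and `readonly ? "r" : "rw"`. The stray blank line between `return 0;` and the closing brace can go. A short header comment would help the next reader, e.g. `/* virSCSIDeviceFileIterate callback: allow one SCSI device node in the guest's device cgroup, read-only when the hostdev is marked readonly. */`.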
> @@ -291,26 +315,43 @@ int qemuSetupCgroup(virQEMUDriverPtr driver,
>
> for (i = 0; i < vm->def->nhostdevs; i++) {
> virDomainHostdevDefPtr hostdev = vm->def->hostdevs[i];
> - virUSBDevicePtr usb;
> + virUSBDevicePtr usb = NULL;
> + virSCSIDevicePtr scsi = NULL;
>
> if (hostdev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
> continue;
> - if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB)
> - continue;
> - if (hostdev->missing)
> - continue;
> + switch (hostdev->source.subsys.type) {
> + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB:
> + if (hostdev->missing)
> + continue;
>
> - if ((usb = virUSBDeviceNew(hostdev->source.subsys.u.usb.bus,
> - hostdev->source.subsys.u.usb.device,
> - NULL)) == NULL)
> - goto cleanup;
> + if ((usb = virUSBDeviceNew(hostdev->source.subsys.u.usb.bus,
> + hostdev->source.subsys.u.usb.device,
> + NULL)) == NULL)
> + goto cleanup;
>
> - if (virUSBDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup,
> - &data) < 0) {
> + if (virUSBDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup,
> + &data) < 0) {
> + goto cleanup;
> + }
> virUSBDeviceFree(usb);
> - goto cleanup;
> + break;
> + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI:
> + if ((scsi = virSCSIDeviceNew(hostdev->source.subsys.u.scsi.adapter,
> + hostdev->source.subsys.u.scsi.bus,
> + hostdev->source.subsys.u.scsi.target,
> + hostdev->source.subsys.u.scsi.unit,
> + hostdev->readonly))== NULL)
> + goto cleanup;
> +
> + if (virSCSIDeviceFileIterate(scsi, qemuSetupHostScsiDeviceCgroup,
> + &data) < 0) {
> + virSCSIDeviceFree(scsi);
> + goto cleanup;
> + }
> + virSCSIDeviceFree(scsi);
> + break;
> }
> - virUSBDeviceFree(usb);
> }
> }
>
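Review bot: The reworked USB branch leaks `usb` on the error path: when virUSBDeviceFileIterate() fails it now jumps straight to cleanup without freeing, and since `usb` is declared inside the loop body the cleanup label cannot release it, whereas the removed code freed it first and the new SCSI branch does (`virSCSIDeviceFree(scsi); goto cleanup;`). Add `virUSBDeviceFree(usb);` before that `goto cleanup;` so the two branches match. The `hostdev->missing` check now applies only to USB; if `missing` is meaningful for SCSI hostdevs as well it should be hoisted above the switch, otherwise a `default: break;` case would make explicit that other subsystem types are intentionally skipped. Spacing in `hostdev->readonly))== NULL` should be `)) == NULL`. qemuSetupCgroup starts and ends outside the hunk.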
> diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h
> index a677d07..b9c6807 100644
> --- a/src/qemu/qemu_cgroup.h
> +++ b/src/qemu/qemu_cgroup.h
> @@ -45,6 +45,9 @@ int qemuTeardownDiskCgroup(virDomainObjPtr vm,
> int qemuSetupHostUsbDeviceCgroup(virUSBDevicePtr dev,
> const char *path,
> void *opaque);
> +int qemuSetupHostScsiDeviceCgroup(virSCSIDevicePtr dev,
> + const char *path,
> + void *opaque);
Indentation.
Otherwise looks good.