[libvirt PATCH 15/15] qemu-cgroup: drop the need for privileges to use cgroup

marcandre.lureau at redhat.com marcandre.lureau at redhat.com
Mon Apr 6 21:27:12 UTC 2020


From: Marc-André Lureau <marcandre.lureau at redhat.com>

CGroup delegation can allow various processes or users to use
cgroup. Further checks should be done by the various backends.

With this series, a qemu:///session VM can have basic CGroupv2 support
with machined --user help.

Signed-off-by: Marc-André Lureau <marcandre.lureau at redhat.com>
---
 src/qemu/qemu_cgroup.c | 3 ---
 src/util/vircgroup.c   | 5 +++++
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index c288519e62..0f80dd4214 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -914,9 +914,6 @@ qemuInitCgroup(virDomainObjPtr vm,
     qemuDomainObjPrivatePtr priv = vm->privateData;
     g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
 
-    if (!virQEMUDriverIsPrivileged(priv->driver))
-        return 0;
-
     if (!virCgroupAvailable())
         return 0;
 
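Review bot: Dropping the `virQEMUDriverIsPrivileged(priv->driver)` early return at the top of qemuInitCgroup leaves `virCgroupAvailable()` as the only gate for a session driver, and nothing in the hunk says where the unprivileged case is now decided. The commit message defers this to "the various backends", so a short comment here naming the check that replaces it would help. Since the diffstat shows only these three lines changing in qemu_cgroup.c, please also confirm that no other function in the file relied on this return leaving a session driver without a cgroup.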
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index 70d85200cb..4e71677994 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -1254,6 +1254,11 @@ virCgroupNewMachine(const char *name,
     if (rv == -1)
         return -1;
 
+    if (geteuid() != 0) {
+        errno = EPERM;
+        return 0;
+    }
+
     return virCgroupNewMachineManual(name,
                                      drivername,
                                      pidleader,
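Review bot: The new `geteuid() != 0` branch sets `errno = EPERM` and then does `return 0`, so the caller is told the call succeeded while errno says it was refused. Either return -1 so the failure is visible, or drop the errno assignment and add a comment stating that skipping virCgroupNewMachineManual for a non-root caller is a deliberate no-op and that no cgroup has been created when 0 comes back on this path. The check that was removed on the qemu side used virQEMUDriverIsPrivileged() while this one tests the effective UID directly, so a one-line comment on why the manual fallback in particular needs root would make the intent clear.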
-- 
2.26.0.rc2.42.g98cedd0233



