[PATCH] qemu: do not allow /dev/rtc or /dev/hpet access via the devices cgroup

Paolo Bonzini pbonzini at redhat.com
Tue May 19 09:58:13 UTC 2020


On 19/05/20 10:58, Michal Privoznik wrote:
> 
> Ah, could it be because of the stray comma? From qemu.conf:
> 
> #cgroup_device_acl = [
> #    "/dev/null", "/dev/full", "/dev/zero",
> #    "/dev/random", "/dev/urandom",
> #    "/dev/ptmx", "/dev/kvm",
> #]
> 
> Let me check if removing the comma after /dev/kvm fixes the build.

It does.  I forgot to commit it, sorry. :(

Though perhaps accepting the trailing comma is better; that would be
something like the following untested patch:

diff --git a/src/bhyve/libvirtd_bhyve.aug b/src/bhyve/libvirtd_bhyve.aug
index 66079376c4..9f4e582ab9 100644
--- a/src/bhyve/libvirtd_bhyve.aug
+++ b/src/bhyve/libvirtd_bhyve.aug
@@ -15,7 +15,7 @@ module Libvirtd_bhyve =
    let bool_val = store /0|1/
    let int_val = store /[0-9]+/
    let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
-   let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+   let str_array_val = counter "el" . array_start . ( ( str_array_element . array_sep ) * . str_array_element ? ) ? . array_end
 
    let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
    let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]
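Review bot: The outer `?` on the new `str_array_val` line wraps a group that can already match the empty string (both `( str_array_element . array_sep ) *` and `str_array_element ?` may be empty), and Augeas rejects `l?` when `l` matches empty as an illegal optional expression, so this lens will most likely fail to typecheck rather than accept the trailing comma. Dropping the outer group keeps the intended language (empty list, `a`, `a, b`, `a, b,`): `let str_array_val = counter "el" . array_start . ( str_array_element . array_sep ) * . str_array_element ? . array_end`. The same line is changed identically in the libxl, virtlockd, virtlogd, lxc and qemu lenses in the following hunks, so the fix applies to all six; since this is six copies of one definition, a comment such as `(* trailing separator after the last element is accepted *)` above the line would help the next person to edit all of them. Whether whitespace between a trailing `array_sep` and `array_end` is consumed depends on how `array_sep` and `array_end` are defined outside the hunk, so a test with the qemu.conf example (comma after "/dev/kvm", newline, `]`) should be added before this is committed.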
diff --git a/src/libxl/libvirtd_libxl.aug b/src/libxl/libvirtd_libxl.aug
index 58b9af3707..39049cf139 100644
--- a/src/libxl/libvirtd_libxl.aug
+++ b/src/libxl/libvirtd_libxl.aug
@@ -15,7 +15,7 @@ module Libvirtd_libxl =
    let bool_val = store /0|1/
    let int_val = store /[0-9]+/
    let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
-   let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+   let str_array_val = counter "el" . array_start . ( ( str_array_element . array_sep ) * . str_array_element ? ) ? . array_end
 
    let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
    let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]
diff --git a/src/locking/virtlockd.aug b/src/locking/virtlockd.aug
index 06d508e6e5..66eb4125ad 100644
--- a/src/locking/virtlockd.aug
+++ b/src/locking/virtlockd.aug
@@ -15,7 +15,7 @@ module Virtlockd =
    let bool_val = store /0|1/
    let int_val = store /[0-9]+/
    let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
-   let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+   let str_array_val = counter "el" . array_start . ( ( str_array_element . array_sep ) * . str_array_element ? ) ? . array_end
 
    let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
    let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]
diff --git a/src/logging/virtlogd.aug b/src/logging/virtlogd.aug
index 04580734d6..60bbf44305 100644
--- a/src/logging/virtlogd.aug
+++ b/src/logging/virtlogd.aug
@@ -15,7 +15,7 @@ module Virtlogd =
    let bool_val = store /0|1/
    let int_val = store /[0-9]+/
    let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
-   let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+   let str_array_val = counter "el" . array_start . ( ( str_array_element . array_sep ) * . str_array_element ? ) ? . array_end
 
    let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
    let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]
diff --git a/src/lxc/libvirtd_lxc.aug b/src/lxc/libvirtd_lxc.aug
index be6402cc01..e6ab5f0dde 100644
--- a/src/lxc/libvirtd_lxc.aug
+++ b/src/lxc/libvirtd_lxc.aug
@@ -15,7 +15,7 @@ module Libvirtd_lxc =
    let bool_val = store /0|1/
    let int_val = store /[0-9]+/
    let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
-   let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+   let str_array_val = counter "el" . array_start . ( ( str_array_element . array_sep ) * . str_array_element ? ) ? . array_end
 
    let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
    let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index 404498b611..aceace7d86 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -15,7 +15,7 @@ module Libvirtd_qemu =
    let bool_val = store /0|1/
    let int_val = store /[0-9]+/
    let str_array_element = [ seq "el" . str_val ] . del /[ \t\n]*/ ""
-   let str_array_val = counter "el" . array_start . ( str_array_element . ( array_sep . str_array_element ) * ) ? . array_end
+   let str_array_val = counter "el" . array_start . ( ( str_array_element . array_sep ) * . str_array_element ? ) ? . array_end
 
    let str_entry       (kw:string) = [ key kw . value_sep . str_val ]
    let bool_entry      (kw:string) = [ key kw . value_sep . bool_val ]



