[PATCH 2/2] qemu_cgroup: Introduce qemuCgroupAllowDevicesPaths()
Martin Kletzander
mkletzan at redhat.com
Thu Jul 21 12:40:49 UTC 2022
On Thu, Jul 21, 2022 at 12:45:29PM +0200, Michal Prívozník wrote:
>On 7/21/22 12:31, Michal Privoznik wrote:
>> We have qemuCgroupAllowDevicePath() which sets up devices
>> controller for just one path. And if we have more paths we have
>> to call it in a loop. So far, we have just one such place, but
>> soon we'll have another one (for SGX memory). Separate the loop
>> into its own function so that it can be reused.
>>
>> And while at it, move setting the default set of devices as the
>> first thing, right after all devices are disallowed.
>>
>> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
>> ---
>> src/qemu/qemu_cgroup.c | 51 +++++++++++++++++++++++++++++-------------
>> 1 file changed, 36 insertions(+), 15 deletions(-)
>>
>> diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
>> index e012ba92c0..8339caeb53 100644
>> --- a/src/qemu/qemu_cgroup.c
>> +++ b/src/qemu/qemu_cgroup.c
>> @@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm,
>> }
>>
>>
>> +static int
>> +qemuCgroupAllowDevicesPaths(virDomainObj *vm,
>> + const char *const *deviceACL,
>> + int perms,
>> + bool ignoreEacces)
>> +{
>> + size_t i;
>> +
>> + for (i = 0; deviceACL[i] != NULL; i++) {
>> + int rv;
>> +
>> + if (!virFileExists(deviceACL[i])) {
>> + VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
>> + continue;
>> + }
>> +
>> + rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces);
>> + if (rv < 0 &&
>> + !virLastErrorIsSystemErrno(ENOENT))
>> + return -1;
>> + }
>> +
>> + return 0;
>> +}
>> +
>> +
>> static int
>> qemuCgroupDenyDevicePath(virDomainObj *vm,
>> const char *path,
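Review bot: In the loop of qemuCgroupAllowDevicesPaths(), the `rv < 0 && !virLastErrorIsSystemErrno(ENOENT)` check lets an ENOENT failure fall through and the function then returns 0, but nothing in the visible lines resets the error that qemuCgroupAllowDevicePath() reported. Consider calling virResetLastError() in that case, so a swallowed failure cannot surface later attached to an unrelated operation. Since virFileExists() already skips missing paths, a short comment saying that the ENOENT tolerance covers a device vanishing between the existence check and the cgroup update would help, as would a doc comment stating that deviceACL must be NULL-terminated and that missing devices are skipped silently.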
>> @@ -659,6 +685,10 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
>> if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
>> return 0;
>>
>> + deviceACL = cfg->cgroupDeviceACL ?
>> + (const char *const *)cfg->cgroupDeviceACL :
>> + defaultDeviceACL;
>> +
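Review bot: The deviceACL assignment added near the top of qemuSetupDevicesCgroup() has no consumer in the lines shown. The hunk contains neither a declaration for it nor a call to qemuCgroupAllowDevicesPaths(), so it cannot be checked against the reordering described in the commit message. Either drop it, or keep the selection between cfg->cgroupDeviceACL and defaultDeviceACL next to the call that uses it, so the `(const char *const *)` cast and the fallback stay in one place.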
>
>OOOps, this hunk does not belong here. I've screwed up conflict
>resolution. Consider fixed locally.
>
With this hunk removed
Reviewed-by: Martin Kletzander <mkletzan at redhat.com>