2010-12-16 16:10:54 +00:00
|
|
|
/*
|
|
|
|
* qemu_cgroup.c: QEMU cgroup management
|
|
|
|
*
|
2015-03-11 11:17:15 +01:00
|
|
|
* Copyright (C) 2006-2015 Red Hat, Inc.
|
2010-12-16 16:10:54 +00:00
|
|
|
* Copyright (C) 2006 Daniel P. Berrange
|
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 16:30:55 -06:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 18:06:23 +08:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2010-12-16 16:10:54 +00:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
|
|
#include "qemu_cgroup.h"
|
2011-07-21 10:10:31 +08:00
|
|
|
#include "qemu_domain.h"
|
2018-04-05 15:06:55 -04:00
|
|
|
#include "qemu_extdevice.h"
|
2019-09-17 10:06:26 +02:00
|
|
|
#include "qemu_hostdev.h"
|
2012-12-12 17:59:27 +00:00
|
|
|
#include "virlog.h"
|
2012-12-13 18:21:53 +00:00
|
|
|
#include "virerror.h"
|
Move qemu_audit.h helpers into shared code
The LXC and UML drivers can both make use of auditing. Move
the qemu_audit.{c,h} files to src/conf/domain_audit.{c,h}
* src/conf/domain_audit.c: Rename from src/qemu/qemu_audit.c
* src/conf/domain_audit.h: Rename from src/qemu/qemu_audit.h
* src/Makefile.am: Remove qemu_audit.{c,h}, add domain_audit.{c,h}
* src/qemu/qemu_audit.h, src/qemu/qemu_cgroup.c,
src/qemu/qemu_command.c, src/qemu/qemu_driver.c,
src/qemu/qemu_hotplug.c, src/qemu/qemu_migration.c,
src/qemu/qemu_process.c: Update for changed audit API names
2011-07-04 11:56:13 +01:00
|
|
|
#include "domain_audit.h"
|
2020-02-17 16:29:11 -05:00
|
|
|
#include "domain_cgroup.h"
|
2013-09-13 15:32:43 +02:00
|
|
|
#include "virfile.h"
|
2018-04-05 09:34:25 +02:00
|
|
|
#include "virdevmapper.h"
|
2021-09-20 14:30:59 +02:00
|
|
|
#include "virglibutil.h"
|
2010-12-16 16:10:54 +00:00
|
|
|
|
|
|
|
#define VIR_FROM_THIS VIR_FROM_QEMU
|
|
|
|
|
2014-02-28 12:16:17 +00:00
|
|
|
VIR_LOG_INIT("qemu.qemu_cgroup");
|
|
|
|
|
2016-11-15 11:28:51 +01:00
|
|
|
const char *const defaultDeviceACL[] = {
|
2010-12-16 16:10:54 +00:00
|
|
|
"/dev/null", "/dev/full", "/dev/zero",
|
|
|
|
"/dev/random", "/dev/urandom",
|
2019-02-18 16:13:30 +01:00
|
|
|
"/dev/ptmx", "/dev/kvm",
|
2010-12-16 16:10:54 +00:00
|
|
|
NULL,
|
|
|
|
};
|
|
|
|
#define DEVICE_PTY_MAJOR 136
|
|
|
|
#define DEVICE_SND_MAJOR 116
|
|
|
|
|
2016-02-16 15:46:40 +01:00
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
static int
|
|
|
|
qemuCgroupAllowDevicePath(virDomainObj *vm,
|
|
|
|
const char *path,
|
|
|
|
int perms,
|
|
|
|
bool ignoreEacces)
|
|
|
|
{
|
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
VIR_DEBUG("Allow path %s, perms: %s",
|
|
|
|
path, virCgroupGetDevicePermsString(perms));
|
|
|
|
|
|
|
|
ret = virCgroupAllowDevicePath(priv->cgroup, path, perms, ignoreEacces);
|
|
|
|
|
|
|
|
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path,
|
|
|
|
virCgroupGetDevicePermsString(perms), ret);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2022-07-21 11:06:26 +02:00
|
|
|
static int
|
|
|
|
qemuCgroupAllowDevicesPaths(virDomainObj *vm,
|
|
|
|
const char *const *deviceACL,
|
|
|
|
int perms,
|
|
|
|
bool ignoreEacces)
|
|
|
|
{
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
for (i = 0; deviceACL[i] != NULL; i++) {
|
|
|
|
if (!virFileExists(deviceACL[i])) {
|
|
|
|
VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2022-07-27 10:31:03 +02:00
|
|
|
if (qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces) < 0)
|
2022-07-21 11:06:26 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2022-03-15 12:41:45 +01:00
|
|
|
static int
|
|
|
|
qemuCgroupDenyDevicePath(virDomainObj *vm,
|
|
|
|
const char *path,
|
|
|
|
int perms,
|
|
|
|
bool ignoreEacces)
|
|
|
|
{
|
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2022-03-15 12:45:54 +01:00
|
|
|
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
|
|
|
|
const char *const *deviceACL = (const char *const *)cfg->cgroupDeviceACL;
|
2022-03-15 12:41:45 +01:00
|
|
|
int ret;
|
|
|
|
|
2022-03-15 12:45:54 +01:00
|
|
|
if (!deviceACL)
|
|
|
|
deviceACL = defaultDeviceACL;
|
|
|
|
|
|
|
|
if (g_strv_contains(deviceACL, path)) {
|
|
|
|
VIR_DEBUG("Skipping deny of path %s in CGroups because it's in cgroupDeviceACL",
|
|
|
|
path);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2022-03-15 12:41:45 +01:00
|
|
|
VIR_DEBUG("Deny path %s, perms: %s",
|
|
|
|
path, virCgroupGetDevicePermsString(perms));
|
|
|
|
|
|
|
|
ret = virCgroupDenyDevicePath(priv->cgroup, path, perms, ignoreEacces);
|
|
|
|
|
|
|
|
virDomainAuditCgroupPath(vm, priv->cgroup, "deny", path,
|
|
|
|
virCgroupGetDevicePermsString(perms), ret);
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-06-20 14:05:05 +02:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupImagePathCgroup(virDomainObj *vm,
|
2016-02-16 15:46:40 +01:00
|
|
|
const char *path,
|
|
|
|
bool readonly)
|
2010-12-16 16:10:54 +00:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2014-06-18 13:09:05 +02:00
|
|
|
int perms = VIR_CGROUP_DEVICE_READ;
|
2021-09-20 14:30:59 +02:00
|
|
|
g_autoptr(virGSListString) targetPaths = NULL;
|
|
|
|
GSList *n;
|
2018-04-05 09:34:25 +02:00
|
|
|
int rv;
|
2010-12-16 16:10:54 +00:00
|
|
|
|
2016-02-16 15:46:40 +01:00
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
2014-06-18 13:09:05 +02:00
|
|
|
return 0;
|
|
|
|
|
2016-02-18 10:19:51 +01:00
|
|
|
if (!readonly)
|
2016-02-16 15:37:01 +01:00
|
|
|
perms |= VIR_CGROUP_DEVICE_WRITE;
|
2014-06-18 13:09:05 +02:00
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
rv = qemuCgroupAllowDevicePath(vm, path, perms, true);
|
2018-04-05 09:34:25 +02:00
|
|
|
if (rv < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2018-04-05 09:34:25 +02:00
|
|
|
|
|
|
|
if (rv > 0) {
|
|
|
|
/* @path is neither character device nor block device. */
|
2020-03-31 21:14:07 +05:30
|
|
|
return 0;
|
2018-04-05 09:34:25 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (virDevMapperGetTargets(path, &targetPaths) < 0 &&
|
2020-07-23 17:08:46 +02:00
|
|
|
errno != ENOSYS) {
|
2018-04-05 09:34:25 +02:00
|
|
|
virReportSystemError(errno,
|
|
|
|
_("Unable to get devmapper targets for %s"),
|
|
|
|
path);
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2018-04-05 09:34:25 +02:00
|
|
|
}
|
2013-07-08 11:08:46 +01:00
|
|
|
|
2021-09-20 14:30:59 +02:00
|
|
|
for (n = targetPaths; n; n = n->next) {
|
2022-03-15 16:08:24 +01:00
|
|
|
if (qemuCgroupAllowDevicePath(vm, n->data, perms, false) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2018-04-05 09:34:25 +02:00
|
|
|
}
|
|
|
|
|
2020-03-31 21:14:07 +05:30
|
|
|
return 0;
|
2010-12-16 16:10:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-02-16 15:46:40 +01:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupImageCgroupInternal(virDomainObj *vm,
|
|
|
|
virStorageSource *src,
|
2016-02-16 15:46:40 +01:00
|
|
|
bool forceReadonly)
|
|
|
|
{
|
2019-06-24 12:34:45 +02:00
|
|
|
g_autofree char *path = NULL;
|
|
|
|
bool readonly = src->readonly || forceReadonly;
|
|
|
|
|
|
|
|
if (src->type == VIR_STORAGE_TYPE_NVME) {
|
|
|
|
/* Even though disk is R/O we can't make it so in
|
|
|
|
* CGroups. QEMU will try to do some ioctl()-s over the
|
|
|
|
* device and such operations are considered R/W by the
|
|
|
|
* kernel */
|
|
|
|
readonly = false;
|
|
|
|
|
|
|
|
if (!(path = virPCIDeviceAddressGetIOMMUGroupDev(&src->nvme->pciAddr)))
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (qemuSetupImagePathCgroup(vm, QEMU_DEV_VFIO, false) < 0)
|
|
|
|
return -1;
|
|
|
|
} else {
|
|
|
|
if (!src->path || !virStorageSourceIsLocalStorage(src)) {
|
|
|
|
VIR_DEBUG("Not updating cgroups for disk path '%s', type: %s",
|
|
|
|
NULLSTR(src->path), virStorageTypeToString(src->type));
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
path = g_strdup(src->path);
|
2016-02-16 15:46:40 +01:00
|
|
|
}
|
|
|
|
|
2018-04-10 08:00:59 +02:00
|
|
|
if (virStoragePRDefIsManaged(src->pr) &&
|
2019-06-25 13:21:39 +02:00
|
|
|
virFileExists(QEMU_DEVICE_MAPPER_CONTROL_PATH) &&
|
|
|
|
qemuSetupImagePathCgroup(vm, QEMU_DEVICE_MAPPER_CONTROL_PATH, false) < 0)
|
2018-04-10 08:00:59 +02:00
|
|
|
return -1;
|
|
|
|
|
2019-06-24 12:34:45 +02:00
|
|
|
return qemuSetupImagePathCgroup(vm, path, readonly);
|
2016-02-16 15:46:40 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2014-06-20 14:05:05 +02:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupImageCgroup(virDomainObj *vm,
|
|
|
|
virStorageSource *src)
|
2014-06-20 14:05:05 +02:00
|
|
|
{
|
2016-02-16 15:37:01 +01:00
|
|
|
return qemuSetupImageCgroupInternal(vm, src, false);
|
2016-02-15 16:15:58 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuTeardownImageCgroup(virDomainObj *vm,
|
|
|
|
virStorageSource *src)
|
2016-02-15 16:15:58 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2019-06-24 12:34:45 +02:00
|
|
|
g_autofree char *path = NULL;
|
2018-04-10 08:00:59 +02:00
|
|
|
int perms = VIR_CGROUP_DEVICE_RWM;
|
2019-06-24 12:34:45 +02:00
|
|
|
bool hasPR = false;
|
|
|
|
bool hasNVMe = false;
|
2018-04-10 08:00:59 +02:00
|
|
|
size_t i;
|
2016-02-16 15:37:01 +01:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (!virCgroupHasController(priv->cgroup,
|
|
|
|
VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2019-06-24 12:34:45 +02:00
|
|
|
for (i = 0; i < vm->def->ndisks; i++) {
|
2021-03-11 08:16:13 +01:00
|
|
|
virStorageSource *diskSrc = vm->def->disks[i]->src;
|
2016-02-16 15:37:01 +01:00
|
|
|
|
2019-06-24 12:34:45 +02:00
|
|
|
if (src == diskSrc)
|
|
|
|
continue;
|
2018-07-13 14:34:28 +02:00
|
|
|
|
2019-06-24 12:34:45 +02:00
|
|
|
if (virStoragePRDefIsManaged(diskSrc->pr))
|
|
|
|
hasPR = true;
|
2018-07-13 14:34:28 +02:00
|
|
|
|
2019-06-24 12:34:45 +02:00
|
|
|
if (virStorageSourceChainHasNVMe(diskSrc))
|
|
|
|
hasNVMe = true;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (src->type == VIR_STORAGE_TYPE_NVME) {
|
|
|
|
if (!(path = virPCIDeviceAddressGetIOMMUGroupDev(&src->nvme->pciAddr)))
|
|
|
|
return -1;
|
2018-07-13 14:34:28 +02:00
|
|
|
|
2019-06-24 12:34:45 +02:00
|
|
|
if (!hasNVMe &&
|
|
|
|
!qemuDomainNeedsVFIO(vm->def)) {
|
2022-03-15 12:41:45 +01:00
|
|
|
ret = qemuCgroupDenyDevicePath(vm, QEMU_DEV_VFIO, perms, true);
|
|
|
|
|
2018-07-13 14:34:28 +02:00
|
|
|
if (ret < 0)
|
2019-06-24 12:34:45 +02:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
if (!src->path || !virStorageSourceIsLocalStorage(src)) {
|
|
|
|
VIR_DEBUG("Not updating cgroups for disk path '%s', type: %s",
|
|
|
|
NULLSTR(src->path), virStorageTypeToString(src->type));
|
|
|
|
return 0;
|
2018-07-13 14:34:28 +02:00
|
|
|
}
|
2019-06-24 12:34:45 +02:00
|
|
|
|
|
|
|
path = g_strdup(src->path);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!hasPR &&
|
|
|
|
virFileExists(QEMU_DEVICE_MAPPER_CONTROL_PATH)) {
|
2022-03-15 12:41:45 +01:00
|
|
|
ret = qemuCgroupDenyDevicePath(vm, QEMU_DEVICE_MAPPER_CONTROL_PATH,
|
|
|
|
perms, true);
|
|
|
|
|
2019-06-24 12:34:45 +02:00
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
2018-04-10 08:00:59 +02:00
|
|
|
}
|
|
|
|
|
2019-06-24 12:34:45 +02:00
|
|
|
VIR_DEBUG("Deny path %s", path);
|
2016-02-16 15:37:01 +01:00
|
|
|
|
2022-03-15 12:41:45 +01:00
|
|
|
ret = qemuCgroupDenyDevicePath(vm, path, perms, true);
|
2016-02-16 15:37:01 +01:00
|
|
|
|
2018-04-05 09:34:25 +02:00
|
|
|
/* If you're looking for a counter part to
|
|
|
|
* qemuSetupImagePathCgroup you're at the right place.
|
|
|
|
* However, we can't just blindly deny all the device mapper
|
|
|
|
* targets of src->path because they might still be used by
|
|
|
|
* another disk in domain. Just like we are not removing
|
|
|
|
* disks from namespace. */
|
|
|
|
|
2016-02-16 15:37:01 +01:00
|
|
|
return ret;
|
2014-06-20 14:05:05 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-07-18 11:29:27 +02:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupImageChainCgroup(virDomainObj *vm,
|
|
|
|
virStorageSource *src)
|
2010-12-16 16:10:54 +00:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
virStorageSource *next;
|
2014-06-20 14:05:05 +02:00
|
|
|
bool forceReadonly = false;
|
2013-07-08 11:08:46 +01:00
|
|
|
|
2019-01-16 15:49:07 +01:00
|
|
|
for (next = src; virStorageSourceIsBacking(next); next = next->backingStore) {
|
2016-02-16 15:37:01 +01:00
|
|
|
if (qemuSetupImageCgroupInternal(vm, next, forceReadonly) < 0)
|
2014-06-18 13:09:05 +02:00
|
|
|
return -1;
|
2014-06-20 14:05:05 +02:00
|
|
|
|
|
|
|
/* setup only the top level image for read-write */
|
|
|
|
forceReadonly = true;
|
2010-12-16 16:10:54 +00:00
|
|
|
}
|
2014-06-18 13:09:05 +02:00
|
|
|
|
|
|
|
return 0;
|
2010-12-16 16:10:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-07-18 11:29:27 +02:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuTeardownImageChainCgroup(virDomainObj *vm,
|
|
|
|
virStorageSource *src)
|
2010-12-16 16:10:54 +00:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
virStorageSource *next;
|
2013-03-21 14:40:29 +00:00
|
|
|
|
2019-01-16 15:49:07 +01:00
|
|
|
for (next = src; virStorageSourceIsBacking(next); next = next->backingStore) {
|
2016-02-16 15:37:01 +01:00
|
|
|
if (qemuTeardownImageCgroup(vm, next) < 0)
|
2014-06-18 13:09:05 +02:00
|
|
|
return -1;
|
|
|
|
}
|
2013-03-21 14:40:29 +00:00
|
|
|
|
2014-06-18 13:09:05 +02:00
|
|
|
return 0;
|
2010-12-16 16:10:54 +00:00
|
|
|
}
|
|
|
|
|
2014-06-18 13:09:05 +02:00
|
|
|
|
2011-02-15 19:18:40 -07:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupChrSourceCgroup(virDomainObj *vm,
|
|
|
|
virDomainChrSourceDef *source)
|
2010-12-16 16:10:54 +00:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2010-12-16 16:10:54 +00:00
|
|
|
|
2017-02-22 15:20:15 +01:00
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2015-11-19 16:26:56 +01:00
|
|
|
if (source->type != VIR_DOMAIN_CHR_TYPE_DEV)
|
2010-12-16 16:10:54 +00:00
|
|
|
return 0;
|
|
|
|
|
2015-11-19 16:26:56 +01:00
|
|
|
VIR_DEBUG("Process path '%s' for device", source->data.file.path);
|
2010-12-16 16:10:54 +00:00
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
return qemuCgroupAllowDevicePath(vm, source->data.file.path,
|
|
|
|
VIR_CGROUP_DEVICE_RW, false);
|
2010-12-16 16:10:54 +00:00
|
|
|
}
|
|
|
|
|
2016-11-18 11:45:44 +01:00
|
|
|
|
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuTeardownChrSourceCgroup(virDomainObj *vm,
|
|
|
|
virDomainChrSourceDef *source)
|
2016-11-18 11:45:44 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2016-11-18 11:45:44 +01:00
|
|
|
|
2017-02-22 15:20:15 +01:00
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2016-11-18 11:45:44 +01:00
|
|
|
if (source->type != VIR_DOMAIN_CHR_TYPE_DEV)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
VIR_DEBUG("Process path '%s' for device", source->data.file.path);
|
|
|
|
|
2022-03-15 12:41:45 +01:00
|
|
|
return qemuCgroupDenyDevicePath(vm, source->data.file.path,
|
|
|
|
VIR_CGROUP_DEVICE_RW, false);
|
2016-11-18 11:45:44 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-04-12 16:55:46 -04:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupChardevCgroupCB(virDomainDef *def G_GNUC_UNUSED,
|
|
|
|
virDomainChrDef *dev,
|
2016-11-18 11:45:44 +01:00
|
|
|
void *opaque)
|
2013-04-12 16:55:46 -04:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
virDomainObj *vm = opaque;
|
2015-11-19 14:25:44 +01:00
|
|
|
|
2016-10-21 07:45:54 -04:00
|
|
|
return qemuSetupChrSourceCgroup(vm, dev->source);
|
2013-04-12 16:55:46 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupTPMCgroup(virDomainObj *vm,
|
|
|
|
virDomainTPMDef *dev)
|
2013-04-12 16:55:46 -04:00
|
|
|
{
|
|
|
|
switch (dev->type) {
|
|
|
|
case VIR_DOMAIN_TPM_TYPE_PASSTHROUGH:
|
2021-11-23 17:34:36 +01:00
|
|
|
return qemuSetupChrSourceCgroup(vm, dev->data.passthrough.source);
|
2017-04-04 12:22:31 -04:00
|
|
|
case VIR_DOMAIN_TPM_TYPE_EMULATOR:
|
2013-04-12 16:55:46 -04:00
|
|
|
case VIR_DOMAIN_TPM_TYPE_LAST:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2021-11-23 17:34:36 +01:00
|
|
|
return 0;
|
2013-04-12 16:55:46 -04:00
|
|
|
}
|
|
|
|
|
2010-12-16 16:10:54 +00:00
|
|
|
|
2017-11-21 13:33:07 +01:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupInputCgroup(virDomainObj *vm,
|
|
|
|
virDomainInputDef *dev)
|
2015-11-19 14:32:22 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2015-11-19 14:32:22 +01:00
|
|
|
int ret = 0;
|
|
|
|
|
2017-02-22 15:20:15 +01:00
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2015-11-19 14:32:22 +01:00
|
|
|
switch (dev->type) {
|
|
|
|
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
|
2021-05-21 13:01:07 +02:00
|
|
|
case VIR_DOMAIN_INPUT_TYPE_EVDEV:
|
2022-03-15 16:08:24 +01:00
|
|
|
return qemuCgroupAllowDevicePath(vm, dev->source.evdev,
|
|
|
|
VIR_CGROUP_DEVICE_RW, false);
|
2015-11-19 14:32:22 +01:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-11-21 13:33:07 +01:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuTeardownInputCgroup(virDomainObj *vm,
|
|
|
|
virDomainInputDef *dev)
|
2017-11-21 13:33:07 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2017-11-21 13:33:07 +01:00
|
|
|
|
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
switch (dev->type) {
|
|
|
|
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
|
2021-05-21 13:01:07 +02:00
|
|
|
case VIR_DOMAIN_INPUT_TYPE_EVDEV:
|
2022-03-15 12:41:45 +01:00
|
|
|
return qemuCgroupDenyDevicePath(vm, dev->source.evdev,
|
|
|
|
VIR_CGROUP_DEVICE_RWM, false);
|
2017-11-21 13:33:07 +01:00
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2022-03-15 12:41:45 +01:00
|
|
|
return 0;
|
2017-11-21 13:33:07 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2019-09-17 10:06:26 +02:00
|
|
|
/**
|
|
|
|
* qemuSetupHostdevCgroup:
|
|
|
|
* vm: domain object
|
|
|
|
* @dev: device to allow
|
|
|
|
*
|
|
|
|
* For given host device @dev allow access to in Cgroups.
|
|
|
|
*
|
|
|
|
* Returns: 0 on success,
|
|
|
|
* -1 otherwise.
|
|
|
|
*/
|
2013-04-29 13:15:26 -04:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupHostdevCgroup(virDomainObj *vm,
|
|
|
|
virDomainHostdevDef *dev)
|
2013-04-29 13:15:26 -04:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2019-09-17 11:47:59 +02:00
|
|
|
g_autofree char *path = NULL;
|
|
|
|
int perms;
|
2013-04-29 13:15:26 -04:00
|
|
|
|
2017-02-22 15:20:15 +01:00
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2019-09-17 11:47:59 +02:00
|
|
|
if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0)
|
2019-09-17 11:57:04 +02:00
|
|
|
return -1;
|
2013-04-29 13:15:26 -04:00
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
if (path &&
|
|
|
|
qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) {
|
|
|
|
return -1;
|
2020-01-09 15:40:14 +01:00
|
|
|
}
|
2013-04-29 13:15:26 -04:00
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
if (qemuHostdevNeedsVFIO(dev) &&
|
|
|
|
qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO,
|
|
|
|
VIR_CGROUP_DEVICE_RW, false) < 0) {
|
|
|
|
return -1;
|
2019-09-17 10:06:26 +02:00
|
|
|
}
|
|
|
|
|
2019-09-17 11:57:04 +02:00
|
|
|
return 0;
|
2013-04-29 13:15:26 -04:00
|
|
|
}
|
|
|
|
|
2019-09-17 10:06:26 +02:00
|
|
|
|
|
|
|
/**
|
|
|
|
* qemuTeardownHostdevCgroup:
|
2022-01-10 15:48:54 +01:00
|
|
|
* @vm: domain object
|
2019-09-17 10:06:26 +02:00
|
|
|
* @dev: device to tear down
|
|
|
|
*
|
|
|
|
* For given host device @dev deny access to it in CGroups.
|
|
|
|
* Note, @dev must not be in @vm's definition.
|
|
|
|
*
|
|
|
|
* Returns: 0 on success,
|
|
|
|
* -1 otherwise.
|
|
|
|
*/
|
2013-04-29 13:15:26 -04:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuTeardownHostdevCgroup(virDomainObj *vm,
|
|
|
|
virDomainHostdevDef *dev)
|
2013-04-29 13:15:26 -04:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2019-09-17 11:47:59 +02:00
|
|
|
g_autofree char *path = NULL;
|
2013-04-29 13:15:26 -04:00
|
|
|
|
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2021-01-04 09:54:39 -03:00
|
|
|
/* Skip tearing down Cgroup for hostdevs that represents absent
|
|
|
|
* PCI devices, e.g. SR-IOV virtual functions that were removed from
|
|
|
|
* the host while the domain was still running. */
|
|
|
|
if (virHostdevIsPCIDevice(dev)) {
|
|
|
|
const virDomainHostdevSubsysPCI *pcisrc = &dev->source.subsys.u.pci;
|
|
|
|
|
|
|
|
if (!virPCIDeviceExists(&pcisrc->addr))
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-09-17 11:47:59 +02:00
|
|
|
if (qemuDomainGetHostdevPath(dev, &path, NULL) < 0)
|
2019-09-17 11:57:04 +02:00
|
|
|
return -1;
|
2017-02-09 14:14:09 +01:00
|
|
|
|
2022-03-15 12:41:45 +01:00
|
|
|
if (path &&
|
|
|
|
qemuCgroupDenyDevicePath(vm, path, VIR_CGROUP_DEVICE_RWM, false) < 0) {
|
|
|
|
return -1;
|
2020-01-09 15:40:14 +01:00
|
|
|
}
|
2013-04-29 13:15:26 -04:00
|
|
|
|
2019-09-17 10:06:26 +02:00
|
|
|
if (qemuHostdevNeedsVFIO(dev) &&
|
2022-03-15 12:41:45 +01:00
|
|
|
!qemuDomainNeedsVFIO(vm->def) &&
|
|
|
|
qemuCgroupDenyDevicePath(vm, QEMU_DEV_VFIO,
|
|
|
|
VIR_CGROUP_DEVICE_RWM, false) < 0) {
|
|
|
|
return -1;
|
2019-09-17 10:06:26 +02:00
|
|
|
}
|
|
|
|
|
2019-09-17 11:57:04 +02:00
|
|
|
return 0;
|
2013-04-29 13:15:26 -04:00
|
|
|
}
|
|
|
|
|
2017-02-09 17:53:53 +01:00
|
|
|
|
2017-02-22 16:33:12 +01:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
|
|
|
|
virDomainMemoryDef *mem)
|
2017-02-22 16:33:12 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2017-02-22 16:33:12 +01:00
|
|
|
|
2020-12-09 16:47:15 +01:00
|
|
|
if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
|
|
|
|
mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
|
2017-02-22 16:33:12 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
|
|
|
|
VIR_CGROUP_DEVICE_RW, false);
|
2017-02-22 16:33:12 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuTeardownMemoryDevicesCgroup(virDomainObj *vm,
|
|
|
|
virDomainMemoryDef *mem)
|
2017-02-22 16:33:12 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2017-02-22 16:33:12 +01:00
|
|
|
|
2020-12-09 16:47:15 +01:00
|
|
|
if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
|
|
|
|
mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
|
2017-02-22 16:33:12 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2022-03-15 12:41:45 +01:00
|
|
|
return qemuCgroupDenyDevicePath(vm, mem->nvdimmPath,
|
|
|
|
VIR_CGROUP_DEVICE_RWM, false);
|
2017-02-22 16:33:12 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2017-02-09 17:53:53 +01:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupGraphicsCgroup(virDomainObj *vm,
|
|
|
|
virDomainGraphicsDef *gfx)
|
2017-02-09 17:53:53 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2018-11-22 16:12:40 +01:00
|
|
|
const char *rendernode = virDomainGraphicsGetRenderNode(gfx);
|
2017-02-09 17:53:53 +01:00
|
|
|
|
2018-11-22 16:12:40 +01:00
|
|
|
if (!rendernode ||
|
|
|
|
!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
2017-02-09 17:53:53 +01:00
|
|
|
return 0;
|
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
return qemuCgroupAllowDevicePath(vm, rendernode, VIR_CGROUP_DEVICE_RW, false);
|
2017-02-09 17:53:53 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2019-09-23 14:44:28 +04:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupVideoCgroup(virDomainObj *vm,
|
|
|
|
virDomainVideoDef *def)
|
2019-09-23 14:44:28 +04:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
|
|
|
virDomainVideoAccelDef *accel = def->accel;
|
2019-09-23 14:44:28 +04:00
|
|
|
|
|
|
|
if (!accel)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!accel->rendernode ||
|
|
|
|
!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
return qemuCgroupAllowDevicePath(vm, accel->rendernode,
|
|
|
|
VIR_CGROUP_DEVICE_RW, false);
|
2019-09-23 14:44:28 +04:00
|
|
|
}
|
|
|
|
|
2016-02-16 16:26:01 +01:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupFirmwareCgroup(virDomainObj *vm)
|
2016-02-16 16:26:01 +01:00
|
|
|
{
|
|
|
|
if (!vm->def->os.loader)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (vm->def->os.loader->path &&
|
|
|
|
qemuSetupImagePathCgroup(vm, vm->def->os.loader->path,
|
|
|
|
vm->def->os.loader->readonly == VIR_TRISTATE_BOOL_YES) < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (vm->def->os.loader->nvram &&
|
2022-06-03 13:11:08 +02:00
|
|
|
qemuSetupImageCgroup(vm, vm->def->os.loader->nvram) < 0)
|
2016-02-16 16:26:01 +01:00
|
|
|
return -1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-11-18 11:17:51 +01:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupRNGCgroup(virDomainObj *vm,
|
|
|
|
virDomainRNGDef *rng)
|
2016-11-18 11:17:51 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2016-11-18 11:17:51 +01:00
|
|
|
|
2017-02-22 15:20:15 +01:00
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM &&
|
|
|
|
qemuCgroupAllowDevicePath(vm, rng->source.file,
|
|
|
|
VIR_CGROUP_DEVICE_RW, false) < 0) {
|
|
|
|
return -1;
|
2016-11-18 11:17:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuTeardownRNGCgroup(virDomainObj *vm,
|
|
|
|
virDomainRNGDef *rng)
|
2016-11-18 11:17:51 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2016-11-18 11:17:51 +01:00
|
|
|
|
2017-02-22 15:20:15 +01:00
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2022-03-15 12:41:45 +01:00
|
|
|
if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM &&
|
|
|
|
qemuCgroupDenyDevicePath(vm, rng->source.file,
|
|
|
|
VIR_CGROUP_DEVICE_RW, false) < 0) {
|
|
|
|
return -1;
|
2016-11-18 11:17:51 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-11-18 11:45:44 +01:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupChardevCgroup(virDomainObj *vm,
|
|
|
|
virDomainChrDef *dev)
|
2016-11-18 11:45:44 +01:00
|
|
|
{
|
|
|
|
return qemuSetupChrSourceCgroup(vm, dev->source);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuTeardownChardevCgroup(virDomainObj *vm,
|
|
|
|
virDomainChrDef *dev)
|
2016-11-18 11:45:44 +01:00
|
|
|
{
|
|
|
|
return qemuTeardownChrSourceCgroup(vm, dev->source);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2019-01-21 14:50:11 +01:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupSEVCgroup(virDomainObj *vm)
|
2019-01-21 14:50:11 +01:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2019-01-21 14:50:11 +01:00
|
|
|
|
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2022-03-15 16:08:24 +01:00
|
|
|
return qemuCgroupAllowDevicePath(vm, "/dev/sev",
|
|
|
|
VIR_CGROUP_DEVICE_RW, false);
|
2019-01-21 14:50:11 +01:00
|
|
|
}
|
|
|
|
|
2013-05-17 19:59:33 +08:00
|
|
|
static int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupDevicesCgroup(virDomainObj *vm)
|
2013-05-17 19:59:33 +08:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2020-03-31 21:14:07 +05:30
|
|
|
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
|
2022-07-21 12:23:53 +02:00
|
|
|
const char *const *deviceACL = (const char *const *) cfg->cgroupDeviceACL;
|
2013-07-08 11:08:46 +01:00
|
|
|
int rv = -1;
|
Convert 'int i' to 'size_t i' in src/qemu files
Convert the type of loop iterators named 'i', 'j', k',
'ii', 'jj', 'kk', to be 'size_t' instead of 'int' or
'unsigned int', also santizing 'ii', 'jj', 'kk' to use
the normal 'i', 'j', 'k' naming
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2013-07-08 15:09:33 +01:00
|
|
|
size_t i;
|
2013-05-17 19:59:33 +08:00
|
|
|
|
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
|
|
|
|
return 0;
|
|
|
|
|
2013-07-08 11:08:46 +01:00
|
|
|
rv = virCgroupDenyAllDevices(priv->cgroup);
|
|
|
|
virDomainAuditCgroup(vm, priv->cgroup, "deny", "all", rv == 0);
|
|
|
|
if (rv < 0) {
|
|
|
|
if (virLastErrorIsSystemErrno(EPERM)) {
|
|
|
|
virResetLastError();
|
2020-06-16 11:24:48 +01:00
|
|
|
VIR_WARN("Group devices ACL is not accessible, disabling filtering");
|
2013-05-17 19:59:33 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2013-05-17 19:59:33 +08:00
|
|
|
}
|
|
|
|
|
2022-07-21 11:06:26 +02:00
|
|
|
if (!deviceACL)
|
|
|
|
deviceACL = defaultDeviceACL;
|
|
|
|
|
|
|
|
if (qemuCgroupAllowDevicesPaths(vm, deviceACL, VIR_CGROUP_DEVICE_RW, false) < 0)
|
|
|
|
return -1;
|
|
|
|
|
2016-02-16 16:26:01 +01:00
|
|
|
if (qemuSetupFirmwareCgroup(vm) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2016-02-16 16:26:01 +01:00
|
|
|
|
2013-05-21 15:21:20 +08:00
|
|
|
for (i = 0; i < vm->def->ndisks; i++) {
|
2019-01-16 15:49:07 +01:00
|
|
|
if (qemuSetupImageChainCgroup(vm, vm->def->disks[i]->src) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2013-05-17 19:59:33 +08:00
|
|
|
}
|
|
|
|
|
2016-02-16 13:57:10 +01:00
|
|
|
rv = virCgroupAllowDevice(priv->cgroup, 'c', DEVICE_PTY_MAJOR, -1,
|
|
|
|
VIR_CGROUP_DEVICE_RW);
|
2013-05-17 19:59:33 +08:00
|
|
|
virDomainAuditCgroupMajor(vm, priv->cgroup, "allow", DEVICE_PTY_MAJOR,
|
2013-07-08 11:08:46 +01:00
|
|
|
"pty", "rw", rv == 0);
|
|
|
|
if (rv < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2013-05-17 19:59:33 +08:00
|
|
|
|
|
|
|
if (vm->def->nsounds &&
|
2013-08-17 15:30:47 -04:00
|
|
|
((!vm->def->ngraphics && cfg->nogfxAllowHostAudio) ||
|
2013-10-01 07:55:19 -04:00
|
|
|
(vm->def->graphics &&
|
|
|
|
((vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
|
2013-05-17 19:59:33 +08:00
|
|
|
cfg->vncAllowHostAudio) ||
|
2013-10-01 07:55:19 -04:00
|
|
|
(vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL))))) {
|
2016-02-16 13:57:10 +01:00
|
|
|
rv = virCgroupAllowDevice(priv->cgroup, 'c', DEVICE_SND_MAJOR, -1,
|
|
|
|
VIR_CGROUP_DEVICE_RW);
|
2013-05-17 19:59:33 +08:00
|
|
|
virDomainAuditCgroupMajor(vm, priv->cgroup, "allow", DEVICE_SND_MAJOR,
|
2013-07-08 11:08:46 +01:00
|
|
|
"sound", "rw", rv == 0);
|
|
|
|
if (rv < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2013-05-17 19:59:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (virDomainChrDefForeach(vm->def,
|
|
|
|
true,
|
2016-11-18 11:45:44 +01:00
|
|
|
qemuSetupChardevCgroupCB,
|
2013-05-17 19:59:33 +08:00
|
|
|
vm) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2013-05-17 19:59:33 +08:00
|
|
|
|
2020-06-10 15:11:47 -03:00
|
|
|
for (i = 0; i < vm->def->ntpms; i++) {
|
|
|
|
if (qemuSetupTPMCgroup(vm, vm->def->tpms[i]) < 0)
|
|
|
|
return -1;
|
|
|
|
}
|
2013-05-17 19:59:33 +08:00
|
|
|
|
|
|
|
for (i = 0; i < vm->def->nhostdevs; i++) {
|
2019-09-17 10:06:26 +02:00
|
|
|
/* This may allow /dev/vfio/vfio multiple times, but that
|
|
|
|
* is not a problem. Kernel will have only one record. */
|
2015-11-19 14:35:46 +01:00
|
|
|
if (qemuSetupHostdevCgroup(vm, vm->def->hostdevs[i]) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2013-05-17 19:59:33 +08:00
|
|
|
}
|
|
|
|
|
2017-02-22 16:33:12 +01:00
|
|
|
for (i = 0; i < vm->def->nmems; i++) {
|
|
|
|
if (qemuSetupMemoryDevicesCgroup(vm, vm->def->mems[i]) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2017-02-22 16:33:12 +01:00
|
|
|
}
|
|
|
|
|
2017-02-09 17:53:53 +01:00
|
|
|
for (i = 0; i < vm->def->ngraphics; i++) {
|
|
|
|
if (qemuSetupGraphicsCgroup(vm, vm->def->graphics[i]) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2019-09-23 14:44:28 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
for (i = 0; i < vm->def->nvideos; i++) {
|
|
|
|
if (qemuSetupVideoCgroup(vm, vm->def->videos[i]) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2017-02-09 17:53:53 +01:00
|
|
|
}
|
|
|
|
|
2015-11-19 14:32:22 +01:00
|
|
|
for (i = 0; i < vm->def->ninputs; i++) {
|
|
|
|
if (qemuSetupInputCgroup(vm, vm->def->inputs[i]) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2015-11-19 14:32:22 +01:00
|
|
|
}
|
|
|
|
|
2013-02-25 23:31:11 +01:00
|
|
|
for (i = 0; i < vm->def->nrngs; i++) {
|
2016-11-18 11:17:51 +01:00
|
|
|
if (qemuSetupRNGCgroup(vm, vm->def->rngs[i]) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2014-01-16 19:11:17 +05:30
|
|
|
}
|
|
|
|
|
2021-07-21 13:07:51 +02:00
|
|
|
if (vm->def->sec &&
|
|
|
|
vm->def->sec->sectype == VIR_DOMAIN_LAUNCH_SECURITY_SEV &&
|
|
|
|
qemuSetupSEVCgroup(vm) < 0)
|
2020-03-31 21:14:07 +05:30
|
|
|
return -1;
|
2019-01-21 14:50:11 +01:00
|
|
|
|
2020-03-31 21:14:07 +05:30
|
|
|
return 0;
|
2013-05-17 19:59:33 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2021-08-02 20:26:57 +02:00
|
|
|
static int
|
|
|
|
qemuSetupCgroupAppid(virDomainObj *vm)
|
|
|
|
{
|
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
|
|
|
int inode = -1;
|
|
|
|
const char *path = "/sys/class/fc/fc_udev_device/appid_store";
|
|
|
|
g_autofree char *appid = NULL;
|
|
|
|
virDomainResourceDef *resource = vm->def->resource;
|
|
|
|
|
|
|
|
if (!resource || !resource->appid)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
inode = virCgroupGetInode(priv->cgroup);
|
|
|
|
if (inode < 0)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
appid = g_strdup_printf("%X:%s", inode, resource->appid);
|
|
|
|
|
|
|
|
if (virFileWriteStr(path, appid, 0) < 0) {
|
|
|
|
virReportSystemError(errno,
|
|
|
|
_("Unable to write '%s' to '%s'"), appid, path);
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-07-18 11:29:27 +02:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupCgroup(virDomainObj *vm,
|
2015-01-16 11:25:50 +00:00
|
|
|
size_t nnicindexes,
|
|
|
|
int *nicindexes)
|
2010-12-16 16:10:54 +00:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2022-01-25 16:19:53 +00:00
|
|
|
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
|
2010-12-16 16:10:54 +00:00
|
|
|
|
2022-01-25 16:19:53 +00:00
|
|
|
if (virDomainCgroupSetupCgroup("qemu",
|
|
|
|
vm,
|
|
|
|
nnicindexes,
|
|
|
|
nicindexes,
|
|
|
|
&priv->cgroup,
|
|
|
|
cfg->cgroupControllers,
|
|
|
|
cfg->maxThreadsPerProc,
|
|
|
|
priv->driver->privileged,
|
|
|
|
priv->machineName) < 0)
|
2013-07-22 15:21:15 +01:00
|
|
|
|
2013-03-21 14:40:29 +00:00
|
|
|
return -1;
|
2010-12-16 16:10:54 +00:00
|
|
|
|
2013-03-21 14:40:29 +00:00
|
|
|
if (!priv->cgroup)
|
2013-05-24 17:08:27 +08:00
|
|
|
return 0;
|
2010-12-16 16:10:54 +00:00
|
|
|
|
2017-07-25 17:49:43 +02:00
|
|
|
if (qemuSetupDevicesCgroup(vm) < 0)
|
2019-11-12 17:46:27 -03:00
|
|
|
return -1;
|
2010-12-16 16:10:54 +00:00
|
|
|
|
2021-08-02 20:26:57 +02:00
|
|
|
if (qemuSetupCgroupAppid(vm) < 0)
|
|
|
|
return -1;
|
|
|
|
|
2019-11-12 17:46:27 -03:00
|
|
|
return 0;
|
2010-12-16 16:10:54 +00:00
|
|
|
}
|
|
|
|
|
2018-04-05 15:06:55 -04:00
|
|
|
int
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuSetupCgroupForExtDevices(virDomainObj *vm,
|
|
|
|
virQEMUDriver *driver)
|
2018-04-05 15:06:55 -04:00
|
|
|
{
|
2021-03-11 08:16:13 +01:00
|
|
|
qemuDomainObjPrivate *priv = vm->privateData;
|
2020-10-09 16:01:07 +02:00
|
|
|
g_autoptr(virCgroup) cgroup_temp = NULL;
|
2018-04-05 15:06:55 -04:00
|
|
|
|
|
|
|
if (!qemuExtDevicesHasDevice(vm->def) ||
|
|
|
|
priv->cgroup == NULL)
|
|
|
|
return 0; /* Not supported, so claim success */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If CPU cgroup controller is not initialized here, then we need
|
|
|
|
* neither period nor quota settings. And if CPUSET controller is
|
|
|
|
* not initialized either, then there's nothing to do anyway.
|
|
|
|
*/
|
|
|
|
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPU) &&
|
|
|
|
!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_CPUSET))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (virCgroupNewThread(priv->cgroup, VIR_CGROUP_THREAD_EMULATOR, 0,
|
|
|
|
false, &cgroup_temp) < 0)
|
2020-10-09 16:01:07 +02:00
|
|
|
return -1;
|
2018-04-05 15:06:55 -04:00
|
|
|
|
2020-10-09 16:01:07 +02:00
|
|
|
return qemuExtDevicesSetupCgroup(driver, vm, cgroup_temp);
|
2018-04-05 15:06:55 -04:00
|
|
|
}
|