qemu: cgroup: Setup only the top level disk image for read-write access

Only the top level gets writes, so the rest of the backing chain requires only read-only access.
2025-04-01 20:05:19 +00:00 · 2014-06-20 14:05:05 +02:00 · 2014-06-20 14:05:05 +02:00 · 1ba14d6df2
commit 1ba14d6df2
parent aa53c77e1d
1 changed files with 20 additions and 6 deletions
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@ -49,10 +49,11 @@ static const char *const defaultDeviceACL[] = {
 #define DEVICE_PTY_MAJOR 136
 #define DEVICE_SND_MAJOR 116

-int
-qemuSetImageCgroup(virDomainObjPtr vm,
-                   virStorageSourcePtr src,
-                   bool deny)
+static int
+qemuSetImageCgroupInternal(virDomainObjPtr vm,
+                           virStorageSourcePtr src,
+                           bool deny,
+                           bool forceReadonly)
 {
    qemuDomainObjPrivatePtr priv = vm->privateData;
    int perms = VIR_CGROUP_DEVICE_READ;
@ -75,7 +76,7 @@ qemuSetImageCgroup(virDomainObjPtr vm,

        ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms);
    } else {
-        if (!src->readonly)
+        if (!src->readonly && !forceReadonly)
            perms |= VIR_CGROUP_DEVICE_WRITE;

        VIR_DEBUG("Allow path %s, perms: %s",
@ -102,15 +103,28 @@ qemuSetImageCgroup(virDomainObjPtr vm,
 }


+int
+qemuSetImageCgroup(virDomainObjPtr vm,
+                   virStorageSourcePtr src,
+                   bool deny)
+{
+    return qemuSetImageCgroupInternal(vm, src, deny, false);
+}
+
+
 int
 qemuSetupDiskCgroup(virDomainObjPtr vm,
                    virDomainDiskDefPtr disk)
 {
    virStorageSourcePtr next;
+    bool forceReadonly = false;

    for (next = disk->src; next; next = next->backingStore) {
-        if (qemuSetImageCgroup(vm, next, false) < 0)
+        if (qemuSetImageCgroupInternal(vm, next, false, forceReadonly) < 0)
            return -1;
+
+        /* setup only the top level image for read-write */
+        forceReadonly = true;
    }

    return 0;