qemu: only request sound cgroup ACL when required

When a SPICE or VNC graphics controller is present, and sound is piggybacked over a channel to the graphics device rather than directly accessing host hardware, then there is no need to grant host hardware access to that qemu process. * src/qemu/qemu_cgroup.c (qemuSetupCgroup): Prevent sound with spice, and with vnc when vnc_allow_host_audio is 0. Reported by Daniel Berrange.
2025-03-07 17:28:15 +00:00 · 2011-02-25 11:55:44 -07:00 · 2011-02-25 11:55:44 -07:00 · 7c6b22c4d5
commit 7c6b22c4d5
parent 3c37a171a2
1 changed files with 5 additions and 1 deletions
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@ -241,7 +241,11 @@ int qemuSetupCgroup(struct qemud_driver *driver,
            goto cleanup;
        }

-        if (vm->def->nsounds) {
+        if (vm->def->nsounds &&
+            (!vm->def->ngraphics ||
+             ((vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
+               driver->vncAllowHostAudio) ||
+              (vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL)))) {
            rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR);
            qemuDomainCgroupAudit(vm, cgroup, "allow", "major", "sound",
                                  rc == 0);