mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-23 06:05:27 +00:00
audit: prepare qemu for listing vm in cgroup audits
* src/qemu/qemu_cgroup.h (struct qemuCgroupData): New helper type. (qemuSetupDiskPathAllow, qemuSetupChardevCgroup) (qemuTeardownDiskPathDeny): Drop unneeded prototypes. (qemuSetupDiskCgroup, qemuTeardownDiskCgroup): Adjust prototype. * src/qemu/qemu_cgroup.c (qemuSetupDiskPathAllow, qemuSetupChardevCgroup) (qemuTeardownDiskPathDeny): Mark static and use new type. (qemuSetupHostUsbDeviceCgroup): Use new type. (qemuSetupDiskCgroup): Alter signature. (qemuSetupCgroup): Adjust caller. * src/qemu/qemu_hotplug.c (qemuDomainAttachHostUsbDevice) (qemuDomainDetachPciDiskDevice, qemuDomainDetachSCSIDiskDevice): Likewise. * src/qemu/qemu_driver.c (qemudDomainAttachDevice) (qemuDomainUpdateDeviceFlags): Likewise.
This commit is contained in:
parent
061738764d
commit
b4d3434fc2
@ -54,18 +54,18 @@ int qemuCgroupControllerActive(struct qemud_driver *driver,
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int qemuSetupDiskPathAllow(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
|
||||
const char *path,
|
||||
size_t depth ATTRIBUTE_UNUSED,
|
||||
void *opaque)
|
||||
static int
|
||||
qemuSetupDiskPathAllow(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
|
||||
const char *path,
|
||||
size_t depth ATTRIBUTE_UNUSED,
|
||||
void *opaque)
|
||||
{
|
||||
virCgroupPtr cgroup = opaque;
|
||||
qemuCgroupData *data = opaque;
|
||||
int rc;
|
||||
|
||||
VIR_DEBUG("Process path %s for disk", path);
|
||||
/* XXX RO vs RW */
|
||||
rc = virCgroupAllowDevicePath(cgroup, path);
|
||||
rc = virCgroupAllowDevicePath(data->cgroup, path);
|
||||
if (rc < 0) {
|
||||
if (rc == -EACCES) { /* Get this for root squash NFS */
|
||||
VIR_DEBUG("Ignoring EACCES for %s", path);
|
||||
@ -81,28 +81,31 @@ int qemuSetupDiskPathAllow(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
|
||||
|
||||
|
||||
int qemuSetupDiskCgroup(struct qemud_driver *driver,
|
||||
virDomainObjPtr vm,
|
||||
virCgroupPtr cgroup,
|
||||
virDomainDiskDefPtr disk)
|
||||
{
|
||||
qemuCgroupData data = { vm, cgroup };
|
||||
return virDomainDiskDefForeachPath(disk,
|
||||
driver->allowDiskFormatProbing,
|
||||
true,
|
||||
qemuSetupDiskPathAllow,
|
||||
cgroup);
|
||||
&data);
|
||||
}
|
||||
|
||||
|
||||
int qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
|
||||
const char *path,
|
||||
size_t depth ATTRIBUTE_UNUSED,
|
||||
void *opaque)
|
||||
static int
|
||||
qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
|
||||
const char *path,
|
||||
size_t depth ATTRIBUTE_UNUSED,
|
||||
void *opaque)
|
||||
{
|
||||
virCgroupPtr cgroup = opaque;
|
||||
qemuCgroupData *data = opaque;
|
||||
int rc;
|
||||
|
||||
VIR_DEBUG("Process path %s for disk", path);
|
||||
/* XXX RO vs RW */
|
||||
rc = virCgroupDenyDevicePath(cgroup, path);
|
||||
rc = virCgroupDenyDevicePath(data->cgroup, path);
|
||||
if (rc < 0) {
|
||||
if (rc == -EACCES) { /* Get this for root squash NFS */
|
||||
VIR_DEBUG("Ignoring EACCES for %s", path);
|
||||
@ -118,22 +121,25 @@ int qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
|
||||
|
||||
|
||||
int qemuTeardownDiskCgroup(struct qemud_driver *driver,
|
||||
virDomainObjPtr vm,
|
||||
virCgroupPtr cgroup,
|
||||
virDomainDiskDefPtr disk)
|
||||
{
|
||||
qemuCgroupData data = { vm, cgroup };
|
||||
return virDomainDiskDefForeachPath(disk,
|
||||
driver->allowDiskFormatProbing,
|
||||
true,
|
||||
qemuTeardownDiskPathDeny,
|
||||
cgroup);
|
||||
&data);
|
||||
}
|
||||
|
||||
|
||||
int qemuSetupChardevCgroup(virDomainDefPtr def,
|
||||
virDomainChrDefPtr dev,
|
||||
void *opaque)
|
||||
static int
|
||||
qemuSetupChardevCgroup(virDomainDefPtr def,
|
||||
virDomainChrDefPtr dev,
|
||||
void *opaque)
|
||||
{
|
||||
virCgroupPtr cgroup = opaque;
|
||||
qemuCgroupData *data = opaque;
|
||||
int rc;
|
||||
|
||||
if (dev->source.type != VIR_DOMAIN_CHR_TYPE_DEV)
|
||||
@ -141,7 +147,7 @@ int qemuSetupChardevCgroup(virDomainDefPtr def,
|
||||
|
||||
|
||||
VIR_DEBUG("Process path '%s' for disk", dev->source.data.file.path);
|
||||
rc = virCgroupAllowDevicePath(cgroup, dev->source.data.file.path);
|
||||
rc = virCgroupAllowDevicePath(data->cgroup, dev->source.data.file.path);
|
||||
if (rc < 0) {
|
||||
virReportSystemError(-rc,
|
||||
_("Unable to allow device %s for %s"),
|
||||
@ -157,11 +163,11 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED,
|
||||
const char *path,
|
||||
void *opaque)
|
||||
{
|
||||
virCgroupPtr cgroup = opaque;
|
||||
qemuCgroupData *data = opaque;
|
||||
int rc;
|
||||
|
||||
VIR_DEBUG("Process path '%s' for USB device", path);
|
||||
rc = virCgroupAllowDevicePath(cgroup, path);
|
||||
rc = virCgroupAllowDevicePath(data->cgroup, path);
|
||||
if (rc < 0) {
|
||||
virReportSystemError(-rc,
|
||||
_("Unable to allow device %s"),
|
||||
@ -195,6 +201,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
|
||||
}
|
||||
|
||||
if (qemuCgroupControllerActive(driver, VIR_CGROUP_CONTROLLER_DEVICES)) {
|
||||
qemuCgroupData data = { vm, cgroup };
|
||||
rc = virCgroupDenyAllDevices(cgroup);
|
||||
if (rc != 0) {
|
||||
if (rc == -EPERM) {
|
||||
@ -208,7 +215,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
|
||||
}
|
||||
|
||||
for (i = 0; i < vm->def->ndisks ; i++) {
|
||||
if (qemuSetupDiskCgroup(driver, cgroup, vm->def->disks[i]) < 0)
|
||||
if (qemuSetupDiskCgroup(driver, vm, cgroup, vm->def->disks[i]) < 0)
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
@ -243,7 +250,7 @@ int qemuSetupCgroup(struct qemud_driver *driver,
|
||||
if (virDomainChrDefForeach(vm->def,
|
||||
true,
|
||||
qemuSetupChardevCgroup,
|
||||
cgroup) < 0)
|
||||
&data) < 0)
|
||||
goto cleanup;
|
||||
|
||||
for (i = 0; i < vm->def->nhostdevs; i++) {
|
||||
@ -259,7 +266,8 @@ int qemuSetupCgroup(struct qemud_driver *driver,
|
||||
hostdev->source.subsys.u.usb.device)) == NULL)
|
||||
goto cleanup;
|
||||
|
||||
if (usbDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup, cgroup) < 0 )
|
||||
if (usbDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup,
|
||||
&data) < 0)
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
|
@ -1,7 +1,7 @@
|
||||
/*
|
||||
* qemu_cgroup.h: QEMU cgroup management
|
||||
*
|
||||
* Copyright (C) 2006-2007, 2009-2010 Red Hat, Inc.
|
||||
* Copyright (C) 2006-2007, 2009-2011 Red Hat, Inc.
|
||||
* Copyright (C) 2006 Daniel P. Berrange
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
@ -28,25 +28,22 @@
|
||||
# include "domain_conf.h"
|
||||
# include "qemu_conf.h"
|
||||
|
||||
struct _qemuCgroupData {
|
||||
virDomainObjPtr vm;
|
||||
virCgroupPtr cgroup;
|
||||
};
|
||||
typedef struct _qemuCgroupData qemuCgroupData;
|
||||
|
||||
int qemuCgroupControllerActive(struct qemud_driver *driver,
|
||||
int controller);
|
||||
int qemuSetupDiskPathAllow(virDomainDiskDefPtr disk,
|
||||
const char *path,
|
||||
size_t depth,
|
||||
void *opaque);
|
||||
int qemuSetupDiskCgroup(struct qemud_driver *driver,
|
||||
virDomainObjPtr vm,
|
||||
virCgroupPtr cgroup,
|
||||
virDomainDiskDefPtr disk);
|
||||
int qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk,
|
||||
const char *path,
|
||||
size_t depth,
|
||||
void *opaque);
|
||||
int qemuTeardownDiskCgroup(struct qemud_driver *driver,
|
||||
virDomainObjPtr vm,
|
||||
virCgroupPtr cgroup,
|
||||
virDomainDiskDefPtr disk);
|
||||
int qemuSetupChardevCgroup(virDomainDefPtr def,
|
||||
virDomainChrDefPtr dev,
|
||||
void *opaque);
|
||||
int qemuSetupHostUsbDeviceCgroup(usbDevice *dev,
|
||||
const char *path,
|
||||
void *opaque);
|
||||
|
@ -3988,7 +3988,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
|
||||
vm->def->name);
|
||||
goto endjob;
|
||||
}
|
||||
if (qemuSetupDiskCgroup(driver, cgroup, dev->data.disk) < 0)
|
||||
if (qemuSetupDiskCgroup(driver, vm, cgroup, dev->data.disk) < 0)
|
||||
goto endjob;
|
||||
}
|
||||
|
||||
@ -4034,7 +4034,7 @@ static int qemudDomainAttachDevice(virDomainPtr dom,
|
||||
/* Fallthrough */
|
||||
}
|
||||
if (ret != 0 && cgroup) {
|
||||
if (qemuTeardownDiskCgroup(driver, cgroup, dev->data.disk) < 0)
|
||||
if (qemuTeardownDiskCgroup(driver, vm, cgroup, dev->data.disk) < 0)
|
||||
VIR_WARN("Failed to teardown cgroup for disk path %s",
|
||||
NULLSTR(dev->data.disk->src));
|
||||
}
|
||||
@ -4160,7 +4160,7 @@ static int qemuDomainUpdateDeviceFlags(virDomainPtr dom,
|
||||
vm->def->name);
|
||||
goto endjob;
|
||||
}
|
||||
if (qemuSetupDiskCgroup(driver, cgroup, dev->data.disk) < 0)
|
||||
if (qemuSetupDiskCgroup(driver, vm, cgroup, dev->data.disk) < 0)
|
||||
goto endjob;
|
||||
}
|
||||
|
||||
@ -4184,7 +4184,7 @@ static int qemuDomainUpdateDeviceFlags(virDomainPtr dom,
|
||||
}
|
||||
|
||||
if (ret != 0 && cgroup) {
|
||||
if (qemuTeardownDiskCgroup(driver, cgroup, dev->data.disk) < 0)
|
||||
if (qemuTeardownDiskCgroup(driver, vm, cgroup, dev->data.disk) < 0)
|
||||
VIR_WARN("Failed to teardown cgroup for disk path %s",
|
||||
NULLSTR(dev->data.disk->src));
|
||||
}
|
||||
|
@ -893,6 +893,7 @@ int qemuDomainAttachHostUsbDevice(struct qemud_driver *driver,
|
||||
if (qemuCgroupControllerActive(driver, VIR_CGROUP_CONTROLLER_DEVICES)) {
|
||||
virCgroupPtr cgroup = NULL;
|
||||
usbDevice *usb;
|
||||
qemuCgroupData data = { vm, cgroup };
|
||||
|
||||
if (virCgroupForDomain(driver->cgroup, vm->def->name, &cgroup, 0) !=0 ) {
|
||||
qemuReportError(VIR_ERR_INTERNAL_ERROR,
|
||||
@ -905,7 +906,7 @@ int qemuDomainAttachHostUsbDevice(struct qemud_driver *driver,
|
||||
hostdev->source.subsys.u.usb.device)) == NULL)
|
||||
goto error;
|
||||
|
||||
if (usbDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup, cgroup) < 0 )
|
||||
if (usbDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup, &data) < 0)
|
||||
goto error;
|
||||
}
|
||||
|
||||
@ -1206,7 +1207,7 @@ int qemuDomainDetachPciDiskDevice(struct qemud_driver *driver,
|
||||
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
|
||||
|
||||
if (cgroup != NULL) {
|
||||
if (qemuTeardownDiskCgroup(driver, cgroup, dev->data.disk) < 0)
|
||||
if (qemuTeardownDiskCgroup(driver, vm, cgroup, dev->data.disk) < 0)
|
||||
VIR_WARN("Failed to teardown cgroup for disk path %s",
|
||||
NULLSTR(dev->data.disk->src));
|
||||
}
|
||||
@ -1284,7 +1285,7 @@ int qemuDomainDetachSCSIDiskDevice(struct qemud_driver *driver,
|
||||
VIR_WARN("Unable to restore security label on %s", dev->data.disk->src);
|
||||
|
||||
if (cgroup != NULL) {
|
||||
if (qemuTeardownDiskCgroup(driver, cgroup, dev->data.disk) < 0)
|
||||
if (qemuTeardownDiskCgroup(driver, vm, cgroup, dev->data.disk) < 0)
|
||||
VIR_WARN("Failed to teardown cgroup for disk path %s",
|
||||
NULLSTR(dev->data.disk->src));
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user