qemu_cgroup: Allow /dev/mapper/control for PR

Just like in previous commit, qemu-pr-helper might want to open /dev/mapper/control under certain circumstances. Therefore we have to allow it in cgroups. The change virdevmapper.c might look spurious but it isn't. After 6dd84f6850 any path that we're allowing in deivces CGroup is subject to virDevMapperGetTargets() inspection. And libdevmapper returns ENXIO for the path from subject. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
2025-01-10 23:07:44 +00:00 · 2018-04-10 08:00:59 +02:00 · 2018-04-10 08:00:59 +02:00 · d13179fe8d
commit d13179fe8d
parent 5bf89434ff
2 changed files with 36 additions and 4 deletions
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@ -114,6 +114,8 @@ qemuSetupImagePathCgroup(virDomainObjPtr vm,
 }


+#define DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
+
 static int
 qemuSetupImageCgroupInternal(virDomainObjPtr vm,
                             virStorageSourcePtr src,
@ -125,6 +127,10 @@ qemuSetupImageCgroupInternal(virDomainObjPtr vm,
        return 0;
    }

+    if (virStoragePRDefIsManaged(src->pr) &&
+        qemuSetupImagePathCgroup(vm, DEVICE_MAPPER_CONTROL_PATH, false) < 0)
+        return -1;
+
    return qemuSetupImagePathCgroup(vm, src->path, src->readonly || forceReadonly);
 }

@ -142,9 +148,8 @@ qemuTeardownImageCgroup(virDomainObjPtr vm,
                        virStorageSourcePtr src)
 {
    qemuDomainObjPrivatePtr priv = vm->privateData;
-    int perms = VIR_CGROUP_DEVICE_READ |
-                VIR_CGROUP_DEVICE_WRITE |
-                VIR_CGROUP_DEVICE_MKNOD;
+    int perms = VIR_CGROUP_DEVICE_RWM;
+    size_t i;
    int ret;

    if (!virCgroupHasController(priv->cgroup,
@ -157,6 +162,28 @@ qemuTeardownImageCgroup(virDomainObjPtr vm,
        return 0;
    }

+    for (i = 0; i < vm->def->ndisks; i++) {
+        virStorageSourcePtr diskSrc = vm->def->disks[i]->src;
+
+        if (src == diskSrc)
+            continue;
+
+        if (virStoragePRDefIsManaged(diskSrc->pr))
+            break;
+    }
+
+    if (i == vm->def->ndisks) {
+        VIR_DEBUG("Disabling device mapper control");
+        ret = virCgroupDenyDevicePath(priv->cgroup,
+                                      DEVICE_MAPPER_CONTROL_PATH, perms, true);
+        virDomainAuditCgroupPath(vm, priv->cgroup, "deny",
+                                 DEVICE_MAPPER_CONTROL_PATH,
+                                 virCgroupGetDevicePermsString(perms), ret);
+        if (ret < 0)
+            return ret;
+    }
+
+
    VIR_DEBUG("Deny path %s", src->path);

    ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms, true);
--- a/src/util/virdevmapper.c
+++ b/src/util/virdevmapper.c
@ -101,8 +101,13 @@ virDevMapperGetTargetsImpl(const char *path,

    dm_task_no_open_count(dmt);

-    if (!dm_task_run(dmt))
+    if (!dm_task_run(dmt)) {
+        if (errno == ENXIO) {
+            /* If @path = "/dev/mapper/control" ENXIO is returned. */
+            ret = 0;
+        }
        goto cleanup;
+    }

    if (!dm_task_get_info(dmt, &info))
        goto cleanup;