qemu_cgroup: Introduce and use qemuCgroupAllowDevicePath()

In every caller, virCgroupAllowDevicePath() is immediately followed by
virDomainAuditCgroupPath(). Fold the pair into a single helper,
qemuCgroupAllowDevicePath(), and call that instead.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Michal Privoznik 2022-03-15 16:08:24 +01:00
parent bc51dac713
commit f0b3ae98c2


@ -54,6 +54,26 @@ const char *const defaultDeviceACL[] = {
#define DEVICE_SND_MAJOR 116 #define DEVICE_SND_MAJOR 116
static int
qemuCgroupAllowDevicePath(virDomainObj *vm,
const char *path,
int perms,
bool ignoreEacces)
{
qemuDomainObjPrivate *priv = vm->privateData;
int ret;
VIR_DEBUG("Allow path %s, perms: %s",
path, virCgroupGetDevicePermsString(perms));
ret = virCgroupAllowDevicePath(priv->cgroup, path, perms, ignoreEacces);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path,
virCgroupGetDevicePermsString(perms), ret);
return ret;
}
static int static int
qemuSetupImagePathCgroup(virDomainObj *vm, qemuSetupImagePathCgroup(virDomainObj *vm,
const char *path, const char *path,
@ -71,14 +91,7 @@ qemuSetupImagePathCgroup(virDomainObj *vm,
if (!readonly) if (!readonly)
perms |= VIR_CGROUP_DEVICE_WRITE; perms |= VIR_CGROUP_DEVICE_WRITE;
VIR_DEBUG("Allow path %s, perms: %s", rv = qemuCgroupAllowDevicePath(vm, path, perms, true);
path, virCgroupGetDevicePermsString(perms));
rv = virCgroupAllowDevicePath(priv->cgroup, path, perms, true);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path,
virCgroupGetDevicePermsString(perms),
rv);
if (rv < 0) if (rv < 0)
return -1; return -1;
@ -96,12 +109,7 @@ qemuSetupImagePathCgroup(virDomainObj *vm,
} }
for (n = targetPaths; n; n = n->next) { for (n = targetPaths; n; n = n->next) {
rv = virCgroupAllowDevicePath(priv->cgroup, n->data, perms, false); if (qemuCgroupAllowDevicePath(vm, n->data, perms, false) < 0)
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", n->data,
virCgroupGetDevicePermsString(perms),
rv);
if (rv < 0)
return -1; return -1;
} }
@ -278,7 +286,6 @@ qemuSetupChrSourceCgroup(virDomainObj *vm,
virDomainChrSourceDef *source) virDomainChrSourceDef *source)
{ {
qemuDomainObjPrivate *priv = vm->privateData; qemuDomainObjPrivate *priv = vm->privateData;
int ret;
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0; return 0;
@ -288,12 +295,8 @@ qemuSetupChrSourceCgroup(virDomainObj *vm,
VIR_DEBUG("Process path '%s' for device", source->data.file.path); VIR_DEBUG("Process path '%s' for device", source->data.file.path);
ret = virCgroupAllowDevicePath(priv->cgroup, source->data.file.path, return qemuCgroupAllowDevicePath(vm, source->data.file.path,
VIR_CGROUP_DEVICE_RW, false); VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
source->data.file.path, "rw", ret);
return ret;
} }
@ -361,10 +364,8 @@ qemuSetupInputCgroup(virDomainObj *vm,
switch (dev->type) { switch (dev->type) {
case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH: case VIR_DOMAIN_INPUT_TYPE_PASSTHROUGH:
case VIR_DOMAIN_INPUT_TYPE_EVDEV: case VIR_DOMAIN_INPUT_TYPE_EVDEV:
VIR_DEBUG("Process path '%s' for input device", dev->source.evdev); return qemuCgroupAllowDevicePath(vm, dev->source.evdev,
ret = virCgroupAllowDevicePath(priv->cgroup, dev->source.evdev, VIR_CGROUP_DEVICE_RW, false);
VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", dev->source.evdev, "rw", ret);
break; break;
} }
@ -413,7 +414,6 @@ qemuSetupHostdevCgroup(virDomainObj *vm,
qemuDomainObjPrivate *priv = vm->privateData; qemuDomainObjPrivate *priv = vm->privateData;
g_autofree char *path = NULL; g_autofree char *path = NULL;
int perms; int perms;
int rv;
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0; return 0;
@ -421,24 +421,15 @@ qemuSetupHostdevCgroup(virDomainObj *vm,
if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0) if (qemuDomainGetHostdevPath(dev, &path, &perms) < 0)
return -1; return -1;
if (path) { if (path &&
VIR_DEBUG("Cgroup allow %s perms=%d", path, perms); qemuCgroupAllowDevicePath(vm, path, perms, false) < 0) {
rv = virCgroupAllowDevicePath(priv->cgroup, path, perms, false); return -1;
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path,
virCgroupGetDevicePermsString(perms),
rv);
if (rv < 0)
return -1;
} }
if (qemuHostdevNeedsVFIO(dev)) { if (qemuHostdevNeedsVFIO(dev) &&
VIR_DEBUG("Cgroup allow %s perms=%d", QEMU_DEV_VFIO, VIR_CGROUP_DEVICE_RW); qemuCgroupAllowDevicePath(vm, QEMU_DEV_VFIO,
rv = virCgroupAllowDevicePath(priv->cgroup, QEMU_DEV_VFIO, VIR_CGROUP_DEVICE_RW, false) < 0) {
VIR_CGROUP_DEVICE_RW, false); return -1;
virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
QEMU_DEV_VFIO, "rw", rv);
if (rv < 0)
return -1;
} }
return 0; return 0;
@ -510,7 +501,6 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
virDomainMemoryDef *mem) virDomainMemoryDef *mem)
{ {
qemuDomainObjPrivate *priv = vm->privateData; qemuDomainObjPrivate *priv = vm->privateData;
int rv;
if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM && if (mem->model != VIR_DOMAIN_MEMORY_MODEL_NVDIMM &&
mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM) mem->model != VIR_DOMAIN_MEMORY_MODEL_VIRTIO_PMEM)
@ -519,13 +509,8 @@ qemuSetupMemoryDevicesCgroup(virDomainObj *vm,
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0; return 0;
VIR_DEBUG("Setting devices Cgroup for NVDIMM device: %s", mem->nvdimmPath); return qemuCgroupAllowDevicePath(vm, mem->nvdimmPath,
rv = virCgroupAllowDevicePath(priv->cgroup, mem->nvdimmPath, VIR_CGROUP_DEVICE_RW, false);
VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
mem->nvdimmPath, "rw", rv);
return rv;
} }
@ -557,17 +542,12 @@ qemuSetupGraphicsCgroup(virDomainObj *vm,
{ {
qemuDomainObjPrivate *priv = vm->privateData; qemuDomainObjPrivate *priv = vm->privateData;
const char *rendernode = virDomainGraphicsGetRenderNode(gfx); const char *rendernode = virDomainGraphicsGetRenderNode(gfx);
int ret;
if (!rendernode || if (!rendernode ||
!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0; return 0;
ret = virCgroupAllowDevicePath(priv->cgroup, rendernode, return qemuCgroupAllowDevicePath(vm, rendernode, VIR_CGROUP_DEVICE_RW, false);
VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", rendernode,
"rw", ret);
return ret;
} }
@ -577,7 +557,6 @@ qemuSetupVideoCgroup(virDomainObj *vm,
{ {
qemuDomainObjPrivate *priv = vm->privateData; qemuDomainObjPrivate *priv = vm->privateData;
virDomainVideoAccelDef *accel = def->accel; virDomainVideoAccelDef *accel = def->accel;
int ret;
if (!accel) if (!accel)
return 0; return 0;
@ -586,11 +565,8 @@ qemuSetupVideoCgroup(virDomainObj *vm,
!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) !virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0; return 0;
ret = virCgroupAllowDevicePath(priv->cgroup, accel->rendernode, return qemuCgroupAllowDevicePath(vm, accel->rendernode,
VIR_CGROUP_DEVICE_RW, false); VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", accel->rendernode,
"rw", ret);
return ret;
} }
static int static int
@ -617,21 +593,14 @@ qemuSetupRNGCgroup(virDomainObj *vm,
virDomainRNGDef *rng) virDomainRNGDef *rng)
{ {
qemuDomainObjPrivate *priv = vm->privateData; qemuDomainObjPrivate *priv = vm->privateData;
int rv;
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0; return 0;
if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM) { if (rng->backend == VIR_DOMAIN_RNG_BACKEND_RANDOM &&
VIR_DEBUG("Setting Cgroup ACL for RNG device"); qemuCgroupAllowDevicePath(vm, rng->source.file,
rv = virCgroupAllowDevicePath(priv->cgroup, VIR_CGROUP_DEVICE_RW, false) < 0) {
rng->source.file, return -1;
VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
rng->source.file,
"rw", rv);
if (rv < 0)
return -1;
} }
return 0; return 0;
@ -684,16 +653,12 @@ static int
qemuSetupSEVCgroup(virDomainObj *vm) qemuSetupSEVCgroup(virDomainObj *vm)
{ {
qemuDomainObjPrivate *priv = vm->privateData; qemuDomainObjPrivate *priv = vm->privateData;
int ret;
if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
return 0; return 0;
ret = virCgroupAllowDevicePath(priv->cgroup, "/dev/sev", return qemuCgroupAllowDevicePath(vm, "/dev/sev",
VIR_CGROUP_DEVICE_RW, false); VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", "/dev/sev",
"rw", ret);
return ret;
} }
static int static int
@ -759,9 +724,7 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
continue; continue;
} }
rv = virCgroupAllowDevicePath(priv->cgroup, deviceACL[i], rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], VIR_CGROUP_DEVICE_RW, false);
VIR_CGROUP_DEVICE_RW, false);
virDomainAuditCgroupPath(vm, priv->cgroup, "allow", deviceACL[i], "rw", rv);
if (rv < 0 && if (rv < 0 &&
!virLastErrorIsSystemErrno(ENOENT)) !virLastErrorIsSystemErrno(ENOENT))
return -1; return -1;
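Review bot: The new qemuCgroupAllowDevicePath() helper has no comment explaining its contract, and the one thing a reader needs to know is what the audit entry reflects when ignoreEacces is true — the audit call records the helper's own return value, so an EACCES that virCgroupAllowDevicePath() presumably swallows in that mode is logged as a successful "allow" even though no cgroup rule may have been added. I would add above the definition: `/* Allow @path with @perms in @vm's devices cgroup and audit the result. The audit entry mirrors the return value, so with @ignoreEacces set an EACCES that is ignored by virCgroupAllowDevicePath() is audited as a successful allow — confirm against virCgroupAllowDevicePath(). */` and, in qemuSetupImagePathCgroup, a one-line why-comment on the `true` argument noting which callers rely on this. Separately, in the qemuSetupInputCgroup hunk the `break;` that now follows `return qemuCgroupAllowDevicePath(...)` is unreachable and can be dropped; that function's body starts and ends outside the hunk.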