qemu_cgroup: Introduce qemuCgroupAllowDevicesPaths()

We have qemuCgroupAllowDevicePath() which sets up devices controller for just one path. And if we have more paths we have to call it in a loop. So far, we have just one such place, but soon we'll have another one (for SGX memory). Separate the loop into its own function so that it can be reused. And while at it, move setting the default set of devices as the first thing, right after all devices are disallowed. Signed-off-by: Michal Privoznik <mprivozn@redhat.com> Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
2024-10-03 12:55:45 +00:00 · 2022-07-21 11:06:26 +02:00 · 2022-07-21 11:06:26 +02:00 · f87dc1c49e
commit f87dc1c49e
parent 086bbbad09
1 changed files with 32 additions and 15 deletions
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm,
 }


+static int
+qemuCgroupAllowDevicesPaths(virDomainObj *vm,
+                            const char *const *deviceACL,
+                            int perms,
+                            bool ignoreEacces)
+{
+    size_t i;
+
+    for (i = 0; deviceACL[i] != NULL; i++) {
+        int rv;
+
+        if (!virFileExists(deviceACL[i])) {
+            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
+            continue;
+        }
+
+        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces);
+        if (rv < 0 &&
+            !virLastErrorIsSystemErrno(ENOENT))
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 qemuCgroupDenyDevicePath(virDomainObj *vm,
                         const char *path,
@ -671,6 +697,12 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
        return -1;
    }

+    if (!deviceACL)
+        deviceACL = defaultDeviceACL;
+
+    if (qemuCgroupAllowDevicesPaths(vm, deviceACL, VIR_CGROUP_DEVICE_RW, false) < 0)
+        return -1;
+
    if (qemuSetupFirmwareCgroup(vm) < 0)
        return -1;

@ -686,9 +718,6 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
    if (rv < 0)
        return -1;

-    if (!deviceACL)
-        deviceACL = defaultDeviceACL;
-
    if (vm->def->nsounds &&
        ((!vm->def->ngraphics && cfg->nogfxAllowHostAudio) ||
         (vm->def->graphics &&
@ -703,18 +732,6 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
            return -1;
    }

-    for (i = 0; deviceACL[i] != NULL; i++) {
-        if (!virFileExists(deviceACL[i])) {
-            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
-            continue;
-        }
-
-        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], VIR_CGROUP_DEVICE_RW, false);
-        if (rv < 0 &&
-            !virLastErrorIsSystemErrno(ENOENT))
-            return -1;
-    }
-
    if (virDomainChrDefForeach(vm->def,
                               true,
                               qemuSetupChardevCgroupCB,