On 7/21/22 12:31, Michal Privoznik wrote:
> We have qemuCgroupAllowDevicePath() which sets up devices
> controller for just one path. And if we have more paths we have
> to call it in a loop. So far, we have just one such place, but
> soon we'll have another one (for SGX memory). Separate the loop
> into its own function so that it can be reused.
> 
> And while at it, move setting the default set of devices as the
> first thing, right after all devices are disallowed.
> 
> Signed-off-by: Michal Privoznik <mpriv...@redhat.com>
> ---
>  src/qemu/qemu_cgroup.c | 51 +++++++++++++++++++++++++++++-------------
>  1 file changed, 36 insertions(+), 15 deletions(-)
> 
> diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
> index e012ba92c0..8339caeb53 100644
> --- a/src/qemu/qemu_cgroup.c
> +++ b/src/qemu/qemu_cgroup.c
> @@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm,
>  }
>  
>  
> +static int
> +qemuCgroupAllowDevicesPaths(virDomainObj *vm,
> +                            const char *const *deviceACL,
> +                            int perms,
> +                            bool ignoreEacces)
> +{
> +    size_t i;
> +
> +    for (i = 0; deviceACL[i] != NULL; i++) {
> +        int rv;
> +
> +        if (!virFileExists(deviceACL[i])) {
> +            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
> +            continue;
> +        }
> +
> +        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, 
> ignoreEacces);
> +        if (rv < 0 &&
> +            !virLastErrorIsSystemErrno(ENOENT))
> +            return -1;
> +    }
> +
> +    return 0;
> +}
> +
> +
>  static int
>  qemuCgroupDenyDevicePath(virDomainObj *vm,
>                           const char *path,
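Review bot: when qemuCgroupAllowDevicePath() fails with ENOENT and the loop continues, the reported error is left as the thread's last error, so a later caller that reports "last error" may surface a stale ENOENT; consider calling virResetLastError() in that branch before `continue`-ing. The `virFileExists()` pre-check and the ENOENT tolerance also overlap (a device that vanishes between the two calls is the only case the second one catches), so a short comment on the new function stating why both are kept would help, since the function currently has no documentation comment at all.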
> @@ -659,6 +685,10 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
>      if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES))
>          return 0;
>  
> +    deviceACL = cfg->cgroupDeviceACL ?
> +                (const char *const *)cfg->cgroupDeviceACL :
> +                defaultDeviceACL;
> +
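Review bot: this hunk is cut off right after the added `deviceACL = cfg->cgroupDeviceACL ? ... : defaultDeviceACL;` assignment, and no matching removal of the existing assignment or the "move default devices first" change the commit message describes is visible, so the second half of the patch cannot be reviewed as quoted. This matches the author's own follow-up that the hunk landed here by a conflict-resolution mistake; the resent version should carry the complete qemuSetupDevicesCgroup() hunk.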

Oops, this hunk does not belong here. I've screwed up conflict
resolution. Consider fixed locally.

Michal
