Add functions that allow setting up all the required cgroup configuration
on individual images, taking a virStorageSourcePtr. Also convert the functions
designed to set up the whole backing chain to take advantage of the change.
---
 src/qemu/qemu_cgroup.c | 103 ++++++++++++++++++++++++-------------------------
 src/qemu/qemu_cgroup.h |   3 ++
 2 files changed, 54 insertions(+), 52 deletions(-)

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 3394c68..c84a251 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -49,30 +49,55 @@ static const char *const defaultDeviceACL[] = {
 #define DEVICE_PTY_MAJOR 136
 #define DEVICE_SND_MAJOR 116

-static int
-qemuSetupDiskPathAllow(virDomainDiskDefPtr disk,
-                       const char *path,
-                       size_t depth ATTRIBUTE_UNUSED,
-                       void *opaque)
+int
+qemuSetImageCgroup(virDomainObjPtr vm,
+                   virStorageSourcePtr src,
+                   bool deny)
 {
-    virDomainObjPtr vm = opaque;
     qemuDomainObjPrivatePtr priv = vm->privateData;
+    int perms = VIR_CGROUP_DEVICE_READ;
     int ret;

-    VIR_DEBUG("Process path %s for disk", path);
-    ret = virCgroupAllowDevicePath(priv->cgroup, path,
-                                   (disk->src->readonly ? 
VIR_CGROUP_DEVICE_READ
-                                    : VIR_CGROUP_DEVICE_RW));
-    virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path,
-                             disk->src->readonly ? "r" : "rw", ret == 0);
+    if (!virCgroupHasController(priv->cgroup,
+                                VIR_CGROUP_CONTROLLER_DEVICES))
+        return 0;
+
+    if (!src->path || !virStorageSourceIsLocalStorage(src)) {
+        VIR_DEBUG("Not updating cgroups for disk path '%s', type: %s",
+                  NULLSTR(src->path), virStorageTypeToString(src->type));
+        return 0;
+    }
+
+    if (deny) {
+        perms |= VIR_CGROUP_DEVICE_WRITE | VIR_CGROUP_DEVICE_MKNOD;
+
+        VIR_DEBUG("Deny path %s", src->path);
+
+        ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms);
+    } else {
+        if (!src->readonly)
+            perms |= VIR_CGROUP_DEVICE_WRITE;
+
+        VIR_DEBUG("Allow path %s, perms: %s",
+                  src->path, virCgroupGetDevicePermsString(perms));
+
+        ret = virCgroupAllowDevicePath(priv->cgroup, src->path, perms);
+    }
+
+    virDomainAuditCgroupPath(vm, priv->cgroup,
+                             deny ? "deny" : "allow",
+                             src->path,
+                             virCgroupGetDevicePermsString(perms),
+                             ret == 0);

     /* Get this for root squash NFS */
     if (ret < 0 &&
         virLastErrorIsSystemErrno(EACCES)) {
-        VIR_DEBUG("Ignoring EACCES for %s", path);
+        VIR_DEBUG("Ignoring EACCES for %s", src->path);
         virResetLastError();
         ret = 0;
     }
+
     return ret;
 }

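Review bot: qemuSetImageCgroup is exported here without a comment stating its contract, and a return of 0 covers three different outcomes: the rule was applied, nothing was done (no devices controller, a NULL `src->path`, or a non-local source), or the call failed with EACCES and the error was reset. On the `deny` path this means a caller cannot tell a revoked device from one that was never touched. The audit record is also written with `ret == 0` before the EACCES case is reset, so the audit log can show a failure for a call that then returns success. I would add a header comment above the function that explains `deny`, lists the silent no-op cases and the ignored EACCES, and says that callers should test only for `< 0`, as the two callers in this patch do.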
@@ -81,39 +106,14 @@ int
 qemuSetupDiskCgroup(virDomainObjPtr vm,
                     virDomainDiskDefPtr disk)
 {
-    qemuDomainObjPrivatePtr priv = vm->privateData;
-
-    if (!virCgroupHasController(priv->cgroup,
-                                VIR_CGROUP_CONTROLLER_DEVICES))
-        return 0;
-
-    return virDomainDiskDefForeachPath(disk, true, qemuSetupDiskPathAllow, vm);
-}
+    virStorageSourcePtr next;

-
-static int
-qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
-                         const char *path,
-                         size_t depth ATTRIBUTE_UNUSED,
-                         void *opaque)
-{
-    virDomainObjPtr vm = opaque;
-    qemuDomainObjPrivatePtr priv = vm->privateData;
-    int ret;
-
-    VIR_DEBUG("Process path %s for disk", path);
-    ret = virCgroupDenyDevicePath(priv->cgroup, path,
-                                  VIR_CGROUP_DEVICE_RWM);
-    virDomainAuditCgroupPath(vm, priv->cgroup, "deny", path, "rwm", ret == 0);
-
-    /* Get this for root squash NFS */
-    if (ret < 0 &&
-        virLastErrorIsSystemErrno(EACCES)) {
-        VIR_DEBUG("Ignoring EACCES for %s", path);
-        virResetLastError();
-        ret = 0;
+    for (next = disk->src; next; next = next->backingStore) {
+        if (qemuSetImageCgroup(vm, next, false) < 0)
+            return -1;
     }
-    return ret;
+
+    return 0;
 }


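Review bot: The new loop in qemuSetupDiskCgroup lets each chain element's own `readonly` flag choose the permissions (`if (!src->readonly)` in qemuSetImageCgroup), whereas the removed qemuSetupDiskPathAllow applied `disk->src->readonly` to every path in the chain. Whether backing-store entries have `readonly` populated is not visible in this diff. If they default to false, the backing files of a read-only disk would now be allowed "rw" where they previously got "r", which widens the device whitelist. Please confirm how `readonly` is set on `next->backingStore` elements and record the decision next to the loop, for example `/* perms follow next->readonly, not disk->src->readonly */`.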
@@ -121,18 +121,17 @@ int
 qemuTeardownDiskCgroup(virDomainObjPtr vm,
                        virDomainDiskDefPtr disk)
 {
-    qemuDomainObjPrivatePtr priv = vm->privateData;
+    virStorageSourcePtr next;

-    if (!virCgroupHasController(priv->cgroup,
-                                VIR_CGROUP_CONTROLLER_DEVICES))
-        return 0;
+    for (next = disk->src; next; next = next->backingStore) {
+        if (qemuSetImageCgroup(vm, next, true) < 0)
+            return -1;
+    }

-    return virDomainDiskDefForeachPath(disk,
-                                       true,
-                                       qemuTeardownDiskPathDeny,
-                                       vm);
+    return 0;
 }

+
 static int
 qemuSetupChrSourceCgroup(virDomainDefPtr def ATTRIBUTE_UNUSED,
                          virDomainChrSourceDefPtr dev,
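Review bot: In qemuTeardownDiskCgroup the `return -1` inside the loop stops at the first image whose deny fails, so the remaining backing-chain images keep their allow rules in the devices cgroup. For a teardown path it is safer to attempt every element and report the failure afterwards: declare `int ret = 0;`, replace the early return with `ret = -1;`, and end with `return ret;`. The error left set would then be the one from the last failing element, which seems acceptable here, but that depends on what the callers do with it and they are outside this hunk.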
diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h
index 14404d1..732860e 100644
--- a/src/qemu/qemu_cgroup.h
+++ b/src/qemu/qemu_cgroup.h
@@ -29,6 +29,9 @@
 # include "domain_conf.h"
 # include "qemu_conf.h"

+int qemuSetImageCgroup(virDomainObjPtr vm,
+                       virStorageSourcePtr src,
+                       bool deny);
 int qemuSetupDiskCgroup(virDomainObjPtr vm,
                         virDomainDiskDefPtr disk);
 int qemuTeardownDiskCgroup(virDomainObjPtr vm,
-- 
1.9.3
