From 43695c7877a99d12bab96ec17c7d7de250ffc39a Mon Sep 17 00:00:00 2001
Message-Id: <43695c7877a99d12bab96ec17c7d7de250ffc39a@dist-git>
From: Pavel Hrdina <phrdina@redhat.com>
Date: Mon, 1 Jul 2019 17:06:54 +0200
Subject: [PATCH] vircgroup: extract virCgroupV1(Allow|Deny)Device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 8cbb0c76ba24878229830c8d53b365cf4dc1b54d)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1689297
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Message-Id: <9a4073085dbeb674b24544aa253960bb2b1b53dc.1561993100.git.phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
src/util/vircgroup.c | 68 +++++++-----------------------------
src/util/vircgroupbackend.h | 17 +++++++++
src/util/vircgroupv1.c | 69 +++++++++++++++++++++++++++++++++++++
3 files changed, 98 insertions(+), 56 deletions(-)
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
|
|
|
c480ed |
index 088e97cb3f..a30fc6241d 100644
|
|
|
c480ed |
--- a/src/util/vircgroup.c
|
|
|
c480ed |
+++ b/src/util/vircgroup.c
|
|
|
c480ed |
@@ -1875,29 +1875,7 @@ int
|
|
|
c480ed |
virCgroupAllowDevice(virCgroupPtr group, char type, int major, int minor,
|
|
|
c480ed |
int perms)
|
|
|
c480ed |
{
|
|
|
c480ed |
- VIR_AUTOFREE(char *) devstr = NULL;
|
|
|
c480ed |
- VIR_AUTOFREE(char *) majorstr = NULL;
|
|
|
c480ed |
- VIR_AUTOFREE(char *) minorstr = NULL;
|
|
|
c480ed |
-
|
|
|
c480ed |
- if ((major < 0 && VIR_STRDUP(majorstr, "*") < 0) ||
|
|
|
c480ed |
- (major >= 0 && virAsprintf(&majorstr, "%i", major) < 0))
|
|
|
c480ed |
- return -1;
|
|
|
c480ed |
-
|
|
|
c480ed |
- if ((minor < 0 && VIR_STRDUP(minorstr, "*") < 0) ||
|
|
|
c480ed |
- (minor >= 0 && virAsprintf(&minorstr, "%i", minor) < 0))
|
|
|
c480ed |
- return -1;
|
|
|
c480ed |
-
|
|
|
c480ed |
- if (virAsprintf(&devstr, "%c %s:%s %s", type, majorstr, minorstr,
|
|
|
c480ed |
- virCgroupGetDevicePermsString(perms)) < 0)
|
|
|
c480ed |
- return -1;
|
|
|
c480ed |
-
|
|
|
c480ed |
- if (virCgroupSetValueStr(group,
|
|
|
c480ed |
- VIR_CGROUP_CONTROLLER_DEVICES,
|
|
|
c480ed |
- "devices.allow",
|
|
|
c480ed |
- devstr) < 0)
|
|
|
c480ed |
- return -1;
|
|
|
c480ed |
-
|
|
|
c480ed |
- return 0;
|
|
|
c480ed |
+ VIR_CGROUP_BACKEND_CALL(group, allowDevice, -1, type, major, minor, perms);
|
|
|
c480ed |
}
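Review bot: virCgroupAllowDevice now hands `type` straight to the backend without checking it, so a caller passing anything other than the device-class characters the backends understand is only rejected, if at all, after the backend has already built and written its rule string; a guard in this front-end wrapper would cover every backend at once, e.g. `if (type != 'a' && type != 'b' && type != 'c') return -1;` placed before the VIR_CGROUP_BACKEND_CALL line and reported through the file's usual error-reporting call. The callers visible in this patch pass only 'c' or 'b', so this is hardening rather than a live defect. The function's leading doc comment starts above the hunk and was not visible here.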
|
|
|
c480ed |
|
|
|
c480ed |
|
|
|
c480ed |
@@ -1936,11 +1914,11 @@ virCgroupAllowDevicePath(virCgroupPtr group,
|
|
|
c480ed |
if (!S_ISCHR(sb.st_mode) && !S_ISBLK(sb.st_mode))
|
|
|
c480ed |
return 1;
|
|
|
c480ed |
|
|
|
c480ed |
- return virCgroupAllowDevice(group,
|
|
|
c480ed |
- S_ISCHR(sb.st_mode) ? 'c' : 'b',
|
|
|
c480ed |
- major(sb.st_rdev),
|
|
|
c480ed |
- minor(sb.st_rdev),
|
|
|
c480ed |
- perms);
|
|
|
c480ed |
+ VIR_CGROUP_BACKEND_CALL(group, allowDevice, -1,
|
|
|
c480ed |
+ S_ISCHR(sb.st_mode) ? 'c' : 'b',
|
|
|
c480ed |
+ major(sb.st_rdev),
|
|
|
c480ed |
+ minor(sb.st_rdev),
|
|
|
c480ed |
+ perms);
|
|
|
c480ed |
}
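Review bot: `major(sb.st_rdev)` and `minor(sb.st_rdev)` yield unsigned values, but the `allowDevice` callback added to vircgroupbackend.h in this patch takes them as `int`, and the v1 implementation in the same patch turns any negative value into the `*` wildcard. A device number that did not fit in `int` would therefore be silently rewritten as a wildcard on the allow side, widening the grant instead of failing. On Linux the kernel encodes major and minor in 12 and 20 bits, so this cannot occur there in practice, but the assumption deserves a comment or an explicit range check before the dispatch, e.g. `/* major()/minor() fit in int on Linux (12/20-bit fields); a negative value would become the "*" wildcard in the v1 backend */`. virCgroupAllowDevicePath begins above the hunk, so the stat() that fills `sb` was not visible here.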
|
|
|
c480ed |
|
|
|
c480ed |
|
|
|
c480ed |
@@ -1959,29 +1937,7 @@ int
|
|
|
c480ed |
virCgroupDenyDevice(virCgroupPtr group, char type, int major, int minor,
|
|
|
c480ed |
int perms)
|
|
|
c480ed |
{
|
|
|
c480ed |
- VIR_AUTOFREE(char *) devstr = NULL;
|
|
|
c480ed |
- VIR_AUTOFREE(char *) majorstr = NULL;
|
|
|
c480ed |
- VIR_AUTOFREE(char *) minorstr = NULL;
|
|
|
c480ed |
-
|
|
|
c480ed |
- if ((major < 0 && VIR_STRDUP(majorstr, "*") < 0) ||
|
|
|
c480ed |
- (major >= 0 && virAsprintf(&majorstr, "%i", major) < 0))
|
|
|
c480ed |
- return -1;
|
|
|
c480ed |
-
|
|
|
c480ed |
- if ((minor < 0 && VIR_STRDUP(minorstr, "*") < 0) ||
|
|
|
c480ed |
- (minor >= 0 && virAsprintf(&minorstr, "%i", minor) < 0))
|
|
|
c480ed |
- return -1;
|
|
|
c480ed |
-
|
|
|
c480ed |
- if (virAsprintf(&devstr, "%c %s:%s %s", type, majorstr, minorstr,
|
|
|
c480ed |
- virCgroupGetDevicePermsString(perms)) < 0)
|
|
|
c480ed |
- return -1;
|
|
|
c480ed |
-
|
|
|
c480ed |
- if (virCgroupSetValueStr(group,
|
|
|
c480ed |
- VIR_CGROUP_CONTROLLER_DEVICES,
|
|
|
c480ed |
- "devices.deny",
|
|
|
c480ed |
- devstr) < 0)
|
|
|
c480ed |
- return -1;
|
|
|
c480ed |
-
|
|
|
c480ed |
- return 0;
|
|
|
c480ed |
+ VIR_CGROUP_BACKEND_CALL(group, denyDevice, -1, type, major, minor, perms);
|
|
|
c480ed |
}
|
|
|
c480ed |
|
|
|
c480ed |
|
|
|
c480ed |
@@ -2020,11 +1976,11 @@ virCgroupDenyDevicePath(virCgroupPtr group,
|
|
|
c480ed |
if (!S_ISCHR(sb.st_mode) && !S_ISBLK(sb.st_mode))
|
|
|
c480ed |
return 1;
|
|
|
c480ed |
|
|
|
c480ed |
- return virCgroupDenyDevice(group,
|
|
|
c480ed |
- S_ISCHR(sb.st_mode) ? 'c' : 'b',
|
|
|
c480ed |
- major(sb.st_rdev),
|
|
|
c480ed |
- minor(sb.st_rdev),
|
|
|
c480ed |
- perms);
|
|
|
c480ed |
+ VIR_CGROUP_BACKEND_CALL(group, denyDevice, -1,
|
|
|
c480ed |
+ S_ISCHR(sb.st_mode) ? 'c' : 'b',
|
|
|
c480ed |
+ major(sb.st_rdev),
|
|
|
c480ed |
+ minor(sb.st_rdev),
|
|
|
c480ed |
+ perms);
|
|
|
c480ed |
}
|
|
|
c480ed |
|
|
|
c480ed |
|
|
|
c480ed |
diff --git a/src/util/vircgroupbackend.h b/src/util/vircgroupbackend.h
|
|
|
c480ed |
index 27e6b18ea2..04897b5895 100644
|
|
|
c480ed |
--- a/src/util/vircgroupbackend.h
|
|
|
c480ed |
+++ b/src/util/vircgroupbackend.h
|
|
|
c480ed |
@@ -255,6 +255,20 @@ typedef int
|
|
|
c480ed |
(*virCgroupGetMemSwapUsageCB)(virCgroupPtr group,
|
|
|
c480ed |
unsigned long long *kb);
|
|
|
c480ed |
|
|
|
c480ed |
+typedef int
|
|
|
c480ed |
+(*virCgroupAllowDeviceCB)(virCgroupPtr group,
|
|
|
c480ed |
+ char type,
|
|
|
c480ed |
+ int major,
|
|
|
c480ed |
+ int minor,
|
|
|
c480ed |
+ int perms);
|
|
|
c480ed |
+
|
|
|
c480ed |
+typedef int
|
|
|
c480ed |
+(*virCgroupDenyDeviceCB)(virCgroupPtr group,
|
|
|
c480ed |
+ char type,
|
|
|
c480ed |
+ int major,
|
|
|
c480ed |
+ int minor,
|
|
|
c480ed |
+ int perms);
|
|
|
c480ed |
+
|
|
|
c480ed |
struct _virCgroupBackend {
|
|
|
c480ed |
virCgroupBackendType type;
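Review bot: The two new callback typedefs carry no comment stating their contract, and since the v1 implementation is currently the only reference for what a backend must do, that contract is easy to lose once a second backend is added. From the v1 code in this patch: a negative `major` or `minor` selects every number of that kind (written as `*`), `type` is the device-class character that opens the rule ('c' or 'b' in the callers visible here), and `perms` is passed through virCgroupGetDevicePermsString. The neighbouring typedefs in this header are uncommented too, so a single line above each would fit the file's style, e.g. `/* type is the device class char; negative major/minor match any number; perms is the mask virCgroupGetDevicePermsString renders */`.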
|
|
|
c480ed |
|
|
|
c480ed |
@@ -304,6 +318,9 @@ struct _virCgroupBackend {
|
|
|
c480ed |
virCgroupSetMemSwapHardLimitCB setMemSwapHardLimit;
|
|
|
c480ed |
virCgroupGetMemSwapHardLimitCB getMemSwapHardLimit;
|
|
|
c480ed |
virCgroupGetMemSwapUsageCB getMemSwapUsage;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ virCgroupAllowDeviceCB allowDevice;
|
|
|
c480ed |
+ virCgroupDenyDeviceCB denyDevice;
|
|
|
c480ed |
};
|
|
|
c480ed |
typedef struct _virCgroupBackend virCgroupBackend;
|
|
|
c480ed |
typedef virCgroupBackend *virCgroupBackendPtr;
|
|
|
c480ed |
diff --git a/src/util/vircgroupv1.c b/src/util/vircgroupv1.c
|
|
|
c480ed |
index 55b1d3ebd0..02cd7ab956 100644
|
|
|
c480ed |
--- a/src/util/vircgroupv1.c
|
|
|
c480ed |
+++ b/src/util/vircgroupv1.c
|
|
|
c480ed |
@@ -1671,6 +1671,72 @@ virCgroupV1GetMemSwapUsage(virCgroupPtr group,
|
|
|
c480ed |
}
|
|
|
c480ed |
|
|
|
c480ed |
|
|
|
c480ed |
+static int
|
|
|
c480ed |
+virCgroupV1AllowDevice(virCgroupPtr group,
|
|
|
c480ed |
+ char type,
|
|
|
c480ed |
+ int major,
|
|
|
c480ed |
+ int minor,
|
|
|
c480ed |
+ int perms)
|
|
|
c480ed |
+{
|
|
|
c480ed |
+ VIR_AUTOFREE(char *) devstr = NULL;
|
|
|
c480ed |
+ VIR_AUTOFREE(char *) majorstr = NULL;
|
|
|
c480ed |
+ VIR_AUTOFREE(char *) minorstr = NULL;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ if ((major < 0 && VIR_STRDUP(majorstr, "*") < 0) ||
|
|
|
c480ed |
+ (major >= 0 && virAsprintf(&majorstr, "%i", major) < 0))
|
|
|
c480ed |
+ return -1;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ if ((minor < 0 && VIR_STRDUP(minorstr, "*") < 0) ||
|
|
|
c480ed |
+ (minor >= 0 && virAsprintf(&minorstr, "%i", minor) < 0))
|
|
|
c480ed |
+ return -1;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ if (virAsprintf(&devstr, "%c %s:%s %s", type, majorstr, minorstr,
|
|
|
c480ed |
+ virCgroupGetDevicePermsString(perms)) < 0)
|
|
|
c480ed |
+ return -1;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ if (virCgroupSetValueStr(group,
|
|
|
c480ed |
+ VIR_CGROUP_CONTROLLER_DEVICES,
|
|
|
c480ed |
+ "devices.allow",
|
|
|
c480ed |
+ devstr) < 0)
|
|
|
c480ed |
+ return -1;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ return 0;
|
|
|
c480ed |
+}
|
|
|
c480ed |
+
|
|
|
c480ed |
+
|
|
|
c480ed |
+static int
|
|
|
c480ed |
+virCgroupV1DenyDevice(virCgroupPtr group,
|
|
|
c480ed |
+ char type,
|
|
|
c480ed |
+ int major,
|
|
|
c480ed |
+ int minor,
|
|
|
c480ed |
+ int perms)
|
|
|
c480ed |
+{
|
|
|
c480ed |
+ VIR_AUTOFREE(char *) devstr = NULL;
|
|
|
c480ed |
+ VIR_AUTOFREE(char *) majorstr = NULL;
|
|
|
c480ed |
+ VIR_AUTOFREE(char *) minorstr = NULL;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ if ((major < 0 && VIR_STRDUP(majorstr, "*") < 0) ||
|
|
|
c480ed |
+ (major >= 0 && virAsprintf(&majorstr, "%i", major) < 0))
|
|
|
c480ed |
+ return -1;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ if ((minor < 0 && VIR_STRDUP(minorstr, "*") < 0) ||
|
|
|
c480ed |
+ (minor >= 0 && virAsprintf(&minorstr, "%i", minor) < 0))
|
|
|
c480ed |
+ return -1;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ if (virAsprintf(&devstr, "%c %s:%s %s", type, majorstr, minorstr,
|
|
|
c480ed |
+ virCgroupGetDevicePermsString(perms)) < 0)
|
|
|
c480ed |
+ return -1;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ if (virCgroupSetValueStr(group,
|
|
|
c480ed |
+ VIR_CGROUP_CONTROLLER_DEVICES,
|
|
|
c480ed |
+ "devices.deny",
|
|
|
c480ed |
+ devstr) < 0)
|
|
|
c480ed |
+ return -1;
|
|
|
c480ed |
+
|
|
|
c480ed |
+ return 0;
|
|
|
c480ed |
+}
|
|
|
c480ed |
+
|
|
|
c480ed |
+
|
|
|
c480ed |
virCgroupBackend virCgroupV1Backend = {
|
|
|
c480ed |
.type = VIR_CGROUP_BACKEND_TYPE_V1,
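Review bot: virCgroupV1AllowDevice and virCgroupV1DenyDevice are identical apart from the literal `"devices.allow"` / `"devices.deny"` handed to virCgroupSetValueStr, so the rule-string construction (wildcard handling, major/minor formatting, permission rendering) now exists twice in this file and any future fix has to be applied in both places. Since the move into the v1 backend rewrites both functions anyway, a static helper taking the target file name would leave each entry point as a one-line call. The duplication is inherited from vircgroup.c rather than introduced by this commit, so this is a style point only. Both functions are complete within the hunk.

```c
/* Build "<type> <major>:<minor> <perms>" and write it to the given
 * devices.* file; a negative major or minor is written as "*". */
static int
virCgroupV1SetDeviceRule(virCgroupPtr group,
                         const char *file,
                         char type,
                         int major,
                         int minor,
                         int perms)
{
    VIR_AUTOFREE(char *) devstr = NULL;
    VIR_AUTOFREE(char *) majorstr = NULL;
    VIR_AUTOFREE(char *) minorstr = NULL;

    /* … unchanged: majorstr/minorstr/devstr construction … */

    if (virCgroupSetValueStr(group,
                             VIR_CGROUP_CONTROLLER_DEVICES,
                             file,
                             devstr) < 0)
        return -1;

    return 0;
}


static int
virCgroupV1AllowDevice(virCgroupPtr group,
                       char type,
                       int major,
                       int minor,
                       int perms)
{
    return virCgroupV1SetDeviceRule(group, "devices.allow",
                                    type, major, minor, perms);
}


static int
virCgroupV1DenyDevice(virCgroupPtr group,
                      char type,
                      int major,
                      int minor,
                      int perms)
{
    return virCgroupV1SetDeviceRule(group, "devices.deny",
                                    type, major, minor, perms);
}
```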
|
|
|
c480ed |
|
|
|
c480ed |
@@ -1718,6 +1784,9 @@ virCgroupBackend virCgroupV1Backend = {
|
|
|
c480ed |
.setMemSwapHardLimit = virCgroupV1SetMemSwapHardLimit,
|
|
|
c480ed |
.getMemSwapHardLimit = virCgroupV1GetMemSwapHardLimit,
|
|
|
c480ed |
.getMemSwapUsage = virCgroupV1GetMemSwapUsage,
|
|
|
c480ed |
+
|
|
|
c480ed |
+ .allowDevice = virCgroupV1AllowDevice,
|
|
|
c480ed |
+ .denyDevice = virCgroupV1DenyDevice,
|
|
|
c480ed |
};
|
|
|
c480ed |
|
|
|
c480ed |
|
|
|
c480ed |
--
2.22.0