Re: [libvirt] [PATCHv2 6/8] cgroup: allow fine-tuning of device ACL permissions
On Tue, Mar 08, 2011 at 10:13:48PM -0700, Eric Blake wrote:
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index ebf9ad5..83063a9 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -226,7 +229,8 @@ int qemuSetupCgroup(struct qemud_driver *driver,
goto cleanup;
}
- rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR);
+ rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_PTY_MAJOR,
+ VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_PTY_MAJOR,
"pty", rc == 0);
if (rc != 0) {
I'm not entirely sure that we actually need RWM here, rather than
just RW. QEMU doesn't do any mknod in /dev/pts/XXX. The entries
in that filesystem just magically appear from the kernel when
you open /dev/ptmx.
@@ -240,7 +244,8 @@ int qemuSetupCgroup(struct qemud_driver *driver,
((vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC
&&
driver->vncAllowHostAudio) ||
(vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL))))
{
- rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR);
+ rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR,
+ VIR_CGROUP_DEVICE_RWM);
qemuAuditCgroupMajor(vm, cgroup, "allow", DEVICE_SND_MAJOR,
"sound", rc == 0);
if (rc != 0) {
Almost certain we don't need RWM for sound devices, just RW
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|