* src/util/cgroup.c (virCgroupAllowDevicePath)
(virCgroupDenyDevicePath): Don't fail with EINVAL for
non-devices.
* src/qemu/qemu_driver.c (qemudDomainSaveFlag): Update caller.
* src/qemu/qemu_cgroup.c (qemuSetupDiskPathAllow)
(qemuSetupChardevCgroup, qemuSetupHostUsbDeviceCgroup)
(qemuSetupCgroup, qemuTeardownDiskPathDeny): Likewise.
---
v2: new patch, reduces audit log clutter in later patches
src/qemu/qemu_cgroup.c | 18 ++++++------------
src/qemu/qemu_driver.c | 6 +++---
src/util/cgroup.c | 7 ++++---
3 files changed, 13 insertions(+), 18 deletions(-)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 8cd6ce9..3907a09 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -66,11 +66,8 @@ int qemuSetupDiskPathAllow(virDomainDiskDefPtr disk ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path %s for disk", path);
/* XXX RO vs RW */
rc = virCgroupAllowDevicePath(cgroup, path);
- if (rc != 0) {
- /* Get this for non-block devices */
- if (rc == -EINVAL) {
- VIR_DEBUG("Ignoring EINVAL for %s", path);
- } else if (rc == -EACCES) { /* Get this for root squash NFS */
+ if (rc < 0) {
+ if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path);
} else {
virReportSystemError(-rc,
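Review bot: With the `-EINVAL` branch removed, a path that is skipped because it is not a device (return value 1) no longer leaves any trace in qemuSetupDiskPathAllow, and the same holds for qemuTeardownDiskPathDeny in the next hunk. This matters most on the deny side: virCgroupDenyDevicePath returns 1 before it calls virCgroupDenyDevice, so no rule is removed, and if the path referred to a device node when it was allowed, that allow entry would stay in place without any log line. A debug line after the error check keeps this diagnosable, e.g. `if (rc > 0) VIR_DEBUG("%s is not a device, cgroup ACL unchanged", path);`. Both function bodies continue outside their hunks, so the later use of `rc` is not visible; if either function returns `rc`, the value 1 would also reach its caller.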
@@ -106,11 +103,8 @@ int qemuTeardownDiskPathDeny(virDomainDiskDefPtr disk
ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path %s for disk", path);
/* XXX RO vs RW */
rc = virCgroupDenyDevicePath(cgroup, path);
- if (rc != 0) {
- /* Get this for non-block devices */
- if (rc == -EINVAL) {
- VIR_DEBUG("Ignoring EINVAL for %s", path);
- } else if (rc == -EACCES) { /* Get this for root squash NFS */
+ if (rc < 0) {
+ if (rc == -EACCES) { /* Get this for root squash NFS */
VIR_DEBUG("Ignoring EACCES for %s", path);
} else {
virReportSystemError(-rc,
@@ -148,7 +142,7 @@ int qemuSetupChardevCgroup(virDomainDefPtr def,
VIR_DEBUG("Process path '%s' for disk",
dev->source.data.file.path);
rc = virCgroupAllowDevicePath(cgroup, dev->source.data.file.path);
- if (rc != 0) {
+ if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s for %s"),
dev->source.data.file.path, def->name);
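Review bot: A return value of 1 from virCgroupAllowDevicePath means the configured path is not a device node, and `if (rc < 0)` now accepts that silently where `rc != 0` used to report an error; the same applies to qemuSetupHostUsbDeviceCgroup in the next hunk. Unlike disk images, these paths are presumably always expected to be device nodes (the filtering that leads here is outside the hunk), so a non-device is more likely a misconfiguration or a replaced node than a normal case. Consider keeping it visible, for the USB function e.g. `if (rc > 0) VIR_WARN("%s is not a device node", path);` and the analogous line here, or keep `rc != 0` as an error for these two callers. Separately, the VIR_DEBUG message in this hunk says `for disk` although it is in the chardev function.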
@@ -168,7 +162,7 @@ int qemuSetupHostUsbDeviceCgroup(usbDevice *dev ATTRIBUTE_UNUSED,
VIR_DEBUG("Process path '%s' for USB device", path);
rc = virCgroupAllowDevicePath(cgroup, path);
- if (rc != 0) {
+ if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s"),
path);
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index c58c20e..15b9bc0 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -1963,7 +1963,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver,
virDomainPtr dom,
goto endjob;
}
rc = virCgroupAllowDevicePath(cgroup, path);
- if (rc != 0) {
+ if (rc < 0) {
virReportSystemError(-rc,
_("Unable to allow device %s for %s"),
path, vm->def->name);
@@ -2012,7 +2012,7 @@ static int qemudDomainSaveFlag(struct qemud_driver *driver,
virDomainPtr dom,
if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path);
- if (rc != 0)
+ if (rc < 0)
VIR_WARN("Unable to deny device %s for %s %d",
path, vm->def->name, rc);
}
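Review bot: The warning in this hunk is formatted as `"Unable to deny device %s for %s %d"`, without the colon used by the otherwise identical message in the `endjob:` hunk below; using `"Unable to deny device %s for %s: %d"` in both places keeps log searches consistent. `rc` is a negative errno at this point, so printing `-rc` would also be easier to read than the raw value. The enclosing function starts and ends outside the hunk.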
@@ -2043,7 +2043,7 @@ endjob:
if (cgroup != NULL) {
rc = virCgroupDenyDevicePath(cgroup, path);
- if (rc != 0)
+ if (rc < 0)
VIR_WARN("Unable to deny device %s for %s: %d",
path, vm->def->name, rc);
}
diff --git a/src/util/cgroup.c b/src/util/cgroup.c
index b71eef9..00c8828 100644
--- a/src/util/cgroup.c
+++ b/src/util/cgroup.c
@@ -1147,7 +1147,8 @@ int virCgroupAllowDeviceMajor(virCgroupPtr group, char type, int
major)
* Queries the type of device and its major/minor number, and
* adds that to the cgroup ACL
*
- * Returns: 0 on success
+ * Returns: 0 on success, 1 if path exists but is not a device, or
+ * negative errno value on failure
*/
#if defined(major) && defined(minor)
int virCgroupAllowDevicePath(virCgroupPtr group, const char *path)
@@ -1158,7 +1159,7 @@ int virCgroupAllowDevicePath(virCgroupPtr group, const char *path)
return -errno;
if (!S_ISCHR(sb.st_mode) && !S_ISBLK(sb.st_mode))
- return -EINVAL;
+ return 1;
return virCgroupAllowDevice(group,
S_ISCHR(sb.st_mode) ? 'c' : 'b',
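Review bot: The new tri-state result (0, 1, negative errno) is documented for virCgroupAllowDevicePath only; virCgroupDenyDevicePath gets the same `return 1` in the next hunk, but no hunk touches its doc comment, so it presumably still says only `0 on success`. Add the same text there: `Returns: 0 on success, 1 if path exists but is not a device, or negative errno value on failure`. Any caller not updated in this patch that still tests `rc != 0` would treat 1 as a failure and pass `-1` to virReportSystemError, so callers outside the three files in the diffstat are worth a quick check. Both functions continue outside their hunks.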
@@ -1242,7 +1243,7 @@ int virCgroupDenyDevicePath(virCgroupPtr group, const char *path)
return -errno;
if (!S_ISCHR(sb.st_mode) && !S_ISBLK(sb.st_mode))
- return -EINVAL;
+ return 1;
return virCgroupDenyDevice(group,
S_ISCHR(sb.st_mode) ? 'c' : 'b',
--
1.7.4