From: Praveen K Paladugu <prapal@linux.microsoft.com> A domain that runs with TCG emulation does not need kvm device, so drop it from default device ACL. Dynamically grant access to /dev/kvm based on domain type. Signed-off-by: Praveen K Paladugu <prapal@linux.microsoft.com> --- src/qemu/qemu.conf.in | 3 +-- src/qemu/qemu_cgroup.c | 9 +++++++-- src/qemu/qemu_domain.h | 1 + src/qemu/qemu_namespace.c | 9 +++++++-- src/qemu/test_libvirtd_qemu.aug.in | 3 +-- 5 files changed, 17 insertions(+), 8 deletions(-) diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in index fc91ba8f08..0a8abd9544 100644 --- a/src/qemu/qemu.conf.in +++ b/src/qemu/qemu.conf.in @@ -618,8 +618,7 @@ #cgroup_device_acl = [ # "/dev/null", "/dev/full", "/dev/zero", # "/dev/random", "/dev/urandom", -# "/dev/ptmx", "/dev/kvm", -# "/dev/userfaultfd" +# "/dev/ptmx", "/dev/userfaultfd" #] # # RDMA migration requires the following extra files to be added to the list: diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index f10976c2b0..100604fae5 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -41,8 +41,7 @@ VIR_LOG_INIT("qemu.qemu_cgroup"); const char *const defaultDeviceACL[] = { "/dev/null", "/dev/full", "/dev/zero", "/dev/random", "/dev/urandom", - "/dev/ptmx", "/dev/kvm", - "/dev/userfaultfd", + "/dev/ptmx", "/dev/userfaultfd", NULL, }; #define DEVICE_PTY_MAJOR 136 @@ -86,6 +85,12 @@ qemuCgroupAllowDevicesPaths(virDomainObj *vm, if (qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces) < 0) return -1; } + if (vm->def->virtType == VIR_DOMAIN_VIRT_KVM) { + /* KVM requires access to /dev/kvm */ + if (qemuCgroupAllowDevicePath(vm, QEMU_DEV_KVM, VIR_CGROUP_DEVICE_RW, + ignoreEacces) < 0) + return -1; + } return 0; } diff --git a/src/qemu/qemu_domain.h b/src/qemu/qemu_domain.h index f4945f598a..fe4ba4fa15 100644 --- a/src/qemu/qemu_domain.h +++ b/src/qemu/qemu_domain.h @@ -89,6 +89,7 @@ struct _qemuDomainUnpluggingDevice { #define QEMU_DEV_SGX_PROVISION "/dev/sgx_provision" #define QEMU_DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control" #define QEMU_DEV_UDMABUF "/dev/udmabuf" +#define QEMU_DEV_KVM "/dev/kvm" #define QEMU_DOMAIN_AES_IV_LEN 16 /* 16 bytes for 128 bit random */ diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c index f72da83929..ca12fcf587 100644 --- a/src/qemu/qemu_namespace.c +++ b/src/qemu/qemu_namespace.c @@ -210,13 +210,18 @@ qemuDomainGetPreservedMounts(virQEMUDriverConfig *cfg, static int qemuDomainPopulateDevices(virQEMUDriverConfig *cfg, + virDomainObj *vm, GSList **paths) { const char *const *devices = (const char *const *) cfg->cgroupDeviceACL; size_t i; - if (!devices) + if (!devices) { devices = defaultDeviceACL; + if (vm->def->virtType == VIR_DOMAIN_VIRT_KVM) { + *paths = g_slist_prepend(*paths, g_strdup(QEMU_DEV_KVM)); + } + } for (i = 0; devices[i]; i++) { *paths = g_slist_prepend(*paths, g_strdup(devices[i])); @@ -694,7 +699,7 @@ qemuDomainBuildNamespace(virQEMUDriverConfig *cfg, return 0; } - if (qemuDomainPopulateDevices(cfg, &paths) < 0) + if (qemuDomainPopulateDevices(cfg, vm, &paths) < 0) return -1; if (qemuDomainSetupAllDisks(vm, &paths) < 0) diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in index 90012b3f52..82cfec3b4b 100644 --- a/src/qemu/test_libvirtd_qemu.aug.in +++ b/src/qemu/test_libvirtd_qemu.aug.in @@ -76,8 +76,7 @@ module Test_libvirtd_qemu = { "4" = "/dev/random" } { "5" = "/dev/urandom" } { "6" = "/dev/ptmx" } - { "7" = "/dev/kvm" } - { "8" = "/dev/userfaultfd" } + { "7" = "/dev/userfaultfd" } } { "save_image_format" = "raw" } { "dump_image_format" = "raw" } -- 2.51.0