From: Marc-André Lureau <marcandre.lureau(a)redhat.com>
CGroup delegation can allow various processes or users to use
cgroups. Further checks should be done by the various backends.
With this series, a qemu:///session VM can have basic CGroupv2 support
with the help of machined --user.
Signed-off-by: Marc-André Lureau <marcandre.lureau(a)redhat.com>
---
src/qemu/qemu_cgroup.c | 3 ---
src/util/vircgroup.c | 5 +++++
2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index c288519e62..0f80dd4214 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -914,9 +914,6 @@ qemuInitCgroup(virDomainObjPtr vm,
qemuDomainObjPrivatePtr priv = vm->privateData;
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
- if (!virQEMUDriverIsPrivileged(priv->driver))
- return 0;
-
if (!virCgroupAvailable())
return 0;
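Review bot: Removing the `virQEMUDriverIsPrivileged()` early return from qemuInitCgroup leaves nothing in the function that says where the privilege decision is now made, and the rest of the body is outside this hunk. Session-mode drivers will now reach the machine-registration path, so a failure there can presumably abort a VM start that previously skipped cgroup setup altogether; it is worth confirming that the error path tolerates a user-level machined that is absent or refuses the request. I would add a comment above the `virCgroupAvailable()` check, for example `/* Unprivileged drivers continue: delegation is checked by the cgroup backends, and the domain may end up with no cgroup. */`. Later users of the domain's cgroup pointer should also be checked for a NULL value on session VMs, since the limits an administrator expects may silently not apply there.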
diff --git a/src/util/vircgroup.c b/src/util/vircgroup.c
index 70d85200cb..4e71677994 100644
--- a/src/util/vircgroup.c
+++ b/src/util/vircgroup.c
@@ -1254,6 +1254,11 @@ virCgroupNewMachine(const char *name,
if (rv == -1)
return -1;
+ if (geteuid() != 0) {
+ errno = EPERM;
+ return 0;
+ }
+
return virCgroupNewMachineManual(name,
drivername,
pidleader,
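Review bot: The added `geteuid() != 0` branch in virCgroupNewMachine sets `errno = EPERM` and then returns 0, so the caller sees success and has no reason to look at errno. If the intent is for the caller to treat this as an ignorable permission error, the branch should end in `return -1;`. If the intent is to succeed with no cgroup created, drop the `errno` assignment and say so in a comment such as `/* unprivileged: skip the manual fallback; no group is returned */`. Either way a `VIR_DEBUG` line here would make it visible that the VM is running without cgroup limits. The function's opening, including how the output group is initialised, is outside this hunk, so what the caller receives on this path should be confirmed there.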
--
2.26.0.rc2.42.g98cedd0233