In order to deny device we need to check if there is any entry in BPF
map and we need to load the current value from map if there is already
entry for that device. If both values are same we can remove that entry
but if they are different we need to update the entry because we don't
have to deny all access, but for example only write access.
Signed-off-by: Pavel Hrdina <phrdina(a)redhat.com>
---
src/util/vircgroupv2.c | 41 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 41 insertions(+)
diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index e579464ff3..aea7ba677f 100644
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -2030,6 +2030,46 @@ virCgroupV2AllowDevice(virCgroupPtr group,
}
+static int
+virCgroupV2DenyDevice(virCgroupPtr group,
+ char type,
+ int major,
+ int minor,
+ int perms)
+{
+ __u64 key = virCgroupV2DeviceGetKey(major, minor);
+ __u32 newval = virCgroupV2DeviceGetPerms(perms, type);
+ __u32 val = 0;
+
+ if (virCgroupV2DevicePrepareProg(group) < 0)
+ return -1;
+
+ if (group->unified.devices.count <= 0 ||
+ virBPFLookupElem(group->unified.devices.mapfd, &key, &val) < 0) {
+ VIR_DEBUG("nothing to do, device is not allowed");
+ return 0;
+ }
+
+ if (newval == val) {
+ if (virBPFDeleteElem(group->unified.devices.mapfd, &key) < 0) {
+ virReportSystemError(errno, "%s",
+ _("failed to remove device from BPF cgroup
map"));
+ return -1;
+ }
+ group->unified.devices.count--;
+ } else {
+ val ^= val & newval;
+ if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0)
{
+ virReportSystemError(errno, "%s",
+ _("failed to update device in BPF cgroup
map"));
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
+
virCgroupBackend virCgroupV2Backend = {
.type = VIR_CGROUP_BACKEND_TYPE_V2,
@@ -2080,6 +2120,7 @@ virCgroupBackend virCgroupV2Backend = {
.getMemSwapUsage = virCgroupV2GetMemSwapUsage,
.allowDevice = virCgroupV2AllowDevice,
+ .denyDevice = virCgroupV2DenyDevice,
.setCpuShares = virCgroupV2SetCpuShares,
.getCpuShares = virCgroupV2GetCpuShares,
--
2.20.1