
On 01/04/13 20:01, Han Cheng wrote:
Since libvirt confines a guest to a minimal device cgroup, the sg device nodes backing a SCSI hostdev must be added to the guest's cgroup whitelist. The SELinux label of those nodes must also be set and restored correctly for SCSI hostdevs.
Signed-off-by: Han Cheng <hanc.fnst@cn.fujitsu.com> --- src/qemu/qemu_cgroup.c | 67 +++++++++++++++++++++++++++++++------- src/qemu/qemu_cgroup.h | 3 ++ src/security/security_selinux.c | 56 ++++++++++++++++++++++++++++++++ 3 files changed, 113 insertions(+), 13 deletions(-)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index c9b4ca2..ea3d49b 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -194,6 +194,30 @@ int qemuSetupHostUsbDeviceCgroup(virUSBDevicePtr dev ATTRIBUTE_UNUSED,
 return 0;
 }
+int qemuSetupHostScsiDeviceCgroup(virSCSIDevicePtr dev,
+ const char *path,
+ void *opaque)
Indentions.
+{
+ qemuCgroupData *data = opaque;
+ int rc;
+
+ VIR_DEBUG("Process path '%s' for SCSI device", path);
+ rc = virCgroupAllowDevicePath(data->cgroup, path,
+ (virSCSIDeviceGetReadonly(dev) ? VIR_CGROUP_DEVICE_READ
+ : VIR_CGROUP_DEVICE_RW));
No need for the around ().
+ virDomainAuditCgroupPath(data->vm, data->cgroup, "allow", path,
+ virSCSIDeviceGetReadonly(dev) ? "r" : "rw", rc);
+ if (rc < 0) {
+ virReportSystemError(-rc,
+ _("Unable to allow device %s"),
+ path);
+ return -1;
+ }
+
+ return 0;
+
+}
+
 int qemuSetupCgroup(virQEMUDriverPtr driver,
 virDomainObjPtr vm,
 virBitmapPtr nodemask)
@@ -291,26 +315,43 @@ int qemuSetupCgroup(virQEMUDriverPtr driver,
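Review bot: `virSCSIDeviceGetReadonly(dev)` is evaluated twice in qemuSetupHostScsiDeviceCgroup, once to choose VIR_CGROUP_DEVICE_READ vs VIR_CGROUP_DEVICE_RW and again to build the "r"/"rw" audit string; computing it once up front, `bool readonly = virSCSIDeviceGetReadonly(dev);` (assuming the getter returns bool, as its name suggests), keeps the permission actually granted and the permission audited from drifting apart if either call is edited later. The empty line before the closing brace can also go. A short header comment would help readers who only see the prototype, e.g. `/* Callback for virSCSIDeviceFileIterate: whitelist one device node of a SCSI hostdev in the guest's device cgroup, read-only when the hostdev is marked readonly. */`.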
 for (i = 0; i < vm->def->nhostdevs; i++) {
 virDomainHostdevDefPtr hostdev = vm->def->hostdevs[i];
- virUSBDevicePtr usb;
+ virUSBDevicePtr usb = NULL;
+ virSCSIDevicePtr scsi = NULL;
 if (hostdev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS)
 continue;
- if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB)
- continue;
- if (hostdev->missing)
- continue;
+ switch (hostdev->source.subsys.type) {
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB:
+ if (hostdev->missing)
+ continue;
- if ((usb = virUSBDeviceNew(hostdev->source.subsys.u.usb.bus,
- hostdev->source.subsys.u.usb.device,
- NULL)) == NULL)
- goto cleanup;
+ if ((usb = virUSBDeviceNew(hostdev->source.subsys.u.usb.bus,
+ hostdev->source.subsys.u.usb.device,
+ NULL)) == NULL)
+ goto cleanup;
- if (virUSBDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup,
- &data) < 0) {
+ if (virUSBDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup,
+ &data) < 0) {
+ goto cleanup;
+ }
 virUSBDeviceFree(usb);
- goto cleanup;
+ break;
+ case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI:
+ if ((scsi = virSCSIDeviceNew(hostdev->source.subsys.u.scsi.adapter,
+ hostdev->source.subsys.u.scsi.bus,
+ hostdev->source.subsys.u.scsi.target,
+ hostdev->source.subsys.u.scsi.unit,
+ hostdev->readonly))== NULL)
+ goto cleanup;
+
+ if (virSCSIDeviceFileIterate(scsi, qemuSetupHostScsiDeviceCgroup,
+ &data) < 0) {
+ virSCSIDeviceFree(scsi);
+ goto cleanup;
+ }
+ virSCSIDeviceFree(scsi);
+ break;
 }
- virUSBDeviceFree(usb);
 }
 }
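Review bot: The USB failure path in the new switch leaks the virUSBDevice: the removed lines freed `usb` before `goto cleanup` when virUSBDeviceFileIterate() failed, but the rewritten branch jumps straight to cleanup, and because `usb` is declared inside the loop body the cleanup label (outside this hunk) cannot release it. Restore the free inside the failure branch, mirroring what the SCSI case a few lines lower already does: `if (virUSBDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup, &data) < 0) { virUSBDeviceFree(usb); goto cleanup; }`. The `switch` also has no `default:`; that is presumably intended so other subsystem types keep being skipped as before, but a `default: break;` with a one-line comment would make the intent explicit. qemuSetupCgroup starts before this hunk and its cleanup label lies after it.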
diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h
index a677d07..b9c6807 100644
--- a/src/qemu/qemu_cgroup.h
+++ b/src/qemu/qemu_cgroup.h
@@ -45,6 +45,9 @@ int qemuTeardownDiskCgroup(virDomainObjPtr vm,
 int qemuSetupHostUsbDeviceCgroup(virUSBDevicePtr dev,
 const char *path,
 void *opaque);
+int qemuSetupHostScsiDeviceCgroup(virSCSIDevicePtr dev,
+ const char *path,
+ void *opaque);
Indention. Otherwise looks good.