Re: [libvirt] [PATCH v2 08/10] qemu: cgroup and selinux for scsi hostdev

As libvirt gives guest minimal cgroup, we need to add sg into guest cgroup whitelist for scsi hostdev. And we should set and restore selinux label correctly for scsi hostdev. Signed-off-by: Han Cheng <hanc.fnst(a)cn.fujitsu.com&gt; --- src/qemu/qemu_cgroup.c | 67 +++++++++++++++++++++++++++++++------- src/qemu/qemu_cgroup.h | 3 ++ src/security/security_selinux.c | 56 ++++++++++++++++++++++++++++++++ 3 files changed, 113 insertions(+), 13 deletions(-) diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index c9b4ca2..ea3d49b 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -194,6 +194,30 @@ int qemuSetupHostUsbDeviceCgroup(virUSBDevicePtr dev ATTRIBUTE_UNUSED, return 0; } +int qemuSetupHostScsiDeviceCgroup(virSCSIDevicePtr dev, + const char *path, + void *opaque)

+{ + qemuCgroupData *data = opaque; + int rc; + + VIR_DEBUG("Process path '%s' for SCSI device", path); + rc = virCgroupAllowDevicePath(data->cgroup, path, + (virSCSIDeviceGetReadonly(dev) ? VIR_CGROUP_DEVICE_READ + : VIR_CGROUP_DEVICE_RW));

+ virDomainAuditCgroupPath(data->vm, data->cgroup, "allow", path, + virSCSIDeviceGetReadonly(dev) ? "r" : "rw", rc); + if (rc < 0) { + virReportSystemError(-rc, + _("Unable to allow device %s"), + path); + return -1; + } + + return 0; + +} + int qemuSetupCgroup(virQEMUDriverPtr driver, virDomainObjPtr vm, virBitmapPtr nodemask) @@ -291,26 +315,43 @@ int qemuSetupCgroup(virQEMUDriverPtr driver, for (i = 0; i < vm->def->nhostdevs; i++) { virDomainHostdevDefPtr hostdev = vm->def->hostdevs[i]; - virUSBDevicePtr usb; + virUSBDevicePtr usb = NULL; + virSCSIDevicePtr scsi = NULL; if (hostdev->mode != VIR_DOMAIN_HOSTDEV_MODE_SUBSYS) continue; - if (hostdev->source.subsys.type != VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB) - continue; - if (hostdev->missing) - continue; + switch (hostdev->source.subsys.type) { + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_USB: + if (hostdev->missing) + continue; - if ((usb = virUSBDeviceNew(hostdev->source.subsys.u.usb.bus, - hostdev->source.subsys.u.usb.device, - NULL)) == NULL) - goto cleanup; + if ((usb = virUSBDeviceNew(hostdev->source.subsys.u.usb.bus, + hostdev->source.subsys.u.usb.device, + NULL)) == NULL) + goto cleanup; - if (virUSBDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup, - &data) < 0) { + if (virUSBDeviceFileIterate(usb, qemuSetupHostUsbDeviceCgroup, + &data) < 0) { + goto cleanup; + } virUSBDeviceFree(usb); - goto cleanup; + break; + case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_SCSI: + if ((scsi = virSCSIDeviceNew(hostdev->source.subsys.u.scsi.adapter, + hostdev->source.subsys.u.scsi.bus, + hostdev->source.subsys.u.scsi.target, + hostdev->source.subsys.u.scsi.unit, + hostdev->readonly))== NULL) + goto cleanup; + + if (virSCSIDeviceFileIterate(scsi, qemuSetupHostScsiDeviceCgroup, + &data) < 0) { + virSCSIDeviceFree(scsi); + goto cleanup; + } + virSCSIDeviceFree(scsi); + break; } - virUSBDeviceFree(usb); } } diff --git a/src/qemu/qemu_cgroup.h b/src/qemu/qemu_cgroup.h index a677d07..b9c6807 100644 --- a/src/qemu/qemu_cgroup.h +++ b/src/qemu/qemu_cgroup.h @@ -45,6 +45,9 @@ int qemuTeardownDiskCgroup(virDomainObjPtr vm, int qemuSetupHostUsbDeviceCgroup(virUSBDevicePtr dev, const char *path, void *opaque); +int qemuSetupHostScsiDeviceCgroup(virSCSIDevicePtr dev, + const char *path, + void *opaque);