From 7c6b22c4d5343f8f635aa5c820778b09636f9beb Mon Sep 17 00:00:00 2001
From: Eric Blake
Date: Fri, 25 Feb 2011 11:55:44 -0700
Subject: [PATCH] qemu: only request sound cgroup ACL when required

When a SPICE or VNC graphics controller is present, and sound is piggybacked over a channel to the graphics device rather than directly accessing host hardware, then there is no need to grant host hardware access to that qemu process.
* src/qemu/qemu_cgroup.c (qemuSetupCgroup): Prevent sound with spice, and with vnc when vnc_allow_host_audio is 0. Reported by Daniel Berrange.
---
 src/qemu/qemu_cgroup.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index b39b5e13bd..e71d3fa7fb 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -241,7 +241,11 @@ int qemuSetupCgroup(struct qemud_driver *driver,
 goto cleanup;
 }
 
- if (vm->def->nsounds) {
+ if (vm->def->nsounds &&
+ (!vm->def->ngraphics ||
+ ((vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
+ driver->vncAllowHostAudio) ||
+ (vm->def->graphics[0]->type == VIR_DOMAIN_GRAPHICS_TYPE_SDL)))) {
 rc = virCgroupAllowDeviceMajor(cgroup, 'c', DEVICE_SND_MAJOR);
 qemuDomainCgroupAudit(vm, cgroup, "allow", "major", "sound",
 rc == 0);
-- 
GitLab
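Review bot: The new condition in qemuSetupCgroup inspects only `vm->def->graphics[0]`, so if a domain definition can carry more than one graphics entry, the sound-device ACL depends on their order. SPICE listed before SDL would deny DEVICE_SND_MAJOR even though SDL is in the allow branch, and entries after the first are never checked. If only one entry can reach this point, say so in a comment; otherwise iterate over `ngraphics`. The four-line boolean would also read better as a small static helper with a comment such as `/* host sound access is needed only when audio is not carried over the graphics channel: no graphics, SDL, or VNC with vnc_allow_host_audio set */`. That would make this cgroup decision easier to compare with whatever code selects the audio backend for the qemu process, which is not visible in this hunk. The function body starts and ends outside the hunk.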