qemu: don't request cgroup ACL access for /dev/net/tun

Since libvirt always passes /dev/net/tun to qemu via fd, we should never trigger the cases where qemu tries to directly open the device. Therefore, it is safer to deny the cgroup device ACL. * src/qemu/qemu_cgroup.c (defaultDeviceACL): Remove /dev/net/tun. * src/qemu/qemu.conf (cgroup_device_acl): Reflect this change.

qemu: don't request cgroup ACL access for /dev/net/tun
Since libvirt always passes /dev/net/tun to qemu via fd, we should never trigger the cases where qemu tries to directly open the device. Therefore, it is safer to deny the cgroup device ACL. * src/qemu/qemu_cgroup.c (defaultDeviceACL): Remove /dev/net/tun. * src/qemu/qemu.conf (cgroup_device_acl): Reflect this change.
c52cbe48 · Eric Blake · 5d091513 · c52cbe48 · c52cbe48
隐藏空白更改
内联并排

Showing with 2 addition and 2 deletion

src/qemu/qemu.conf src/qemu/qemu.conf +1 -1

src/qemu/qemu_cgroup.c src/qemu/qemu_cgroup.c +1 -1

未找到文件。
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -182,7 +182,7 @@
 #    "/dev/null", "/dev/full", "/dev/zero",
 #    "/dev/random", "/dev/urandom",
 #    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
-#    "/dev/rtc", "/dev/hpet", "/dev/net/tun",
+#    "/dev/rtc", "/dev/hpet",
 #]



--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -37,7 +37,7 @@ static const char *const defaultDeviceACL[] = {
    "/dev/null", "/dev/full", "/dev/zero",
    "/dev/random", "/dev/urandom",
    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
-    "/dev/rtc", "/dev/hpet", "/dev/net/tun",
+    "/dev/rtc", "/dev/hpet",
    NULL,
 };
 #define DEVICE_PTY_MAJOR 136