提交 d5b09ce5 编写于 作者: P Pavel Hrdina

vircgroup: introduce virCgroupV2DenyDevice

In order to deny a device we need to check whether there is an entry in the BPF
map, and if there already is an entry for that device we need to load its
current value from the map.  If both values are the same we can remove that
entry, but if they differ we need to update the entry, because we do not
necessarily deny all access but, for example, only write access.
Signed-off-by: NPavel Hrdina <phrdina@redhat.com>
Reviewed-by: NJán Tomko <jtomko@redhat.com>
上级 5d496519
...@@ -1767,6 +1767,46 @@ virCgroupV2AllowDevice(virCgroupPtr group, ...@@ -1767,6 +1767,46 @@ virCgroupV2AllowDevice(virCgroupPtr group,
} }
static int
virCgroupV2DenyDevice(virCgroupPtr group,
char type,
int major,
int minor,
int perms)
{
uint64_t key = virCgroupV2DevicesGetKey(major, minor);
uint32_t newval = virCgroupV2DevicesGetPerms(perms, type);
uint32_t val = 0;
if (virCgroupV2DevicesPrepareProg(group) < 0)
return -1;
if (group->unified.devices.count <= 0 ||
virBPFLookupElem(group->unified.devices.mapfd, &key, &val) < 0) {
VIR_DEBUG("nothing to do, device is not allowed");
return 0;
}
if (newval == val) {
if (virBPFDeleteElem(group->unified.devices.mapfd, &key) < 0) {
virReportSystemError(errno, "%s",
_("failed to remove device from BPF cgroup map"));
return -1;
}
group->unified.devices.count--;
} else {
val ^= val & newval;
if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0) {
virReportSystemError(errno, "%s",
_("failed to update device in BPF cgroup map"));
return -1;
}
}
return 0;
}
virCgroupBackend virCgroupV2Backend = { virCgroupBackend virCgroupV2Backend = {
.type = VIR_CGROUP_BACKEND_TYPE_V2, .type = VIR_CGROUP_BACKEND_TYPE_V2,
...@@ -1817,6 +1857,7 @@ virCgroupBackend virCgroupV2Backend = { ...@@ -1817,6 +1857,7 @@ virCgroupBackend virCgroupV2Backend = {
.getMemSwapUsage = virCgroupV2GetMemSwapUsage, .getMemSwapUsage = virCgroupV2GetMemSwapUsage,
.allowDevice = virCgroupV2AllowDevice, .allowDevice = virCgroupV2AllowDevice,
.denyDevice = virCgroupV2DenyDevice,
.setCpuShares = virCgroupV2SetCpuShares, .setCpuShares = virCgroupV2SetCpuShares,
.getCpuShares = virCgroupV2GetCpuShares, .getCpuShares = virCgroupV2GetCpuShares,
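Review bot: When the permissions already stored for the device are a strict subset of the ones being denied (entry allows read only, deny called with read and write), `newval == val` is false, `val ^= val & newval` clears every bit, and the entry is rewritten with a zero value instead of being deleted, so `group->unified.devices.count` no longer matches the number of live map entries. Masking first and branching on the remainder avoids the dead entry: replace `if (newval == val) {` with `val &= ~newval;` followed by `if (val == 0) {`, and drop the `val ^= val & newval;` line from the else branch. This assumes the value produced by virCgroupV2DevicesGetPerms holds only permission and type bits that `newval` carries as well; that helper, and whether the BPF program treats a zero-valued entry as a deny, are outside this hunk, so the deny itself may still take effect and the drift in `count` (presumably what virCgroupV2DevicesPrepareProg sizes the map from) is the concrete concern. Separately, the `virBPFLookupElem(...) < 0` check treats a genuine lookup failure the same as "entry absent" and logs only "nothing to do"; if the helper distinguishes ENOENT from other errors, reporting the latter would keep a failed deny from passing silently.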
......