qemu_cgroup: Introduce qemuCgroupAllowDevicesPaths()
authorMichal Privoznik <mprivozn@redhat.com>
Thu, 21 Jul 2022 09:06:26 +0000 (11:06 +0200)
committerMichal Privoznik <mprivozn@redhat.com>
Thu, 21 Jul 2022 12:49:42 +0000 (14:49 +0200)
We have qemuCgroupAllowDevicePath() which sets up the devices
controller for just one path. And if we have more paths we have
to call it in a loop. So far, we have just one such place, but
soon we'll have another one (for SGX memory). Separate the loop
into its own function so that it can be reused.

And while at it, move setting the default set of devices as the
first thing, right after all devices are disallowed.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
src/qemu/qemu_cgroup.c

index e012ba92c0e65b951f397bf591ce1fd2a3920362..51702b52e1a993dddfcb7c0fb9a614c9dc213624 100644 (file)
@@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm,
 }
 
 
+static int
+qemuCgroupAllowDevicesPaths(virDomainObj *vm,
+                            const char *const *deviceACL,
+                            int perms,
+                            bool ignoreEacces)
+{
+    size_t i;
+
+    for (i = 0; deviceACL[i] != NULL; i++) {
+        int rv;
+
+        if (!virFileExists(deviceACL[i])) {
+            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
+            continue;
+        }
+
+        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces);
+        if (rv < 0 &&
+            !virLastErrorIsSystemErrno(ENOENT))
+            return -1;
+    }
+
+    return 0;
+}
+
+
 static int
 qemuCgroupDenyDevicePath(virDomainObj *vm,
                          const char *path,
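Review bot: In the new qemuCgroupAllowDevicesPaths() loop, the tolerated case (`rv < 0` with `virLastErrorIsSystemErrno(ENOENT)`) falls through without clearing the error, so the helper can return 0 while the thread's last error is still set. That qemuCgroupAllowDevicePath() reports an error on failure is inferred from the errno test, since its body is outside this hunk. Adding `if (rv < 0) virResetLastError();` right after the existing check would keep a skipped device from surfacing later as a misleading failure message. Since this is now a shared helper for device allow-lists, a header comment would also help: `deviceACL` must be non-NULL and NULL-terminated, every entry receives the same `perms`, and paths that are missing or vanish between virFileExists() and the allow call are skipped rather than treated as errors.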
@@ -671,6 +697,12 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
         return -1;
     }
 
+    if (!deviceACL)
+        deviceACL = defaultDeviceACL;
+
+    if (qemuCgroupAllowDevicesPaths(vm, deviceACL, VIR_CGROUP_DEVICE_RW, false) < 0)
+        return -1;
+
     if (qemuSetupFirmwareCgroup(vm) < 0)
         return -1;
 
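Review bot: The new call to qemuCgroupAllowDevicesPaths() carries no comment recording why it now runs first, which is the ordering the commit message relies on (default set granted right after everything is denied). A line such as `/* Allow the default or configured device list first, right after all devices were denied */` above `if (!deviceACL)` would make a later reorder a deliberate choice rather than an accident. The bare `false` argument is also hard to read at the call site; `false /* ignoreEacces */` would say what is being refused. The declaration and earlier assignment of `deviceACL`, and the deny-all step itself, are outside this hunk, as is the rest of qemuSetupDevicesCgroup().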
@@ -686,9 +718,6 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
     if (rv < 0)
         return -1;
 
-    if (!deviceACL)
-        deviceACL = defaultDeviceACL;
-
     if (vm->def->nsounds &&
         ((!vm->def->ngraphics && cfg->nogfxAllowHostAudio) ||
          (vm->def->graphics &&
@@ -703,18 +732,6 @@ qemuSetupDevicesCgroup(virDomainObj *vm)
             return -1;
     }
 
-    for (i = 0; deviceACL[i] != NULL; i++) {
-        if (!virFileExists(deviceACL[i])) {
-            VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]);
-            continue;
-        }
-
-        rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], VIR_CGROUP_DEVICE_RW, false);
-        if (rv < 0 &&
-            !virLastErrorIsSystemErrno(ENOENT))
-            return -1;
-    }
-
     if (virDomainChrDefForeach(vm->def,
                                true,
                                qemuSetupChardevCgroupCB,