From 0cbcd21b1f981dcca7879130a6653725db87d33a Mon Sep 17 00:00:00 2001 From: Pavel Hrdina Date: Wed, 25 Nov 2020 17:21:49 +0100 Subject: [PATCH] vircgroupv2: fix virCgroupV2DenyDevice The original logic is incorrect. We would delete the device entry from eBPF map only if the newval would be same as current val in the map. In case that the device was allowed only as read-only but later we remove all permissions for that device it would remain in the table with empty values. The old code would still deny the device but it's not working as intended. Instead we will update the value in advance. If the updated value is 0 it means that we are removing all permissions so it should be removed from the map, otherwise we will update the value in map. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1810356 Signed-off-by: Pavel Hrdina Reviewed-by: Michal Privoznik --- src/util/vircgroupv2.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c index 22da3a5c6a..4a239f067a 100644 --- a/src/util/vircgroupv2.c +++ b/src/util/vircgroupv2.c @@ -1797,7 +1797,9 @@ virCgroupV2DenyDevice(virCgroupPtr group, return 0; } - if (newval == val) { + val = val & ~newval; + + if (val == 0) { if (virBPFDeleteElem(group->unified.devices.mapfd, &key) < 0) { virReportSystemError(errno, "%s", _("failed to remove device from BPF cgroup map")); @@ -1805,7 +1807,6 @@ virCgroupV2DenyDevice(virCgroupPtr group, } group->unified.devices.count--; } else { - val ^= val & newval; if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0) { virReportSystemError(errno, "%s", _("failed to update device in BPF cgroup map")); -- 2.47.3