vircgroupv2: fix virCgroupV2DenyDevice

The original logic is incorrect. We would delete the device entry
from eBPF map only if the newval would be same as current val in the
map. In case that the device was allowed only as read-only but later
we remove all permissions for that device it would remain in the table
with empty values.

The old code would still deny the device but it's not working as
intended. Instead we will update the value in advance. If the updated
value is 0 it means that we are removing all permissions so it should
be removed from the map, otherwise we will update the value in map.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1810356

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index 22da3a5c6a148e7781766140de42a6e8cc5f0871..4a239f067a645b851b9da94f35a24988b9998887 100644 (file)
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -1797,7 +1797,9 @@ virCgroupV2DenyDevice(virCgroupPtr group,
         return 0;
     }
 
-    if (newval == val) {
+    val = val & ~newval;
+
+    if (val == 0) {
         if (virBPFDeleteElem(group->unified.devices.mapfd, &key) < 0) {
             virReportSystemError(errno, "%s",
                                  _("failed to remove device from BPF cgroup map"));
@@ -1805,7 +1807,6 @@ virCgroupV2DenyDevice(virCgroupPtr group,
         }
         group->unified.devices.count--;
     } else {
-        val ^= val & newval;
         if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0) {
             virReportSystemError(errno, "%s",
                                  _("failed to update device in BPF cgroup map"));