From: Pavel Hrdina <phrdina@redhat.com>
Date: Fri, 11 Jan 2019 13:56:48 +0000 (+0100)
Subject: vircgroup: introduce virCgroupV2DenyAllDevices
X-Git-Tag: v5.10.0-rc1~167
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=884479b42b857dc3dce6b3bd1dec4d8e971dee3c;p=thirdparty%2Flibvirt.git

vircgroup: introduce virCgroupV2DenyAllDevices

If we want to deny all devices we just need to replace any existing
program with new program with empty map.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---

diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index 109b64f1c2..84d8e38a59 100644
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -1824,6 +1824,16 @@ virCgroupV2AllowAllDevices(virCgroupPtr group,
 }
 
 
+static int
+virCgroupV2DenyAllDevices(virCgroupPtr group)
+{
+    if (virCgroupV2DevicesDetectProg(group) < 0)
+        return -1;
+
+    return virCgroupV2DevicesCreateProg(group);
+}
+
+
 virCgroupBackend virCgroupV2Backend = {
     .type = VIR_CGROUP_BACKEND_TYPE_V2,
 
@@ -1876,6 +1886,7 @@ virCgroupBackend virCgroupV2Backend = {
     .allowDevice = virCgroupV2AllowDevice,
     .denyDevice = virCgroupV2DenyDevice,
     .allowAllDevices = virCgroupV2AllowAllDevices,
+    .denyAllDevices = virCgroupV2DenyAllDevices,
 
     .setCpuShares = virCgroupV2SetCpuShares,
     .getCpuShares = virCgroupV2GetCpuShares,