From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 10 Apr 2018 06:00:59 +0000 (+0200)
Subject: qemu_cgroup: Allow /dev/mapper/control for PR
X-Git-Tag: v4.4.0-rc1~234
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d13179fe8d91100aa7f637e0e234138738b530e6;p=thirdparty%2Flibvirt.git

qemu_cgroup: Allow /dev/mapper/control for PR

Just like in previous commit, qemu-pr-helper might want to open
/dev/mapper/control under certain circumstances. Therefore we
have to allow it in cgroups.

The change virdevmapper.c might look spurious but it isn't. After
6dd84f6850ca437 any path that we're allowing in deivces CGroup is
subject to virDevMapperGetTargets() inspection. And libdevmapper
returns ENXIO for the path from subject.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: John Ferlan <jferlan@redhat.com>
---

diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index d88eb7881f..546a4c8e63 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -114,6 +114,8 @@ qemuSetupImagePathCgroup(virDomainObjPtr vm,
 }
 
 
+#define DEVICE_MAPPER_CONTROL_PATH "/dev/mapper/control"
+
 static int
 qemuSetupImageCgroupInternal(virDomainObjPtr vm,
                              virStorageSourcePtr src,
@@ -125,6 +127,10 @@ qemuSetupImageCgroupInternal(virDomainObjPtr vm,
         return 0;
     }
 
+    if (virStoragePRDefIsManaged(src->pr) &&
+        qemuSetupImagePathCgroup(vm, DEVICE_MAPPER_CONTROL_PATH, false) < 0)
+        return -1;
+
     return qemuSetupImagePathCgroup(vm, src->path, src->readonly || forceReadonly);
 }
 
@@ -142,9 +148,8 @@ qemuTeardownImageCgroup(virDomainObjPtr vm,
                         virStorageSourcePtr src)
 {
     qemuDomainObjPrivatePtr priv = vm->privateData;
-    int perms = VIR_CGROUP_DEVICE_READ |
-                VIR_CGROUP_DEVICE_WRITE |
-                VIR_CGROUP_DEVICE_MKNOD;
+    int perms = VIR_CGROUP_DEVICE_RWM;
+    size_t i;
     int ret;
 
     if (!virCgroupHasController(priv->cgroup,
@@ -157,6 +162,28 @@ qemuTeardownImageCgroup(virDomainObjPtr vm,
         return 0;
     }
 
+    for (i = 0; i < vm->def->ndisks; i++) {
+        virStorageSourcePtr diskSrc = vm->def->disks[i]->src;
+
+        if (src == diskSrc)
+            continue;
+
+        if (virStoragePRDefIsManaged(diskSrc->pr))
+            break;
+    }
+
+    if (i == vm->def->ndisks) {
+        VIR_DEBUG("Disabling device mapper control");
+        ret = virCgroupDenyDevicePath(priv->cgroup,
+                                      DEVICE_MAPPER_CONTROL_PATH, perms, true);
+        virDomainAuditCgroupPath(vm, priv->cgroup, "deny",
+                                 DEVICE_MAPPER_CONTROL_PATH,
+                                 virCgroupGetDevicePermsString(perms), ret);
+        if (ret < 0)
+            return ret;
+    }
+
+
     VIR_DEBUG("Deny path %s", src->path);
 
     ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms, true);
diff --git a/src/util/virdevmapper.c b/src/util/virdevmapper.c
index d2c25af003..b365f20145 100644
--- a/src/util/virdevmapper.c
+++ b/src/util/virdevmapper.c
@@ -101,8 +101,13 @@ virDevMapperGetTargetsImpl(const char *path,
 
     dm_task_no_open_count(dmt);
 
-    if (!dm_task_run(dmt))
+    if (!dm_task_run(dmt)) {
+        if (errno == ENXIO) {
+            /* If @path = "/dev/mapper/control" ENXIO is returned. */
+            ret = 0;
+        }
         goto cleanup;
+    }
 
     if (!dm_task_get_info(dmt, &info))
         goto cleanup;