From 285aefb31cb126ae7f7d49db17ffcebaf3bec496 Mon Sep 17 00:00:00 2001
From: Pavel Hrdina
Date: Fri, 11 Jan 2019 14:56:17 +0100
Subject: [PATCH] vircgroup: introduce virCgroupV2AllowAllDevices
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit
If we want to allow all devices with all permissions we need to replace any existing program that has any rule configured, otherwise we just need to add new rule which will for example allow read access to all devices.
Signed-off-by: Pavel Hrdina
Reviewed-by: Ján Tomko
---
src/util/vircgroupv2.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index d38da04d6f..109b64f1c2 100644
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -1807,6 +1807,23 @@ virCgroupV2DenyDevice(virCgroupPtr group,
 }
+static int
+virCgroupV2AllowAllDevices(virCgroupPtr group,
+ int perms)
+{
+ if (virCgroupV2DevicesPrepareProg(group) < 0)
+ return -1;
+
+ if (group->unified.devices.count > 0 &&
+ perms == VIR_CGROUP_DEVICE_RWM &&
+ virCgroupV2DevicesCreateProg(group) < 0) {
+ return -1;
+ }
+
+ return virCgroupV2AllowDevice(group, 'a', -1, -1, perms);
+}
+
+
 virCgroupBackend virCgroupV2Backend = {
 .type = VIR_CGROUP_BACKEND_TYPE_V2,
@@ -1858,6 +1875,7 @@ virCgroupBackend virCgroupV2Backend = {
 .allowDevice = virCgroupV2AllowDevice,
 .denyDevice = virCgroupV2DenyDevice,
+ .allowAllDevices = virCgroupV2AllowAllDevices,
 .setCpuShares = virCgroupV2SetCpuShares,
 .getCpuShares = virCgroupV2GetCpuShares,
--
2.47.2
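Review bot: virCgroupV2AllowAllDevices carries no comment explaining why the program is recreated only when `group->unified.devices.count > 0` and `perms == VIR_CGROUP_DEVICE_RWM`, and that condition is the security-relevant part of the function. I would add a comment above the second `if` such as `/* A wildcard RWM rule supersedes every existing entry, so start from a fresh program; for narrower perms keep the per-device rules and only add the wildcard. */`. Because this is the widest grant the device controller can give, the function comment should also say what state the group is left in when virCgroupV2DevicesCreateProg succeeds and the following virCgroupV2AllowDevice call fails. The helpers' bodies are outside the hunk, so I cannot tell whether the old rules are already gone at that point; the intended outcome on failure (presumably deny-by-default rather than a half-configured rule set) is worth writing down and checking against those helpers.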