From 9d749998b300acacd34e1b5b195c78ccee4ceced Mon Sep 17 00:00:00 2001
From: Michal Privoznik
Date: Mon, 14 Mar 2022 15:05:11 +0100
Subject: [PATCH] qemu_namespace: Don't unlink paths from cgroupDeviceACL
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

When building namespace for a domain there are couple of devices that are created independent of domain config (see qemuDomainPopulateDevices()). The idea behind is that these devices are crucial for QEMU or one of its libraries, or user is passing through a device and wants us to create it in the namespace too. That's the reason that these devices are allowed in the devices CGroup controller as well. However, during unplug it may happen that a device is configured to use one of such devices and since we remove /dev nodes on hotplug we would remove such device too. For example, /dev/urandom belongs onto the list of implicit devices and users can hotplug and hotunplug an RNG device with /dev/urandom as backend. The fix is fortunately simple - just consult the list of implicit devices before removing the device from the namespace.

Signed-off-by: Michal Privoznik
Reviewed-by: Ján Tomko
---
 src/qemu/qemu_namespace.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 3b41d72630..9528112338 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -1364,6 +1364,7 @@ qemuNamespaceUnlinkPaths(virDomainObj *vm,
 if (STRPREFIX(path, QEMU_DEVPREFIX)) {
 GStrv mount;
 bool inSubmount = false;
+ const char *const *devices = (const char *const *)cfg->cgroupDeviceACL;
 for (mount = devMountsPath; *mount; mount++) {
 if (STREQ(*mount, "/dev"))
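Review bot: The choice between `cfg->cgroupDeviceACL` and `defaultDeviceACL` does not depend on `path`, yet the declaration added here sits inside the `if (STRPREFIX(path, QEMU_DEVPREFIX))` block and the fallback is applied in the next hunk, so the selection is spread over two places and repeated for every path. Resolving it once at the top of the function, e.g. `const char *const *devices = cfg->cgroupDeviceACL ? (const char *const *)cfg->cgroupDeviceACL : defaultDeviceACL;`, would keep it in one statement. The commit message names qemuDomainPopulateDevices() as the place that creates these nodes; if it picks the list the same way (not visible here), a shared helper would keep the "create" and "never unlink" lists from drifting apart. The function body starts and ends outside the hunk, so the loop structure is inferred.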
@@ -1375,8 +1376,16 @@ qemuNamespaceUnlinkPaths(virDomainObj *vm,
 }
 }
- if (!inSubmount)
- unlinkPaths = g_slist_prepend(unlinkPaths, g_strdup(path));
+ if (inSubmount)
+ continue;
+
+ if (!devices)
+ devices = defaultDeviceACL;
+
+ if (g_strv_contains(devices, path))
+ continue;
+
+ unlinkPaths = g_slist_prepend(unlinkPaths, g_strdup(path));
 }
 }
-- 
2.47.2
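Review bot: `g_strv_contains(devices, path)` is an exact string comparison, so the new guard only protects an implicit device when `path` is spelled byte-for-byte like the ACL entry. A path that names the same node differently (a doubled slash, a `..` component, or a symlink under /dev) would still pass `STRPREFIX(path, QEMU_DEVPREFIX)` and be queued for unlink; whether callers canonicalize paths before this point is not visible in the hunk. If they do not, the comparison should be made on canonical forms. Either way the assumption deserves a comment above the check: `/* Nodes from cgroupDeviceACL/defaultDeviceACL are shared by the whole namespace; never unlink them. Exact match: path must be canonical. */`. The enclosing loop and function begin and end outside the hunk.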