On Mon, Oct 20, 2025 at 03:07:34PM +0200, Michal Prívozník via Devel wrote: > On 10/17/25 18:54, Praveen K Paladugu wrote: > > A domain that runs with TCG emulation does not need kvm device, so drop > > it from default device ACL. > > > > To dynamically add devices to defaultDeviceACL, make it a GSList. This > > variable will be initialized when qemu driver is initalized. > > > > Lastly, dynamically append /dev/kvm to default ACL only if the domain is > > of type VIR_DOMAIN_VIRT_KVM. > > > > Signed-off-by: Praveen K Paladugu <[email protected]> > > --- > > src/qemu/qemu.conf.in | 3 +- > > src/qemu/qemu_cgroup.c | 52 ++++++++++++++++++++++-------- > > src/qemu/qemu_cgroup.h | 5 ++- > > src/qemu/qemu_conf.c | 14 ++++++-- > > src/qemu/qemu_conf.h | 2 +- > > src/qemu/qemu_driver.c | 4 +++ > > src/qemu/qemu_namespace.c | 12 +++---- > > src/qemu/qemu_process.c | 6 ++-- > > src/qemu/test_libvirtd_qemu.aug.in | 3 +- > > 9 files changed, 71 insertions(+), 30 deletions(-) > > > > diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in > > index fc91ba8f08..0a8abd9544 100644 > > --- a/src/qemu/qemu.conf.in > > +++ b/src/qemu/qemu.conf.in > > @@ -618,8 +618,7 @@ > > #cgroup_device_acl = [ > > # "/dev/null", "/dev/full", "/dev/zero", > > # "/dev/random", "/dev/urandom", > > -# "/dev/ptmx", "/dev/kvm", > > -# "/dev/userfaultfd" > > +# "/dev/ptmx", "/dev/userfaultfd" > > #] > > # > > # RDMA migration requires the following extra files to be added to the > > list: > > diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c > > index f10976c2b0..b2dcefd81e 100644 > > --- a/src/qemu/qemu_cgroup.c > > +++ b/src/qemu/qemu_cgroup.c > > @@ -38,17 +38,38 @@ > > > > VIR_LOG_INIT("qemu.qemu_cgroup"); > > > > -const char *const defaultDeviceACL[] = { > > +GSList *defaultDeviceACL; > > + > > +const char *const _defaultDeviceACL[] = { > > "/dev/null", "/dev/full", "/dev/zero", > > "/dev/random", "/dev/urandom", > > - "/dev/ptmx", "/dev/kvm", > > - "/dev/userfaultfd", > > + "/dev/ptmx", "/dev/userfaultfd", > > NULL, > > }; > > #define DEVICE_PTY_MAJOR 136 > > #define DEVICE_SND_MAJOR 116 > > > > > > +void > > +initDefaultDeviceACL(void) > > +{ > > + size_t i; > > + > > + for (i = 0; _defaultDeviceACL[i] != NULL; i++) { > > + defaultDeviceACL = g_slist_append(defaultDeviceACL, > > + > > g_strdup(_defaultDeviceACL[i])); > > + } > > +} > > + > > +void > > +updateDefaultDeviceACL(virDomainObj *vm) > > +{ > > + if (vm->def->virtType == VIR_DOMAIN_VIRT_KVM) { > > + defaultDeviceACL = g_slist_append(defaultDeviceACL, > > + g_strdup("/dev/kvm")); > > + } > > +} > > So if this function is called multiple times then "/dev/kvm" will appear > multiple times on the list. Worse, if the first VM is of KVM type, then > /dev/kvm is added onto the list and the accelerator of the second one is > irrelevant as /dev/kvm will be allowed in its devices CGroup controller. > > What you want to do is: > > 1) remove "/dev/kvm" from the defaultDeviceACL array, > 2) audit and fix all users of defaultDeviceACL and let them act > accordingly if domain is of KVM type. For instance, > qemuSetupDevicesCgroup() will need to have something like: > > qemuSetupDevicesCgroup(vm) > { > ... > qemuCgroupAllowDevicesPaths(vm, deviceACL, VIR_CGROUP_DEVICE_RW, false); > > if (vm->def->virtType == VIR_DOMAIN_VIRT_KVM) { > qemuCgroupAllowDevicePath(vm, "/dev/kvm", VIR_CGROUP_DEVICE_RW, false); > }
These 3 lines of code should simply be inside qemuCgroupAllowDevicesPaths, either before/after the for() loop. Then no code needs changing beyond removing /dev/kvm from the device default list config. > ... > } With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
