Re: [PATCH] qemu: Drop /dev/kvm from default device ACL

Mon, 20 Oct 2025 08:36:36 -0700 



On 10/20/2025 9:55 AM, Daniel P. Berrangé wrote:

On Mon, Oct 20, 2025 at 03:07:34PM +0200, Michal Prívozník via Devel wrote:

On 10/17/25 18:54, Praveen K Paladugu wrote:

A domain that runs with TCG emulation does not need kvm device, so drop
it from default device ACL.

To dynamically add devices to defaultDeviceACL, make it a GSList. This
variable will be initialized when qemu driver is initalized.

Lastly, dynamically append /dev/kvm to default ACL only if the domain is
of type VIR_DOMAIN_VIRT_KVM.

Signed-off-by: Praveen K Paladugu <[email protected]>
---
  src/qemu/qemu.conf.in              |  3 +-
  src/qemu/qemu_cgroup.c             | 52 ++++++++++++++++++++++--------
  src/qemu/qemu_cgroup.h             |  5 ++-
  src/qemu/qemu_conf.c               | 14 ++++++--
  src/qemu/qemu_conf.h               |  2 +-
  src/qemu/qemu_driver.c             |  4 +++
  src/qemu/qemu_namespace.c          | 12 +++----
  src/qemu/qemu_process.c            |  6 ++--
  src/qemu/test_libvirtd_qemu.aug.in |  3 +-
  9 files changed, 71 insertions(+), 30 deletions(-)

diff --git a/src/qemu/qemu.conf.in b/src/qemu/qemu.conf.in
index fc91ba8f08..0a8abd9544 100644
--- a/src/qemu/qemu.conf.in
+++ b/src/qemu/qemu.conf.in
@@ -618,8 +618,7 @@
  #cgroup_device_acl = [
  #    "/dev/null", "/dev/full", "/dev/zero",
  #    "/dev/random", "/dev/urandom",
-#    "/dev/ptmx", "/dev/kvm",
-#    "/dev/userfaultfd"
+#    "/dev/ptmx", "/dev/userfaultfd"
  #]
  #
  # RDMA migration requires the following extra files to be added to the list:
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index f10976c2b0..b2dcefd81e 100644
--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -38,17 +38,38 @@

  
  VIR_LOG_INIT("qemu.qemu_cgroup");
  
-const char *const defaultDeviceACL[] = {

+GSList *defaultDeviceACL;
+
+const char *const _defaultDeviceACL[] = {
      "/dev/null", "/dev/full", "/dev/zero",
      "/dev/random", "/dev/urandom",
-    "/dev/ptmx", "/dev/kvm",
-    "/dev/userfaultfd",
+    "/dev/ptmx", "/dev/userfaultfd",
      NULL,
  };
  #define DEVICE_PTY_MAJOR 136
  #define DEVICE_SND_MAJOR 116

  
  
+void

+initDefaultDeviceACL(void)
+{
+    size_t i;
+
+    for (i = 0; _defaultDeviceACL[i] != NULL; i++) {
+        defaultDeviceACL = g_slist_append(defaultDeviceACL,
+                                            g_strdup(_defaultDeviceACL[i]));
+    }
+}
+
+void
+updateDefaultDeviceACL(virDomainObj *vm)
+{
+    if (vm->def->virtType == VIR_DOMAIN_VIRT_KVM) {
+        defaultDeviceACL = g_slist_append(defaultDeviceACL,
+                                                g_strdup("/dev/kvm"));
+    }
+}


So if this function is called multiple times then "/dev/kvm" will appear
multiple times on the list. Worse, if the first VM is of KVM type, then
/dev/kvm is added onto the list and the accelerator of the second one is
irrelevant as /dev/kvm will be allowed in its devices CGroup controller.

What you want to do is:

1) remove "/dev/kvm" from the defaultDeviceACL array,
2) audit and fix all users of defaultDeviceACL and let them act
    accordingly if domain is of KVM type. For instance,
    qemuSetupDevicesCgroup() will need to have something like:

qemuSetupDevicesCgroup(vm)
{
   ...
   qemuCgroupAllowDevicesPaths(vm, deviceACL, VIR_CGROUP_DEVICE_RW, false);

   if (vm->def->virtType == VIR_DOMAIN_VIRT_KVM) {
     qemuCgroupAllowDevicePath(vm, "/dev/kvm", VIR_CGROUP_DEVICE_RW, false);
   }


These 3 lines of code should simply be inside qemuCgroupAllowDevicesPaths,
either before/after the for() loop.

Then no code needs changing beyond removing /dev/kvm from the device
default list config.




In my testing I discovered that I had to append /dev/kvm to *paths in 
qemuDomainPopulateDevices method while building a namespace for the domain.


Without this change the domain fails to start.



   ...
}



With regards,
Daniel


--
Regards,
Praveen K Paladugu























					Reply via email to