From 5d4965191291ae0fb216196043ad33ca058bdc8e Mon Sep 17 00:00:00 2001
From: Pavel Hrdina
Date: Wed, 24 Apr 2019 12:10:08 +0200
Subject: [PATCH] vircgroup: introduce virCgroupV2AllowDevice
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order to allow device we need to create key and value which will be used to update BPF map. virBPFUpdateElem() can override existing entries in BPF map so we need to check if that entry exists in order to track number of entries in our map. This can add rule for specific device but major and minor can be both -1 which follows the same behavior as in cgroup v1.

Signed-off-by: Pavel Hrdina
Reviewed-by: Ján Tomko
---
 src/util/vircgroupv2.c | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index 6bce9012ae..5396972d80 100644
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -30,6 +30,7 @@
 #include "vircgrouppriv.h"
 #include "viralloc.h"
+#include "virbpf.h"
 #include "vircgroup.h"
 #include "vircgroupbackend.h"
 #include "vircgroupv2.h"
@@ -1737,6 +1738,35 @@ virCgroupV2GetCpusetCpus(virCgroupPtr group,
 }
+static int
+virCgroupV2AllowDevice(virCgroupPtr group,
+ char type,
+ int major,
+ int minor,
+ int perms)
+{
+ uint64_t key = virCgroupV2DevicesGetKey(major, minor);
+ uint32_t val = virCgroupV2DevicesGetPerms(perms, type);
+ int rc;
+
+ if (virCgroupV2DevicesPrepareProg(group) < 0)
+ return -1;
+
+ rc = virBPFLookupElem(group->unified.devices.mapfd, &key, NULL);
+
+ if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0) {
+ virReportSystemError(errno, "%s",
+ _("failed to update device in BPF cgroup map"));
+ return -1;
+ }
+
+ if (rc < 0)
+ group->unified.devices.count++;
+
+ return 0;
+}
+
+
 virCgroupBackend virCgroupV2Backend = {
 .type = VIR_CGROUP_BACKEND_TYPE_V2,
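Review bot: The existence probe `rc = virBPFLookupElem(group->unified.devices.mapfd, &key, NULL);` in virCgroupV2AllowDevice treats every lookup failure as "key not present", so `group->unified.devices.count` can be incremented when an existing rule is only being overwritten. virBPFLookupElem is defined outside this hunk, but if it hands the NULL value pointer straight to the kernel's map lookup, the call may fail for a key that does exist, because there is nowhere to copy the value. Passing a scratch value, `uint32_t old = 0;` with `rc = virBPFLookupElem(group->unified.devices.mapfd, &key, &old);`, and counting only when the lookup failed with `ENOENT` (errno saved before the update call, which may overwrite it) would keep the counter in step with the device allow-list map. A one-line comment above the lookup stating that it exists only to detect new keys would also help, since its result is not read until after the update.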
@@ -1786,6 +1816,8 @@ virCgroupBackend virCgroupV2Backend = {
 .getMemSwapHardLimit = virCgroupV2GetMemSwapHardLimit,
 .getMemSwapUsage = virCgroupV2GetMemSwapUsage,
+ .allowDevice = virCgroupV2AllowDevice,
+
 .setCpuShares = virCgroupV2SetCpuShares,
 .getCpuShares = virCgroupV2GetCpuShares,
 .setCpuCfsPeriod = virCgroupV2SetCpuCfsPeriod,