[PATCH] qemu: do not allow /dev/rtc or /dev/hpet access via the devices cgroup

Michal Privoznik mprivozn at redhat.com
Tue May 19 08:58:42 UTC 2020


On 5/19/20 10:55 AM, Daniel P. Berrangé wrote:
> On Tue, May 19, 2020 at 10:10:54AM +0200, Michal Privoznik wrote:
>> On 5/19/20 1:06 AM, Paolo Bonzini wrote:
>>> The RTC and HPET modes for the QEMU emulation tick have been dropped almost 9 years
>>> ago, in commit 25f3151ece1d5881826232bebccc21b588d4e03e.  Do not allow them in the
>>
>> qemu.git $ git describe --tags 25f3151ece1d5881826232bebccc21b588d4e03e
>> v0.14.0-rc0-1169-g25f3151ece
>>
>> and the minimum supported version is 1.5.0 so this is safe to merge from min
>> version POV.
>>
>>> devices cgroup policy.
>>>
>>> Signed-off-by: Paolo Bonzini <pbonzini at redhat.com>
>>> ---
>>>    docs/drvqemu.html.in               | 1 -
>>>    src/qemu/qemu.conf                 | 1 -
>>>    src/qemu/qemu_cgroup.c             | 1 -
>>>    src/qemu/test_libvirtd_qemu.aug.in | 2 --
>>>    4 files changed, 5 deletions(-)
>>
>> It's not only QEMU that might use these but also a library that is linking
>> with. However, quick strace showed no access to either of the files so:
>>
>> Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
>>
>> And pushed.
> 
> This broke make check
> 
> https://ci.centos.org/view/libvirt/job/libvirt-check/systems=libvirt-fedora-32/1170/console
> 
> though I don't understand why as it looks like it removed all the
> right pieces. I wonder if we had a bad dependency in make rules
> meaning we didn't regenerate

Ah, could it be because of the stray comma? From qemu.conf:

#cgroup_device_acl = [
#    "/dev/null", "/dev/full", "/dev/zero",
#    "/dev/random", "/dev/urandom",
#    "/dev/ptmx", "/dev/kvm",
#]

Let me check if removing the comma after /dev/kvm fixes the build.

Michal
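As an added example, not part of this thread or of libvirt's own code: a small Python check of a qemu.conf cgroup_device_acl block that flags the stray trailing comma after /dev/kvm and reports any of the dropped device nodes (/dev/rtc, /dev/hpet) still listed. Treating the trailing comma as a hard syntax error is an assumption that follows the hypothesis in the message above, not a description of the real augeas lens; the sample config text is constructed from the snippet in the thread.

```python
import re

# Constructed sample: the commented-out default block as quoted in the
# thread, with the stray trailing comma still present after "/dev/kvm".
BROKEN_CONF = """\
#cgroup_device_acl = [
#    "/dev/null", "/dev/full", "/dev/zero",
#    "/dev/random", "/dev/urandom",
#    "/dev/ptmx", "/dev/kvm",
#]
"""

# Same block with the comma after "/dev/kvm" removed.
FIXED_CONF = BROKEN_CONF.replace('"/dev/kvm",', '"/dev/kvm"')

# Device nodes the patch removed from the default ACL; they should not reappear.
REMOVED_DEVICES = ("/dev/rtc", "/dev/hpet")


def parse_device_acl(text):
    """Return the device paths listed in cgroup_device_acl.

    Leading '#' is stripped so the shipped, commented-out default is checked
    too.  A trailing comma before ']' raises ValueError (assumption: modelled
    on the make check failure discussed in the thread, not on the real lens).
    """
    uncommented = "\n".join(re.sub(r"^\s*#", "", ln) for ln in text.splitlines())
    match = re.search(r"cgroup_device_acl\s*=\s*\[(.*?)\]", uncommented, re.S)
    if not match:
        raise ValueError("cgroup_device_acl not found")
    body = match.group(1).strip()
    if body.endswith(","):
        raise ValueError("stray trailing comma before ']'")
    devices = []
    for item in (s.strip() for s in body.split(",") if s.strip()):
        if not (item.startswith('"') and item.endswith('"')):
            raise ValueError("unquoted list element: %s" % item)
        devices.append(item[1:-1])
    return devices


def acl_error(text):
    """Return the syntax error message for the block, or None if it parses."""
    try:
        parse_device_acl(text)
    except ValueError as err:
        return str(err)
    return None


def removed_devices_present(text):
    """Return any dropped device nodes that are still granted by the ACL."""
    return [d for d in parse_device_acl(text) if d in REMOVED_DEVICES]
```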