From d25881180ef0b8b11bb5a51317cb49a194e37a76 Mon Sep 17 00:00:00 2001
Message-Id: <d25881180ef0b8b11bb5a51317cb49a194e37a76@dist-git>
From: Eduardo Habkost <ehabkost@redhat.com>
Date: Mon, 9 Apr 2018 15:46:47 +0200
Subject: [PATCH] qemu_cgroup: Fix 'rc' argument on virDomainAuditCgroupPath()
calls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
https://bugzilla.redhat.com/show_bug.cgi?id=1564996
All calls to virDomainAuditCgroupPath() were passing 'rc == 0' as
argument, when it was supposed to pass the 'rc' value directly.
As a consequence, the audit events that were supposed to be
logged (actual cgroup changes) were never being logged, and bogus
audit events were logged when using regular files as disk image.
Fix all calls to use the return value of
virCgroup{Allow,Deny}Device*() directly as the 'rc' argument.
Signed-off-by: Eduardo Habkost <ehabkost@redhat.com>
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit 9a22251bbe6a4ff8dab90da53a1c0df82d8d29fc)
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
---
src/qemu/qemu_cgroup.c | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
index 41e27c21e2..b604edb31c 100644
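--- a/src/qemu/qemu_cgroup.c
+++ b/src/qemu/qemu_cgroup.c
@@ -75,7 +75,7 @@ qemuSetupImagePathCgroup(virDomainObjPtr vm,
 
 virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path,
 virCgroupGetDevicePermsString(perms),
- ret == 0);
+ ret);
 
 return ret;
 }
@@ -129,7 +129,7 @@ qemuTeardownImageCgroup(virDomainObjPtr vm,
 ret = virCgroupDenyDevicePath(priv->cgroup, src->path, perms, true);
 
 virDomainAuditCgroupPath(vm, priv->cgroup, "deny", src->path,
- virCgroupGetDevicePermsString(perms), ret == 0);
+ virCgroupGetDevicePermsString(perms), ret);
 
 return ret;
 }
@@ -187,7 +187,7 @@ qemuSetupChrSourceCgroup(virDomainObjPtr vm,
 ret = virCgroupAllowDevicePath(priv->cgroup, source->data.file.path,
 VIR_CGROUP_DEVICE_RW, false);
 virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
- source->data.file.path, "rw", ret == 0);
+ source->data.file.path, "rw", ret);
 
 return ret;
 }
@@ -211,7 +211,7 @@ qemuTeardownChrSourceCgroup(virDomainObjPtr vm,
 ret = virCgroupDenyDevicePath(priv->cgroup, source->data.file.path,
 VIR_CGROUP_DEVICE_RW, false);
 virDomainAuditCgroupPath(vm, priv->cgroup, "deny",
- source->data.file.path, "rw", ret == 0);
+ source->data.file.path, "rw", ret);
 
 return ret;
 }
@@ -261,7 +261,7 @@ qemuSetupInputCgroup(virDomainObjPtr vm,
 VIR_DEBUG("Process path '%s' for input device", dev->source.evdev);
 ret = virCgroupAllowDevicePath(priv->cgroup, dev->source.evdev,
 VIR_CGROUP_DEVICE_RW, false);
- virDomainAuditCgroupPath(vm, priv->cgroup, "allow", dev->source.evdev, "rw", ret == 0);
+ virDomainAuditCgroupPath(vm, priv->cgroup, "allow", dev->source.evdev, "rw", ret);
 break;
 }
 
@@ -284,7 +284,7 @@ qemuTeardownInputCgroup(virDomainObjPtr vm,
 VIR_DEBUG("Process path '%s' for input device", dev->source.evdev);
 ret = virCgroupDenyDevicePath(priv->cgroup, dev->source.evdev,
 VIR_CGROUP_DEVICE_RWM, false);
- virDomainAuditCgroupPath(vm, priv->cgroup, "deny", dev->source.evdev, "rwm", ret == 0);
+ virDomainAuditCgroupPath(vm, priv->cgroup, "deny", dev->source.evdev, "rwm", ret);
 break;
 }
 
@@ -313,7 +313,7 @@ qemuSetupHostdevCgroup(virDomainObjPtr vm,
 rv = virCgroupAllowDevicePath(priv->cgroup, path[i], perms[i], false);
 virDomainAuditCgroupPath(vm, priv->cgroup, "allow", path[i],
 virCgroupGetDevicePermsString(perms[i]),
- ret == 0);
+ rv);
 if (rv < 0)
 goto cleanup;
 }
@@ -357,7 +357,7 @@ qemuTeardownHostdevCgroup(virDomainObjPtr vm,
 rv = virCgroupDenyDevicePath(priv->cgroup, path[i],
 VIR_CGROUP_DEVICE_RWM, false);
 virDomainAuditCgroupPath(vm, priv->cgroup,
- "deny", path[i], "rwm", rv == 0);
+ "deny", path[i], "rwm", rv);
 if (rv < 0)
 goto cleanup;
 }
@@ -388,7 +388,7 @@ qemuSetupMemoryDevicesCgroup(virDomainObjPtr vm,
 rv = virCgroupAllowDevicePath(priv->cgroup, mem->nvdimmPath,
 VIR_CGROUP_DEVICE_RW, false);
 virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
- mem->nvdimmPath, "rw", rv == 0);
+ mem->nvdimmPath, "rw", rv);
 
 return rv;
 }
@@ -410,7 +410,7 @@ qemuTeardownMemoryDevicesCgroup(virDomainObjPtr vm,
 rv = virCgroupDenyDevicePath(priv->cgroup, mem->nvdimmPath,
 VIR_CGROUP_DEVICE_RWM, false);
 virDomainAuditCgroupPath(vm, priv->cgroup,
- "deny", mem->nvdimmPath, "rwm", rv == 0);
+ "deny", mem->nvdimmPath, "rwm", rv);
 return rv;
 }
 
@@ -434,7 +434,7 @@ qemuSetupGraphicsCgroup(virDomainObjPtr vm,
 ret = virCgroupAllowDevicePath(priv->cgroup, rendernode,
 VIR_CGROUP_DEVICE_RW, false);
 virDomainAuditCgroupPath(vm, priv->cgroup, "allow", rendernode,
- "rw", ret == 0);
+ "rw", ret);
 return ret;
 }
 
@@ -573,7 +573,7 @@ qemuSetupRNGCgroup(virDomainObjPtr vm,
 VIR_CGROUP_DEVICE_RW, false);
 virDomainAuditCgroupPath(vm, priv->cgroup, "allow",
 rng->source.file,
- "rw", rv == 0);
+ "rw", rv);
 if (rv < 0 &&
 !virLastErrorIsSystemErrno(ENOENT))
 return -1;
@@ -600,7 +600,7 @@ qemuTeardownRNGCgroup(virDomainObjPtr vm,
 VIR_CGROUP_DEVICE_RW, false);
 virDomainAuditCgroupPath(vm, priv->cgroup, "deny",
 rng->source.file,
- "rw", rv == 0);
+ "rw", rv);
 if (rv < 0 &&
 !virLastErrorIsSystemErrno(ENOENT))
 return -1;
@@ -693,7 +693,7 @@ qemuSetupDevicesCgroup(virDomainObjPtr vm)
 
 rv = virCgroupAllowDevicePath(priv->cgroup, deviceACL[i],
 VIR_CGROUP_DEVICE_RW, false);
- virDomainAuditCgroupPath(vm, priv->cgroup, "allow", deviceACL[i], "rw", rv);
+ virDomainAuditCgroupPath(vm, priv->cgroup, "allow", deviceACL[i], "rw", rv);
 if (rv < 0 &&
 !virLastErrorIsSystemErrno(ENOENT))
 goto cleanup;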
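Review bot: In the qemuSetupRNGCgroup, qemuTeardownRNGCgroup and qemuSetupDevicesCgroup hunks the audit call receives `rv` before the `rv < 0 && !virLastErrorIsSystemErrno(ENOENT)` check, so a device node that is simply absent will presumably be audited as a failed allow/deny even though the caller then treats ENOENT as non-fatal. Anyone triaging the audit trail should be able to tell that apart from a real failure to change the device ACL, so I would add a comment above each of those checks such as `/* ENOENT is tolerated here, but the audit record above still reports it as a failed change */`. The last argument is a plain int whose meaning cannot be checked by the compiler, which is how all fourteen call sites ended up passing a boolean. The contract as the commit message implies it (negative for failure, zero for success, positive apparently for a path that is not a device) should be documented at the declaration of virDomainAuditCgroupPath(), which is outside this diff. All of these functions start and end outside their hunks, so the audit handling of negative values is inferred, not visible here.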
--
2.17.0