If we want to deny all devices we just need to replace any existing
program with new program with empty map.
Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx>
---
src/util/vircgroupv2.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index 6c3f2bf522..4bcdd16814 100644
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -2087,6 +2087,16 @@ virCgroupV2AllowAllDevices(virCgroupPtr group,
}
+static int
+virCgroupV2DenyAllDevices(virCgroupPtr group)
+{
+ if (virCgroupV2DeviceDetectProg(group) < 0)
+ return -1;
+
+ return virCgroupV2DeviceCreateProg(group);
+}
+
+
virCgroupBackend virCgroupV2Backend = {
.type = VIR_CGROUP_BACKEND_TYPE_V2,
@@ -2139,6 +2149,7 @@ virCgroupBackend virCgroupV2Backend = {
.allowDevice = virCgroupV2AllowDevice,
.denyDevice = virCgroupV2DenyDevice,
.allowAllDevices = virCgroupV2AllowAllDevices,
+ .denyAllDevices = virCgroupV2DenyAllDevices,
.setCpuShares = virCgroupV2SetCpuShares,
.getCpuShares = virCgroupV2GetCpuShares,
--
2.20.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
