[PATCH 12/19] vircgroup: introduce virCgroupV2AllowDevice

In order to allow a device we need to create a key and value which will be
used to update the BPF map.  virBPFUpdateElem() can override existing
entries in the BPF map so we need to check if that entry exists in order to
track the number of entries in our map.

This can add a rule for a specific device but major and minor can both be
-1 which follows the same behavior as in cgroup v1.

Signed-off-by: Pavel Hrdina <phrdina@xxxxxxxxxx>
---
 src/util/vircgroupv2.c | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/src/util/vircgroupv2.c b/src/util/vircgroupv2.c
index 198d2ea03e..e579464ff3 100644
--- a/src/util/vircgroupv2.c
+++ b/src/util/vircgroupv2.c
@@ -2001,6 +2001,35 @@ virCgroupV2DeviceGetKey(int major,
 }
 
 
+static int
+virCgroupV2AllowDevice(virCgroupPtr group,
+                       char type,
+                       int major,
+                       int minor,
+                       int perms)
+{
+    __u64 key = virCgroupV2DeviceGetKey(major, minor);
+    __u32 val = virCgroupV2DeviceGetPerms(perms, type);
+    int rc;
+
+    if (virCgroupV2DevicePrepareProg(group) < 0)
+        return -1;
+
+    rc = virBPFLookupElem(group->unified.devices.mapfd, &key, NULL);
+
+    if (virBPFUpdateElem(group->unified.devices.mapfd, &key, &val) < 0) {
+        virReportSystemError(errno, "%s",
+                             _("failed to update device in BPF cgroup map"));
+        return -1;
+    }
+
+    if (rc < 0)
+        group->unified.devices.count++;
+
+    return 0;
+}
+
+
 virCgroupBackend virCgroupV2Backend = {
     .type = VIR_CGROUP_BACKEND_TYPE_V2,
 
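Review bot: In virCgroupV2AllowDevice() any negative return from virBPFLookupElem() is treated as "entry not present", so `if (rc < 0)` increments `group->unified.devices.count` even when the lookup failed for some other reason. The call also passes NULL as the value buffer, so it is worth confirming that a lookup of an existing key really returns success in that case; otherwise every update of an existing rule would be counted as a new entry and the counter would drift above the real map size. Suggest looking up into a local `__u32` and only counting when the failure is specifically "key not found" (for example by checking errno right after the lookup, before virBPFUpdateElem() can overwrite it). A short comment in the function noting that major and minor of -1 act as wildcards, as the commit message says, would also help readers of the device ACL code.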
@@ -2050,6 +2079,8 @@ virCgroupBackend virCgroupV2Backend = {
     .getMemSwapHardLimit = virCgroupV2GetMemSwapHardLimit,
     .getMemSwapUsage = virCgroupV2GetMemSwapUsage,
 
+    .allowDevice = virCgroupV2AllowDevice,
+
     .setCpuShares = virCgroupV2SetCpuShares,
     .getCpuShares = virCgroupV2GetCpuShares,
     .setCpuCfsPeriod = virCgroupV2SetCpuCfsPeriod,
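Review bot: `.allowDevice` is registered in virCgroupV2Backend on its own here, with no matching deny callback visible in this patch. If the deny side only arrives later in the series, then at this commit a v2 group can gain device rules but cannot have them revoked through the backend, which matters for bisecting and for anyone backporting a subset of the 19 patches. Consider saying in the commit message that the deny callbacks follow, or wiring the callbacks up together once both sides exist.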
-- 
2.20.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
