On 7/21/22 12:31, Michal Privoznik wrote: > We have qemuCgroupAllowDevicePath() which sets up devices > controller for just one path. And if we have more paths we have > to call it in a loop. So far, we have just one such place, but > soon we'll have another one (for SGX memory). Separate the loop > into its own function so that it can be reused. > > And while at it, move setting the default set of devices as the > first thing, right after all devices are disallowed. > > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > src/qemu/qemu_cgroup.c | 51 +++++++++++++++++++++++++++++------------- > 1 file changed, 36 insertions(+), 15 deletions(-) > > diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c > index e012ba92c0..8339caeb53 100644 > --- a/src/qemu/qemu_cgroup.c > +++ b/src/qemu/qemu_cgroup.c > @@ -67,6 +67,32 @@ qemuCgroupAllowDevicePath(virDomainObj *vm, > } > > > +static int > +qemuCgroupAllowDevicesPaths(virDomainObj *vm, > + const char *const *deviceACL, > + int perms, > + bool ignoreEacces) > +{ > + size_t i; > + > + for (i = 0; deviceACL[i] != NULL; i++) { > + int rv; > + > + if (!virFileExists(deviceACL[i])) { > + VIR_DEBUG("Ignoring non-existent device %s", deviceACL[i]); > + continue; > + } > + > + rv = qemuCgroupAllowDevicePath(vm, deviceACL[i], perms, ignoreEacces); > + if (rv < 0 && > + !virLastErrorIsSystemErrno(ENOENT)) > + return -1; > + } > + > + return 0; > +} > + > + > static int > qemuCgroupDenyDevicePath(virDomainObj *vm, > const char *path, > @@ -659,6 +685,10 @@ qemuSetupDevicesCgroup(virDomainObj *vm) > if (!virCgroupHasController(priv->cgroup, VIR_CGROUP_CONTROLLER_DEVICES)) > return 0; > > + deviceACL = cfg->cgroupDeviceACL ? > + (const char *const *)cfg->cgroupDeviceACL : > + defaultDeviceACL; > + OOOps, this hunk does not belong here. I've screwed up conflict resolution. Consider fixed locally. Michal
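Review bot: on the first hunk (the new qemuCgroupAllowDevicesPaths), the function takes a NULL-terminated array and silently tolerates both a non-existent path (the virFileExists check) and an ENOENT failure from qemuCgroupAllowDevicePath, but none of that contract is documented; add a short comment above the definition stating that deviceACL must be NULL-terminated and that missing devices are skipped rather than treated as errors. Also, when `rv < 0` is swallowed because the last error is ENOENT, the error stays set as the thread's last error while the loop goes on to return 0, so consider clearing it (virResetLastError) before `continue`-ing to the next entry so a later caller does not pick up a stale error. A plural-in-the-middle name like qemuCgroupAllowDevicesPaths reads oddly next to qemuCgroupAllowDevicePath; qemuCgroupAllowDevicePaths would be more consistent.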
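Review bot: on the second hunk (qemuSetupDevicesCgroup), the added `deviceACL = cfg->cgroupDeviceACL ? ... : defaultDeviceACL;` has no corresponding removal anywhere in the quoted diff, and the quote stops right after it, so the 15 deletions from the diffstat and the relocated "allow default devices right after deny-all" step described in the commit message are not visible; as shown, this assignment looks like a duplicate of one that already exists further down in the function, which the follow-up reply confirms is a conflict-resolution leftover. Drop it from this hunk (or post the complete hunk) so the patch reviewed matches the commit message.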