qemu_cgroup: Don't deny devices from cgroupDeviceACL

On domain startup a couple of devices are allowed in the devices
controller no matter the domain configuration. The aim is to
allow devices crucial for QEMU or one of its libraries, or user
is passing through a device (e.g. through additional cmd line
arguments) and wants QEMU to access it.

However, during unplug it may happen that a device is configured
to use one of such devices and since we deny /dev nodes on
hotplug we would deny such device too. For example,
/dev/urandom belongs onto the list of implicit devices and users
can hotplug and hotunplug an RNG device with /dev/urandom as
backend.

The fix is fortunately simple - just consult the list of implicit
devices before removing the device from the namespace.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>

src/qemu/qemu_cgroup.c

@@ -81,8 +81,19 @@ qemuCgroupDenyDevicePath(virDomainObj *vm,
                          bool ignoreEacces)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
+    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
+    const char *const *deviceACL = (const char *const *)cfg->cgroupDeviceACL;
     int ret;
 
+    if (!deviceACL)
+        deviceACL = defaultDeviceACL;
+
+    if (g_strv_contains(deviceACL, path)) {
+        VIR_DEBUG("Skipping deny of path %s in CGroups because it's in cgroupDeviceACL",
+                  path);
+        return 0;
+    }
+
     VIR_DEBUG("Deny path %s, perms: %s",
               path, virCgroupGetDevicePermsString(perms));