+static int bdrv_child_check_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
+ GSList *ignore_children, Error **errp);
+static void bdrv_child_abort_perm_update(BdrvChild *c);
+static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared);
+
+/*
+ * Check whether permissions on this node can be changed in a way that
+ * @cumulative_perms and @cumulative_shared_perms are the new cumulative
+ * permissions of all its parents. This involves checking whether all necessary
+ * permission changes to child nodes can be performed.
+ *
+ * A call to this function must always be followed by a call to bdrv_set_perm()
+ * or bdrv_abort_perm_update().
+ */
+static int bdrv_check_perm(BlockDriverState *bs, uint64_t cumulative_perms,
+ uint64_t cumulative_shared_perms,
+ GSList *ignore_children, Error **errp)
+{
+ BlockDriver *drv = bs->drv;
+ BdrvChild *c;
+ int ret;
+
+ /* Write permissions never work with read-only images */
+ if ((cumulative_perms & (BLK_PERM_WRITE | BLK_PERM_WRITE_UNCHANGED)) &&
+ bdrv_is_read_only(bs))
+ {
+ error_setg(errp, "Block node is read-only");
+ return -EPERM;
+ }
+
+ /* Check this node */
+ if (!drv) {
+ return 0;
+ }
+
+ if (drv->bdrv_check_perm) {
+ return drv->bdrv_check_perm(bs, cumulative_perms,
+ cumulative_shared_perms, errp);
+ }
+
+ /* Drivers that never have children can omit .bdrv_child_perm() */
+ if (!drv->bdrv_child_perm) {
+ assert(QLIST_EMPTY(&bs->children));
+ return 0;
+ }
+
+ /* Check all children */
+ QLIST_FOREACH(c, &bs->children, next) {
+ uint64_t cur_perm, cur_shared;
+ drv->bdrv_child_perm(bs, c, c->role,
+ cumulative_perms, cumulative_shared_perms,
+ &cur_perm, &cur_shared);
+ ret = bdrv_child_check_perm(c, cur_perm, cur_shared, ignore_children,
+ errp);
+ if (ret < 0) {
+ return ret;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * Notifies drivers that after a previous bdrv_check_perm() call, the
+ * permission update is not performed and any preparations made for it (e.g.
+ * taken file locks) need to be undone.
+ *
+ * This function recursively notifies all child nodes.
+ */
+static void bdrv_abort_perm_update(BlockDriverState *bs)
+{
+ BlockDriver *drv = bs->drv;
+ BdrvChild *c;
+
+ if (!drv) {
+ return;
+ }
+
+ if (drv->bdrv_abort_perm_update) {
+ drv->bdrv_abort_perm_update(bs);
+ }
+
+ QLIST_FOREACH(c, &bs->children, next) {
+ bdrv_child_abort_perm_update(c);
+ }
+}
+
+static void bdrv_set_perm(BlockDriverState *bs, uint64_t cumulative_perms,
+ uint64_t cumulative_shared_perms)
+{
+ BlockDriver *drv = bs->drv;
+ BdrvChild *c;
+
+ if (!drv) {
+ return;
+ }
+
+ /* Update this node */
+ if (drv->bdrv_set_perm) {
+ drv->bdrv_set_perm(bs, cumulative_perms, cumulative_shared_perms);
+ }
+
+ /* Drivers that never have children can omit .bdrv_child_perm() */
+ if (!drv->bdrv_child_perm) {
+ assert(QLIST_EMPTY(&bs->children));
+ return;
+ }
+
+ /* Update all children */
+ QLIST_FOREACH(c, &bs->children, next) {
+ uint64_t cur_perm, cur_shared;
+ drv->bdrv_child_perm(bs, c, c->role,
+ cumulative_perms, cumulative_shared_perms,
+ &cur_perm, &cur_shared);
+ bdrv_child_set_perm(c, cur_perm, cur_shared);
+ }
+}
+
+static void bdrv_get_cumulative_perm(BlockDriverState *bs, uint64_t *perm,
+ uint64_t *shared_perm)
+{
+ BdrvChild *c;
+ uint64_t cumulative_perms = 0;
+ uint64_t cumulative_shared_perms = BLK_PERM_ALL;
+
+ QLIST_FOREACH(c, &bs->parents, next_parent) {
+ cumulative_perms |= c->perm;
+ cumulative_shared_perms &= c->shared_perm;
+ }
+
+ *perm = cumulative_perms;
+ *shared_perm = cumulative_shared_perms;
+}
+
+static char *bdrv_child_user_desc(BdrvChild *c)
+{
+ if (c->role->get_parent_desc) {
+ return c->role->get_parent_desc(c);
+ }
+
+ return g_strdup("another user");
+}
+
+static char *bdrv_perm_names(uint64_t perm)
+{
+ struct perm_name {
+ uint64_t perm;
+ const char *name;
+ } permissions[] = {
+ { BLK_PERM_CONSISTENT_READ, "consistent read" },
+ { BLK_PERM_WRITE, "write" },
+ { BLK_PERM_WRITE_UNCHANGED, "write unchanged" },
+ { BLK_PERM_RESIZE, "resize" },
+ { BLK_PERM_GRAPH_MOD, "change children" },
+ { 0, NULL }
+ };
+
+ char *result = g_strdup("");
+ struct perm_name *p;
+
+ for (p = permissions; p->name; p++) {
+ if (perm & p->perm) {
+ char *old = result;
+ result = g_strdup_printf("%s%s%s", old, *old ? ", " : "", p->name);
+ g_free(old);
+ }
+ }
+
+ return result;
+}
+
+/*
+ * Checks whether a new reference to @bs can be added if the new user requires
+ * @new_used_perm/@new_shared_perm as its permissions. If @ignore_children is
+ * set, the BdrvChild objects in this list are ignored in the calculations;
+ * this allows checking permission updates for an existing reference.
+ *
+ * Needs to be followed by a call to either bdrv_set_perm() or
+ * bdrv_abort_perm_update(). */
+static int bdrv_check_update_perm(BlockDriverState *bs, uint64_t new_used_perm,
+ uint64_t new_shared_perm,
+ GSList *ignore_children, Error **errp)
+{
+ BdrvChild *c;
+ uint64_t cumulative_perms = new_used_perm;
+ uint64_t cumulative_shared_perms = new_shared_perm;
+
+ /* There is no reason why anyone couldn't tolerate write_unchanged */
+ assert(new_shared_perm & BLK_PERM_WRITE_UNCHANGED);
+
+ QLIST_FOREACH(c, &bs->parents, next_parent) {
+ if (g_slist_find(ignore_children, c)) {
+ continue;
+ }
+
+ if ((new_used_perm & c->shared_perm) != new_used_perm) {
+ char *user = bdrv_child_user_desc(c);
+ char *perm_names = bdrv_perm_names(new_used_perm & ~c->shared_perm);
+ error_setg(errp, "Conflicts with use by %s as '%s', which does not "
+ "allow '%s' on %s",
+ user, c->name, perm_names, bdrv_get_node_name(c->bs));
+ g_free(user);
+ g_free(perm_names);
+ return -EPERM;
+ }
+
+ if ((c->perm & new_shared_perm) != c->perm) {
+ char *user = bdrv_child_user_desc(c);
+ char *perm_names = bdrv_perm_names(c->perm & ~new_shared_perm);
+ error_setg(errp, "Conflicts with use by %s as '%s', which uses "
+ "'%s' on %s",
+ user, c->name, perm_names, bdrv_get_node_name(c->bs));
+ g_free(user);
+ g_free(perm_names);
+ return -EPERM;
+ }
+
+ cumulative_perms |= c->perm;
+ cumulative_shared_perms &= c->shared_perm;
+ }
+
+ return bdrv_check_perm(bs, cumulative_perms, cumulative_shared_perms,
+ ignore_children, errp);
+}
+
+/* Needs to be followed by a call to either bdrv_child_set_perm() or
+ * bdrv_child_abort_perm_update(). */
+static int bdrv_child_check_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
+ GSList *ignore_children, Error **errp)
+{
+ int ret;
+
+ ignore_children = g_slist_prepend(g_slist_copy(ignore_children), c);
+ ret = bdrv_check_update_perm(c->bs, perm, shared, ignore_children, errp);
+ g_slist_free(ignore_children);
+
+ return ret;
+}
+
+static void bdrv_child_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared)
+{
+ uint64_t cumulative_perms, cumulative_shared_perms;
+
+ c->perm = perm;
+ c->shared_perm = shared;
+
+ bdrv_get_cumulative_perm(c->bs, &cumulative_perms,
+ &cumulative_shared_perms);
+ bdrv_set_perm(c->bs, cumulative_perms, cumulative_shared_perms);
+}
+
+static void bdrv_child_abort_perm_update(BdrvChild *c)
+{
+ bdrv_abort_perm_update(c->bs);
+}
+
+int bdrv_child_try_set_perm(BdrvChild *c, uint64_t perm, uint64_t shared,
+ Error **errp)
+{
+ int ret;
+
+ ret = bdrv_child_check_perm(c, perm, shared, NULL, errp);
+ if (ret < 0) {
+ bdrv_child_abort_perm_update(c);
+ return ret;
+ }
+
+ bdrv_child_set_perm(c, perm, shared);
+
+ return 0;
+}
+
+#define DEFAULT_PERM_PASSTHROUGH (BLK_PERM_CONSISTENT_READ \
+ | BLK_PERM_WRITE \
+ | BLK_PERM_WRITE_UNCHANGED \
+ | BLK_PERM_RESIZE)
+#define DEFAULT_PERM_UNCHANGED (BLK_PERM_ALL & ~DEFAULT_PERM_PASSTHROUGH)
+
+void bdrv_filter_default_perms(BlockDriverState *bs, BdrvChild *c,
+ const BdrvChildRole *role,
+ uint64_t perm, uint64_t shared,
+ uint64_t *nperm, uint64_t *nshared)
+{
+ if (c == NULL) {
+ *nperm = perm & DEFAULT_PERM_PASSTHROUGH;
+ *nshared = (shared & DEFAULT_PERM_PASSTHROUGH) | DEFAULT_PERM_UNCHANGED;
+ return;
+ }
+
+ *nperm = (perm & DEFAULT_PERM_PASSTHROUGH) |
+ (c->perm & DEFAULT_PERM_UNCHANGED);
+ *nshared = (shared & DEFAULT_PERM_PASSTHROUGH) |
+ (c->shared_perm & DEFAULT_PERM_UNCHANGED);
+}
+
+void bdrv_format_default_perms(BlockDriverState *bs, BdrvChild *c,
+ const BdrvChildRole *role,
+ uint64_t perm, uint64_t shared,
+ uint64_t *nperm, uint64_t *nshared)
+{
+ bool backing = (role == &child_backing);
+ assert(role == &child_backing || role == &child_file);
+
+ if (!backing) {
+ /* Apart from the modifications below, the same permissions are
+ * forwarded and left alone as for filters */
+ bdrv_filter_default_perms(bs, c, role, perm, shared, &perm, &shared);
+
+ /* Format drivers may touch metadata even if the guest doesn't write */
+ if (!bdrv_is_read_only(bs)) {
+ perm |= BLK_PERM_WRITE | BLK_PERM_RESIZE;
+ }
+
+ /* bs->file always needs to be consistent because of the metadata. We
+ * can never allow other users to resize or write to it. */
+ perm |= BLK_PERM_CONSISTENT_READ;
+ shared &= ~(BLK_PERM_WRITE | BLK_PERM_RESIZE);
+ } else {
+ /* We want consistent read from backing files if the parent needs it.
+ * No other operations are performed on backing files. */
+ perm &= BLK_PERM_CONSISTENT_READ;
+
+ /* If the parent can deal with changing data, we're okay with a
+ * writable and resizable backing file. */
+ /* TODO Require !(perm & BLK_PERM_CONSISTENT_READ), too? */
+ if (shared & BLK_PERM_WRITE) {
+ shared = BLK_PERM_WRITE | BLK_PERM_RESIZE;
+ } else {
+ shared = 0;
+ }
+
+ shared |= BLK_PERM_CONSISTENT_READ | BLK_PERM_GRAPH_MOD |
+ BLK_PERM_WRITE_UNCHANGED;
+ }
+
+ *nperm = perm;
+ *nshared = shared;
+}
+
+static void bdrv_replace_child_noperm(BdrvChild *child,
+ BlockDriverState *new_bs)