Re: [PATCH v1 05/21] virfile: Introduce ACL helpers

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Dec 05, 2016 at 02:56:12PM +0100, Michal Privoznik wrote:
> On 05.12.2016 13:36, Daniel P. Berrange wrote:
> > On Thu, Nov 24, 2016 at 03:47:54PM +0100, Michal Privoznik wrote:
> >> Namely, virFileGetACLs, virFileSetACLs, virFileFreeACLs and
> >> virFileCopyACLs. These functions are going to be required when we
> >> are creating /dev for qemu. We have copy anything that's in
> >> host's /dev exactly as is. Including ACLs.
> > 
> > Do we really ?
> > 
> > IIUC, udev uses ACLs on /dev in order to grant end users in the desktop
> > session permission on certain device nodes, without chowning the whole
> > device.
> > 
> > The device nodes in our private /dev only need to be accessible to the
> > QEMU process we're about to run.
> > 
> > So neither existing ownership, group, permissions, nor ACLs matter at
> > all. Our security driver code will chown/grp the device to grant
> > QEMU access and that's all that's needed AFAICT.
> > 
> > What am I missing that requires us to preserve ACLs ?
> 
> Admins may set ACLs on say /dev/sdb to grant access to some users and
> then use relabel='no' in domain XMLs so that libvirt doesn't mess it up.
> If we want to honour no-relabel flag we must create the device exactly
> as is.

Ah ha. I totally forgot about the no-relabel case.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]
  Powered by Linux