On Wed, Dec 07, 2016 at 09:36:22AM +0100, Michal Privoznik wrote: > Instead of trying to fix our security drivers, we can use a > simple trick to relabel paths in both namespace and the host. > I mean, if we enter the namespace some paths are still shared > with the host so any change done to them is visible from the host > too. > Therefore, we can just enter the namespace and call > SetAllLabel()/RestoreAllLabel() from there. Yes, it has slight > overhead because we have to fork in order to enter the namespace. > But on the other hand, no complexity is added to our code. > > Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > --- > src/Makefile.am | 3 +- > src/qemu/qemu_process.c | 15 +++--- > src/qemu/qemu_security.c | 132 +++++++++++++++++++++++++++++++++++++++++++++++ > src/qemu/qemu_security.h | 39 ++++++++++++++ > 4 files changed, 181 insertions(+), 8 deletions(-) > create mode 100644 src/qemu/qemu_security.c > create mode 100644 src/qemu/qemu_security.h ACK Regards, Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://entangle-photo.org -o- http://search.cpan.org/~danberr/ :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
