On Fri, Nov 09, 2018 at 19:39:37 -0500, John Ferlan wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=1631622 > > If polkit authentication is enabled, an attempt to open > the connection failed during virAccessDriverPolkitGetCaller > when the call to virIdentityGetCurrent returned NULL resulting > in the errors: > > virAccessDriverPolkitGetCaller:87 : access denied from: > Policy kit denied action org.libvirt.api.connect.getattr from <anonymous> > > virAccessManagerSanitizeError:204 : access denied from: nwfilter > > Because qemuProcessReconnect runs in a thread during > daemonRunStateInit processing it doesn't have the thread > local identity. Thus when the virGetConnectNWFilter is > called as part of the qemuProcessFiltersInstantiate when > virDomainConfNWFilterInstantiate is run the attempt to get > the idenity fails and results in the anonymous error above. > > To fix this, let's grab/use the virIdenityPtr of the process > that will be creating the thread, e.g. what daemonRunStateInit > has set and use that for our thread. That way any other similar > processing that uses/requires an identity for any other call > that would have previously been successfully run won't fail in > a similar manner. > > Signed-off-by: John Ferlan <jferlan@xxxxxxxxxx> > --- > src/qemu/qemu_process.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c > index 06a65b44e4..93f6a2279a 100644 > --- a/src/qemu/qemu_process.c > +++ b/src/qemu/qemu_process.c > @@ -81,6 +81,7 @@ > #include "netdev_bandwidth_conf.h" > #include "virresctrl.h" > #include "virvsock.h" > +#include "viridentity.h" > > #define VIR_FROM_THIS VIR_FROM_QEMU > > @@ -7716,6 +7717,7 @@ qemuProcessRefreshCPU(virQEMUDriverPtr driver, > struct qemuProcessReconnectData { > virQEMUDriverPtr driver; > virDomainObjPtr obj; > + virIdentityPtr identity; > }; > /* > * Open an existing VM's monitor, re-detect VCPU threads > @@ -7753,6 +7755,7 @@ qemuProcessReconnect(void *opaque) > bool retry = true; > bool tryMonReconn = false; > > + virIdentitySetCurrent(data->identity); This takes it's own reference to the identity. The reference in data->identity is then leaked. > VIR_FREE(data); > > qemuDomainObjRestoreJob(obj, &oldjob); > @@ -7979,6 +7982,7 @@ qemuProcessReconnect(void *opaque) > virObjectUnref(cfg); > virObjectUnref(caps); > virNWFilterUnlockFilterUpdates(); > + virIdentitySetCurrent(NULL); > return; > > error: > @@ -8022,6 +8026,7 @@ qemuProcessReconnectHelper(virDomainObjPtr obj, > > memcpy(data, src, sizeof(*data)); > data->obj = obj; > + data->identity = virIdentityGetCurrent(); In addition to the leak from the thread, the reference is also leaked if the thread creation fails.
Attachment:
signature.asc
Description: PGP signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
