Re: [PATCH] qemu: Label uniqDir when probing capabilities

On Fri, Apr 12, 2019 at 02:45:32PM +0100, Daniel P. Berrangé wrote:
On Fri, Apr 12, 2019 at 03:32:21PM +0200, Martin Kletzander wrote:
This does not cause a problem in usual scenarios thanks to us allowing
CAP_DAC_OVERRIDE for the qemu process, however in some scenarios this might be
an issue because the directory is created with mkdtemp(3) which explicitly
creates that with 0700 permissions and qemu running as non-root cannot access
that.

The scenarios include:
 - Builds without CAPNG

This makes sense, since we're unable to give QEMU CAP_DAC_OVERRIDE

 - Running libvirtd in a container [1]

I'm rather puzzled why this is a problem unless libvirtd itself
lacks permissions to give CAP_DAC_OVERRIDE, but if that was the
case I would have expected an error from capng when trying to
grant it.

 - and possibly others.

[1] https://github.com/kubevirt/kubevirt/pull/2181#issuecomment-481840304

Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
---
 src/qemu/qemu_process.c | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 47d8ca2ff163..2e2c4812fef7 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -8447,6 +8447,19 @@ qemuProcessQMPNew(const char *binary,
 }


+static int
+qemuProcessQEMULabelUniqPath(qemuProcessQMPPtr proc) {
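
Review bot: The new static helper `qemuProcessQEMULabelUniqPath` has no comment ahead of its definition saying what it labels or what its int return value means. The commit message explains that the mkdtemp(3) directory is created 0700 and is unreachable for a non-root qemu without CAP_DAC_OVERRIDE, and a short comment stating that at the function would keep the reason next to the code. The `QEMU` infix also differs from the neighbouring `qemuProcessQMPNew` even though the helper takes a `qemuProcessQMPPtr`, so consider a `qemuProcessQMP...` name for consistency.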

The bracket spacing is fixed locally in my branch and will be pushed as part of
this commit if this gets reviewed.
