On Fri, Apr 12, 2019 at 03:32:21PM +0200, Martin Kletzander wrote: > This does not cause a problem in usual scenarios thanks to us allowing > CAP_DAC_OVERRIDE for the qemu process, however in some scenarios this might be > an issue because the directory is created with mkdtemp(3) which explicitly > creates that with 0700 permissions and qemu running as non-root cannot access > that. > > The scenarios include: > - Builds without CAPNG > - Running libvirtd in a container [1] s/in a container/in certain container configurations/ since I'm sceptical this is todo with containers in general, as opposed to some configuration choice of the container used by kubevirt. > - and possibly others. > > [1] https://github.com/kubevirt/kubevirt/pull/2181#issuecomment-481840304 > > Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx> > --- > src/qemu/qemu_process.c | 16 ++++++++++++++++ > 1 file changed, 16 insertions(+) Reviewed-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> > > diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c > index 47d8ca2ff163..2e2c4812fef7 100644 > --- a/src/qemu/qemu_process.c > +++ b/src/qemu/qemu_process.c > @@ -8447,6 +8447,19 @@ qemuProcessQMPNew(const char *binary, > } > > > +static int > +qemuProcessQEMULabelUniqPath(qemuProcessQMPPtr proc) { > + /* We cannot use the security driver here, but we should not need to. */ > + if (chown(proc->uniqDir, proc->runUid, -1) < 0) { > + virReportSystemError(errno, > + "Cannot chown uniq path: %s", proc->uniqDir); > + return -1; > + } > + > + return 0; > +} > + > + > static int > qemuProcessQMPInit(qemuProcessQMPPtr proc) > { > @@ -8466,6 +8479,9 @@ qemuProcessQMPInit(qemuProcessQMPPtr proc) > goto cleanup; > } > > + if (qemuProcessQEMULabelUniqPath(proc) < 0) > + goto cleanup; > + > if (virAsprintf(&proc->monpath, "%s/%s", proc->uniqDir, > "qmp.monitor") < 0) > goto cleanup; > -- > 2.21.0 > > -- > libvir-list mailing list > libvir-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/libvir-list Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
