On Mon, Feb 08, 2010 at 11:05:50AM -0600, Jamie Strandboge wrote:
> The calls to virExec() in security_apparmor.c when invoking
> virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without libcap-ng,
> this is not a problem (it's effectively a no-op) but with libcap-ng this
> causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by virt-aa-helper to
> manipulate apparmor profiles and without it VMs will not start[1]. This
> patch calls virExec with the default VIR_EXEC_NONE instead.
>
> [1] https://bugs.launchpad.net/ubuntu/+source/libvirt/+bug/517714
>
> --
> Jamie Strandboge | http://www.canonical.com
> Author: Jamie Strandboge <jamie@xxxxxxxxxx>
> Description: Don't clear capabilities when calling virt-aa-helper. When built
> with libcap-ng, clearing caps makes virt-aa-helper lose MAC_ADMIN, which is
> (obviously) needed by apparmor_parser. This restores libcap-ng behavior to
> what it was when not built with libcap-ng.
> diff -Nur libvirt-0.7.5/src/security/security_apparmor.c libvirt-0.7.5.new/src/security/security_apparmor.c
> --- libvirt-0.7.5/src/security/security_apparmor.c 2009-12-22 03:37:57.000000000 -0600
> +++ libvirt-0.7.5.new/src/security/security_apparmor.c 2010-02-05 16:32:53.588796032 -0600
> @@ -174,19 +174,19 @@ > VIRT_AA_HELPER, "-c", "-u", profile, NULL > }; > ret = virExec(conn, argv, NULL, NULL, &child, > - pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); > + pipefd[0], NULL, NULL, VIR_EXEC_NONE); > } else if (disk && disk->src) { > const char *const argv[] = { > VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL > }; > ret = virExec(conn, argv, NULL, NULL, &child, > - pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); > + pipefd[0], NULL, NULL, VIR_EXEC_NONE); > } else { > const char *const argv[] = { > VIRT_AA_HELPER, "-r", "-u", profile, NULL > }; > ret = virExec(conn, argv, NULL, NULL, &child, > - pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); > + pipefd[0], NULL, NULL, VIR_EXEC_NONE); > } > if (ret < 0) > goto clean; ACK, though it'd be nice to make this use virExecHook and provide a hook that drops all the capabilities it does not need. eg everything except for MAC_ADMIN ? If it needs CAP_SYS_ADMIN though it wouldn't be worthwhile Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :| -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
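Review bot: switching all three virExec() calls in this hunk from VIR_EXEC_CLEAR_CAPS to VIR_EXEC_NONE stops clearing capabilities entirely, so virt-aa-helper keeps whatever set the calling libvirtd holds rather than just the MAC_ADMIN the description says it needs; the narrower fix is to keep the clearing and go through virExecHook with a pre-exec hook that retains only CAP_MAC_ADMIN. The three branches differ only in argv, so the flag (and the pipefd/child plumbing) is now duplicated three times; selecting argv in the if/else and issuing one virExec() below it would keep the flag in a single place. The patch description should also say that the helper now runs with libvirtd's full capability set, since "Don't clear capabilities" on its own does not convey the trade-off.

An added example of the hook Daniel describes, not libvirt code and not libvirt's virExecHook signature: a pre-exec routine that drops every capability except CAP_MAC_ADMIN before the helper is exec'd. It is written against the raw capget/capset syscalls so it builds without libcap-ng (a libvirt implementation would use the capng_* API instead); the function names, the keep-list and the post-condition check are the example's own. It accepts a list rather than a single capability, so adding CAP_SYS_ADMIN, the case Daniel flags as making the exercise less worthwhile, is a one-line change in the caller.

```c
/*
 * Added example (not libvirt code): keep only the listed capabilities
 * in the calling thread, as a pre-exec hook for virt-aa-helper would.
 * Uses raw capget/capset so it builds without libcap-ng; a libvirt
 * version would use capng_clear/capng_update/capng_apply instead.
 */
#include <errno.h>
#include <linux/capability.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

long syscall(long number, ...);   /* glibc declares this; repeated for strict -std modes */

typedef uint64_t capmask_t;       /* one bit per capability number */

static capmask_t pack(uint32_t lo, uint32_t hi)
{
    return ((capmask_t)hi << 32) | lo;
}

/* Build the mask of capabilities the child is allowed to keep. */
capmask_t cap_keep_mask(const int *caps, size_t n)
{
    capmask_t m = 0;
    for (size_t i = 0; i < n; i++)
        if (caps[i] >= 0 && caps[i] < 64)
            m |= (capmask_t)1 << caps[i];
    return m;
}

/* Read the calling thread's effective, permitted and inheritable sets.
 * Returns 0, or -errno if capget() failed. */
int cap_get_sets(capmask_t *eff, capmask_t *perm, capmask_t *inh)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) < 0)
        return -errno;
    *eff  = pack(data[0].effective,   data[1].effective);
    *perm = pack(data[0].permitted,   data[1].permitted);
    *inh  = pack(data[0].inheritable, data[1].inheritable);
    return 0;
}

/* Drop every capability not in `keep` from all three sets.
 * capset() cannot add capabilities, so the new permitted set is
 * (current permitted & keep): for a privileged libvirtd this leaves just
 * the kept bits, and for an unprivileged caller it leaves an empty set,
 * which makes the hook safe to run unconditionally. The bounding set is
 * left alone; drop it too (PR_CAPBSET_DROP) if the helper could regain
 * capabilities through file capabilities or setuid. Returns 0 or -errno. */
int cap_drop_all_but(capmask_t keep)
{
    capmask_t eff, perm, inh;
    int rc = cap_get_sets(&eff, &perm, &inh);
    if (rc)
        return rc;
    capmask_t newperm = perm & keep;
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    memset(data, 0, sizeof data);
    data[0].permitted = (uint32_t)newperm;
    data[1].permitted = (uint32_t)(newperm >> 32);
    data[0].effective = data[0].permitted;   /* effective must be a subset of permitted */
    data[1].effective = data[1].permitted;
    /* inheritable stays 0: nothing is passed on to the helper's own children */
    if (syscall(SYS_capset, &hdr, data) < 0)
        return -errno;
    return 0;
}

/* Post-condition check: 1 if no set holds a bit outside `keep`, 0 if one
 * does, -errno if the sets could not be read. */
int cap_only_within(capmask_t keep)
{
    capmask_t eff, perm, inh;
    int rc = cap_get_sets(&eff, &perm, &inh);
    if (rc)
        return rc;
    return ((eff | perm | inh) & ~keep) == 0;
}

/* What the hook would do just before exec'ing virt-aa-helper: keep only
 * CAP_MAC_ADMIN (append CAP_SYS_ADMIN here if the helper needs it). This
 * stand-alone main just reports the resulting sets instead of exec'ing. */
int main(void)
{
    const int keep[] = { CAP_MAC_ADMIN };
    capmask_t mask = cap_keep_mask(keep, sizeof keep / sizeof keep[0]);
    int rc = cap_drop_all_but(mask);
    if (rc) {
        fprintf(stderr, "capset failed: %s\n", strerror(-rc));
        return 1;
    }
    capmask_t eff, perm, inh;
    if (cap_get_sets(&eff, &perm, &inh) == 0)
        printf("after drop: eff=%#llx perm=%#llx inh=%#llx (kept %#llx)\n",
               (unsigned long long)eff, (unsigned long long)perm,
               (unsigned long long)inh, (unsigned long long)mask);
    return cap_only_within(mask) == 1 ? 0 : 1;
}
```

Run as root to see only bit 33 (CAP_MAC_ADMIN) survive in the effective and permitted sets; run unprivileged and all three sets come out empty, which is the point of intersecting with the current permitted set rather than writing the keep mask directly.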