Re: [PATCH 2/2] Set labelling for character devices in security drivers

"Daniel P. Berrange" <berrange@xxxxxxxxxx> · Fri, 25 Jun 2010 14:53:49 +0100



On Thu, Jun 24, 2010 at 06:36:36PM +0200, Matthias Bolte wrote:
> 2010/6/24 Daniel P. Berrange <berrange@xxxxxxxxxx>:
> > When configuring serial, parallel, console or channel devices
> > with a file, dev or pipe backend type, it is neccessary to label
> > the file path in the security drivers. For char devices of type
> > file, it is neccessary to pre-create (touch) the file if it does
> > not already exist since QEMU won't be allowed todo so itself.
> > dev/pipe configs already require the admin to pre-create before
> > starting the guest.
> 
> Two typos: s/neccessary/necessary
> 
> > * src/qemu/qemu_security_dac.c: set file ownership for character
> >  devices
> > * src/security/security_selinux.c: Set file labelling for character
> 
> Another typo: s/labelling/labeling
> 
> >  devices
> > * src/qemu/qemu_driver.c: Add character devices to cgroup ACL
> > ---
> >  src/qemu/qemu_driver.c          |   59 +++++++++++++++++++
> >  src/qemu/qemu_security_dac.c    |  117 ++++++++++++++++++++++++++++++++++++++
> >  src/security/security_selinux.c |  119 +++++++++++++++++++++++++++++++++++++++
> >  src/util/cgroup.c               |    2 +-
> >  4 files changed, 296 insertions(+), 1 deletions(-)
> >
> > diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
> > index a7b3f25..6274d4c 100644
> > --- a/src/qemu/qemu_driver.c
> > +++ b/src/qemu/qemu_driver.c
> > @@ -2950,6 +2950,28 @@ qemuPrepareHostDevices(struct qemud_driver *driver,
> >  }
> >
> >
> > +static int
> > +qemuPrepareChardevDevice(virDomainDefPtr def ATTRIBUTE_UNUSED,
> > +                         virDomainChrDefPtr dev,
> > +                         void *opaque ATTRIBUTE_UNUSED)
> > +{
> > +    int fd;
> > +    if (dev->type != VIR_DOMAIN_CHR_TYPE_FILE)
> > +        return 0;
> > +
> > +    if ((fd = open(dev->data.file.path, O_CREAT | O_APPEND, S_IRUSR|S_IWUSR)) < 0) {
> > +        virReportSystemError(errno,
> > +                             _("Unable to pre-create chardev file %s"),
> 
> Maybe use '%s' here instead of plain %s.

Yep, added this and the others


Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list