This patch revises qemuProcessStart() function for qemu processes to retain CAP_SYS_RAWIO if needed. And in case of that, add taint flag to domain.

Signed-off-by: Taku Izumi <izumi.taku@xxxxxxxxxxxxxx>
Signed-off-by: Shota Hirae <m11g1401@xxxxxxxxxxxxxx>
---
 src/qemu/qemu_domain.c  | 3 +++
 src/qemu/qemu_process.c | 8 ++++++++
 2 files changed, 11 insertions(+)

Index: libvirt/src/qemu/qemu_process.c
===================================================================
--- libvirt.orig/src/qemu/qemu_process.c
+++ libvirt/src/qemu/qemu_process.c
@@ -27,6 +27,7 @@
 #include <sys/stat.h>
 #include <sys/time.h>
 #include <sys/resource.h>
+#include <linux/capability.h>
 
 #include "qemu_process.h"
 #include "qemu_domain.h"
@@ -3083,6 +3084,7 @@ int qemuProcessStart(virConnectPtr conn,
     virCommandPtr cmd = NULL;
     struct qemuProcessHookData hookData;
     unsigned long cur_balloon;
+    int i;
 
     hookData.conn = conn;
     hookData.vm = vm;
@@ -3335,6 +3337,12 @@ int qemuProcessStart(virConnectPtr conn,
     if (driver->clearEmulatorCapabilities)
         virCommandClearCaps(cmd);
 
+    /* in case a certain disk is desirous of CAP_SYS_RAWIO, add this */
+    for (i = 0; i < vm->def->ndisks; i++) {
+        if (vm->def->disks[i]->rawio == 1)
+            virCommandAllowCap(cmd, CAP_SYS_RAWIO);
+    }
+
     virCommandSetPreExecHook(cmd, qemuProcessHook, &hookData);
     virCommandSetOutputFD(cmd, &logfile);
Index: libvirt/src/qemu/qemu_domain.c
===================================================================
--- libvirt.orig/src/qemu/qemu_domain.c
+++ libvirt/src/qemu/qemu_domain.c
@@ -1259,6 +1259,9 @@ void qemuDomainObjCheckDiskTaint(struct
     if (!disk->driverType && driver->allowDiskFormatProbing)
         qemuDomainObjTaint(driver, obj, VIR_DOMAIN_TAINT_DISK_PROBING, logFD);
+
+    if (disk->rawio)
+        qemuDomainObjTaint(driver, obj, VIR_DOMAIN_TAINT_HIGH_PRIVILEGES, logFD);
 }
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
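Review bot: The new `#include <linux/capability.h>` in the first qemu_process.c hunk is unconditional, so the file no longer compiles on the non-Linux hosts this source tree is otherwise built for. Wrap it as `#if defined(__linux__)` / `# include <linux/capability.h>` / `#endif`, and in the later qemuProcessStart hunk guard the `virCommandAllowCap(cmd, CAP_SYS_RAWIO);` call with `#ifdef CAP_SYS_RAWIO`, reporting a rawio disk as unsupported in the `#else` branch rather than silently starting the domain without the capability it asked for. That way a configuration that requests raw I/O is either honoured or refused, never quietly downgraded.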
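Review bot: The loop in the qemuProcessStart hunk tests `vm->def->disks[i]->rawio == 1`, while the qemu_domain.c hunk taints on `disk->rawio` being non-zero; if the field can ever hold another non-zero value, such a domain would be marked HIGH_PRIVILEGES without actually being granted the capability, so use one predicate in both places, e.g. `if (vm->def->disks[i]->rawio)`. The comment on the loop should also state what a reader auditing privileges needs: `/* A rawio disk needs CAP_SYS_RAWIO; the capability stays with the whole emulator process for its lifetime, which is why qemuDomainObjCheckDiskTaint marks such domains HIGH_PRIVILEGES */`. Whether `virCommandAllowCap` has any effect when `driver->clearEmulatorCapabilities` is false is not visible here and is worth a sentence in that comment once confirmed. qemuProcessStart begins and ends outside the hunk.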