On 02/12/2013 01:15 PM, Laine Stump wrote: > virCommand was previously calling virSetUIDGID() to change the uid and > gid of the child process, then separately calling > virSetCapabilities(). This did not work if the desired uid was != 0, > since a setuid to anything other than 0 normally clears all > capabilities bits. > > The solution is to use the new virSetUIDGIDWithCaps(), sending it the > uid, gid, and capabilities bits. This will get the new process setup > properly. > > Since the static functions virSetCapabilities() and > virClearCapabilities are no longer called, they have been removed. > > NOTE: When combined with "filecap $path-to-qemu sys_rawio", this patch > will make CAP_SYS_RAWIO (which is required for passthrough of generic > scsi commands to a guest - see commits e8daeeb, 177db08, 397e6a7, and > 74e0349) be retained by qemu when necessary. Apparently that > capability has been broken for non-root qemu every since it was s/every/ever/ > originally added. > --- > Change from V1: s/todo/to do/ in comment > > I didn't do anything about issuing a warning if CAPNG isn't present, > because we previously haven't done that, and I think it would clutter > the log terribly on any platform that didn't have libcapng. Fair enough. Maybe if there were a way to do a one-shot logging it might be helpful; but as there is no change in logging behavior (not logging either before or after this patch), that could be deferred to a later patch if we ever want it. ACK. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list