Re: [PATCH] security_dac: compute supplemental groups before fork

On 07/15/2013 06:14 AM, Daniel P. Berrange wrote:
> On Fri, Jul 12, 2013 at 03:13:48PM -0600, Eric Blake wrote:
>> @@ -146,8 +149,12 @@ virSecurityManagerPtr virSecurityManagerNewDAC(const char *virtDriver,
>>      if (!mgr)
>>          return NULL;
>>
>> -    virSecurityDACSetUser(mgr, user);
>> -    virSecurityDACSetGroup(mgr, group);
>> +    if ((ngroups = virGetGroupList(user, group, &groups)) < 0) {
>> +        virObjectUnref(mgr);
>> +        return NULL;
>> +    }
>> +
>> +    virSecurityDACSetUIDGID(mgr, user, group, groups, ngroups);
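Review bot: ownership of the array returned by virGetGroupList is left unsettled in this hunk: after `virSecurityDACSetUIDGID(mgr, user, group, groups, ngroups);` nothing frees groups and nothing states whether the manager copies the list or keeps the pointer, so either free it after the call or add a comment on the setter saying it takes ownership, and make sure the manager's dispose path releases it in the latter case. Also note that virSecurityManagerNewDAC runs once at daemon start, so the list computed here is frozen for the daemon's lifetime; doing the probe in a pre-fork hook instead keeps the same fork/exec safety while picking up later edits to the group database.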
> 
> Hmm, the virSecurityManagerNewDAC method is run once at libvirtd startup.
> Previously if you edited /etc/group to change a user's groups it would
> take effect the very next time a VM is started. With this change, it will
> only take effect if libvirtd is restarted, which is a regression in
> behaviour.

But we still want to avoid the deadlock possible when probing the group
database between fork and exec.  I guess that means I need to change
virSecurityManagerPreFork() to be the entry point where we probe
supplemental groups, so that the probe is done as late as possible
before the fork (and thus picks up the latest /etc changes).  I'll try
that for a v2.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

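The pattern discussed in this thread (resolve the supplemental group list in the parent before fork, then use only async-signal-safe calls in the child before exec) as an added example in C. This is illustration code, not libvirt's own; probe_groups, spawn_as, drop_to and the /bin/sh path used in main are this example's assumptions.

```c
/* Added example: compute supplemental groups pre-fork, apply them post-fork.
 * Not libvirt code; function names and /bin/sh are this example's assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pre-fork step: resolve the supplemental group list with getgrouplist(3).
 * This walks NSS (/etc/group, LDAP, sssd, ...) and may allocate or take
 * library locks, so it must run before fork(), never between fork and exec.
 * Returns the group count (>= 1, the primary gid is always included) or -1. */
int probe_groups(const char *user, gid_t primary, gid_t **out)
{
    int cap = 16;
    gid_t *list = malloc((size_t)cap * sizeof(*list));
    if (!list)
        return -1;
    for (;;) {
        int n = cap;
        if (getgrouplist(user, primary, list, &n) != -1) {
            *out = list;
            return n;
        }
        /* glibc stores the required count in n; grow to at least that */
        cap = n > cap ? n : cap * 2;
        gid_t *tmp = realloc(list, (size_t)cap * sizeof(*list));
        if (!tmp) {
            free(list);
            return -1;
        }
        list = tmp;
    }
}

int groups_contain(const gid_t *list, int n, gid_t gid)
{
    for (int i = 0; i < n; i++)
        if (list[i] == gid)
            return 1;
    return 0;
}

/* Post-fork step: only direct syscalls here (setgroups, setgid, setuid,
 * _exit). The parent may be multithreaded, and another thread could hold
 * an NSS or malloc lock at the instant of fork(), which is the deadlock
 * that probing the group database in the child would risk. */
static void drop_to(uid_t uid, gid_t gid, const gid_t *groups, int ngroups)
{
    if (setgroups((size_t)ngroups, groups) < 0 ||
        setgid(gid) < 0 || setuid(uid) < 0)
        _exit(126);
}

/* Spawn argv as uid/gid with the precomputed group list; returns the
 * child's exit status or -1. The id change is skipped when not running as
 * root, because setgroups() would fail with EPERM. */
int spawn_as(const char *user, uid_t uid, gid_t gid, char *const argv[])
{
    gid_t *groups = NULL;
    int ngroups = probe_groups(user, gid, &groups);   /* before fork */
    if (ngroups < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        free(groups);
        return -1;
    }
    if (pid == 0) {
        if (geteuid() == 0)
            drop_to(uid, gid, groups, ngroups);       /* after fork */
        execv(argv[0], argv);
        _exit(127);
    }
    free(groups);
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "nobody";   /* assumed account */
    struct passwd *pw = getpwnam(user);                 /* also pre-fork */
    if (!pw) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    char *const cmd[] = { "/bin/sh", "-c", "id -G", NULL };
    int rc = spawn_as(user, pw->pw_uid, pw->pw_gid, cmd);
    printf("child exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Run as root it prints the child's groups as seen by `id -G`; as an unprivileged user it only demonstrates the ordering. The point is the split: every lookup (getpwnam, getgrouplist) happens in the parent, and the child touches nothing but raw syscalls, so a lock held by another thread at fork time cannot wedge it.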

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
