Re: [PATCH 5/7] security: framework for driver PreFork handler

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/23/2013 11:03 AM, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=964358
> 
> A future patch wants the DAC security manager to be able to safely
> get the supplemental group list for a given uid, but at the time
> of a fork rather than during initialization so as to pick up on
> live changes to the system's group database.  This patch adds the
> framework, including the possibility of a pre-fork callback
> failing.
> 
> For now, any driver that implements a prefork callback must be
> robust against the possibility of being part of a security stack
> where a later element in the chain fails prefork.  This means
> that drivers cannot do any action that requires a call to postfork
> for proper cleanup (no grabbing a mutex, for example).  If this
> is too prohibitive in the future, we would have to switch to a
> transactioning sequence, where each driver has (up to) 3 callbacks:
> PreForkPrepare, PreForkCommit, and PreForkAbort, to either clean
> up or commit changes made during prepare.
> 
> * src/security/security_driver.h (virSecurityDriverPreFork): New
> callback.
> * src/security/security_manager.h (virSecurityManagerPreFork):
> Change signature.
> * src/security/security_manager.c (virSecurityManagerPreFork):
> Optionally call into driver, and allow returning failure.
> * src/security/security_stack.c (virSecurityDriverStack):
> Wrap the handler for the stack driver.
> * src/qemu/qemu_process.c (qemuProcessStart): Adjust caller.
> 
> Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
> (cherry picked from commit fdb3bde31ccf8ff172abf00ef5aa974b87af2794)
> 
> Conflicts:
> 	src/security/security_manager.c - context from previous backport differences

ACK

- Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]