On 07/23/2013 11:03 AM, Eric Blake wrote: > https://bugzilla.redhat.com/show_bug.cgi?id=964358 > > Commit 75c1256 states that virGetGroupList must not be called > between fork and exec, then commit ee777e99 promptly violated > that for lxc's use of virSecurityManagerSetProcessLabel. Hoist > the supplemental group detection to the time that the security > manager needs to fork. Qemu is safe, as it uses > virSecurityManagerSetChildProcessLabel which in turn uses > virCommand to determine supplemental groups. > > This does not fix the fact that virSecurityManagerSetProcessLabel > calls virSecurityDACParseIds calls parseIds which eventually > calls getpwnam_r, which also violates fork/exec async-signal-safe > safety rules, but so far no one has complained of hitting > deadlock in that case. > > * src/security/security_dac.c (_virSecurityDACData): Track groups > in private data. > (virSecurityDACPreFork): New function, to set them. > (virSecurityDACClose): Clean up new fields. > (virSecurityDACGetIds): Alter signature. > (virSecurityDACSetSecurityHostdevLabelHelper) > (virSecurityDACSetChardevLabel, virSecurityDACSetProcessLabel) > (virSecurityDACSetChildProcessLabel): Update callers. > > Signed-off-by: Eric Blake <eblake@xxxxxxxxxx> > (cherry picked from commit 29fe5d745fbe207ec2415441d4807ae76be05974) > > Conflicts: > src/security/security_dac.c - virSecurityDACSetSecurityUSBLabel needed similar treatment; no virSecurityDACSetChildPrcessLabel ACK - Cole -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list