Re: [PATCH 7/7] security: fix deadlock with prefork

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 07/23/2013 11:04 AM, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=964358
> 
> Attempts to start a domain with both SELinux and DAC security
> modules loaded will deadlock; latent problem introduced in commit
> fdb3bde and exposed in commit 29fe5d7.  Basically, when recursing
> into the security manager for other driver's prefork, we have to
> undo the asymmetric lock taken at the manager level.
> 
> Reported by Jiri Denemark, with diagnosis help from Dan Berrange.
> 
> * src/security/security_stack.c (virSecurityStackPreFork): Undo
> extra lock grabbed during recursion.
> 
> Signed-off-by: Eric Blake <eblake@xxxxxxxxxx>
> (cherry picked from commit bfc183c1e377b24cebf5cede4c00f3dc0d1b3486)
> ---
>  src/security/security_stack.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/src/security/security_stack.c b/src/security/security_stack.c
> index e8133c4..38fe8b5 100644
> --- a/src/security/security_stack.c
> +++ b/src/security/security_stack.c
> @@ -129,6 +129,11 @@ virSecurityStackPreFork(virSecurityManagerPtr mgr)
>              rc = -1;
>              break;
>          }
> +        /* Undo the unbalanced locking left behind after recursion; if
> +         * PostFork ever delegates to driver callbacks, we'd instead
> +         * need to recurse to an internal method that does not regrab
> +         * a lock. */
> +        virSecurityManagerPostFork(item->securityManager);
>      }
> 
>      return rc;
> 

ACK

- Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]