On 02/07/2014 10:53 AM, Peter Krempa wrote:
> The code took into account only the global permissions. The domains now
> support per-vm DAC lables and per-image DAC labels. Use the most
s/lables/labels/
> specific label available.
> ---
> src/qemu/qemu_domain.c | 35 +++++++++++++++++++++++++++++++++--
> src/qemu/qemu_domain.h | 1 +
> src/qemu/qemu_driver.c | 8 ++++----
> src/qemu/qemu_hotplug.c | 2 +-
> src/qemu/qemu_process.c | 2 +-
> 5 files changed, 40 insertions(+), 8 deletions(-)
> +static void
> +qemuDomainGetImageIds(virQEMUDriverConfigPtr cfg,
> + virDomainObjPtr vm,
> + virDomainDiskDefPtr disk,
> + uid_t *uid, gid_t *gid)
> +{
> + virSecurityLabelDefPtr vmlabel;
> + virSecurityDeviceLabelDefPtr disklabel;
Here, I'd add:
if (uid)
*uid = -1;
if (gid)
*gid = -1;
> +
> + if (cfg) {
> + if (uid)
> + *uid = cfg->user;
> +
> + if (gid)
> + *gid = cfg->group;
> + }
> +
> + if (vm && (vmlabel = virDomainDefGetSecurityLabelDef(vm->def, "dac")))
> + virParseOwnershipIds(vmlabel->label, uid, gid);
> +
> + if ((disklabel = virDomainDiskDefGetSecurityLabelDef(disk, "dac")))
> + virParseOwnershipIds(disklabel->label, uid, gid);
since all three of these more-specific overrides could all be missing,
but ideally, you want to guarantee that we picked the best-possible
uid/gid by the end of this method.
ACK with that fixed - it means that all disks are now being opened by
the same credentials as what we tell qemu to open with.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list