Re: [libvirt] [PATCH] qemu: Label master key file

On 04/13/2016 11:17 AM, Martin Kletzander wrote: > When creating the master key, we used mode 0600 (which we should) but > because we were creating it as root, the file is not readable by any > qemu running as non-root. Fortunately, it's just a matter of labelling > the file. We are generating the file path few times already, so let's > label it in the same function that has access to the path already. > > Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com&gt; > --- > src/qemu/qemu_domain.c | 15 ++++++++++++--- > src/qemu/qemu_domain.h | 3 ++- > src/qemu/qemu_process.c | 2 +- > 3 files changed, 15 insertions(+), 5 deletions(-) > ACK, makes sense and fixes things for me. One comment below > diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c > index 5d54fffcfb98..83e765ef6868 100644 > --- a/src/qemu/qemu_domain.c > +++ b/src/qemu/qemu_domain.c > @@ -504,11 +504,13 @@ qemuDomainGetMasterKeyFilePath(const char *libDir) > * Returns 0 on success, -1 on failure with error message indicating failure > */ > static int > -qemuDomainWriteMasterKeyFile(qemuDomainObjPrivatePtr priv) > +qemuDomainWriteMasterKeyFile(virQEMUDriverPtr driver, > + virDomainObjPtr vm) > { > char *path; > int fd = -1; > int ret = -1; > + qemuDomainObjPrivatePtr priv = vm->privateData; > > if (!(path = qemuDomainGetMasterKeyFilePath(priv->libDir))) > return -1; > @@ -525,6 +527,10 @@ qemuDomainWriteMasterKeyFile(qemuDomainObjPrivatePtr priv) > goto cleanup; > } > > + if (virSecurityManagerDomainSetDirLabel(driver->securityManager, > + vm->def, path) < 0) > + goto cleanup; > + > ret = 0; > I looked briefly at fixing this but know if there was a function to ask the security driver 'just set a on this arbitrary path'. I saw DirLabel but was thrown off by the 'Dir' name. Maybe change it to something more generic?