Re: [libvirt] [PATCH] qemu: Use correct permissions when determining the image chain
On 02/07/2014 10:53 AM, Peter Krempa wrote:
The code took into account only the global permissions. The domains
now
support per-vm DAC lables and per-image DAC labels. Use the most
s/lables/labels/
specific label available.
---
src/qemu/qemu_domain.c | 35 +++++++++++++++++++++++++++++++++--
src/qemu/qemu_domain.h | 1 +
src/qemu/qemu_driver.c | 8 ++++----
src/qemu/qemu_hotplug.c | 2 +-
src/qemu/qemu_process.c | 2 +-
5 files changed, 40 insertions(+), 8 deletions(-)
+static void
+qemuDomainGetImageIds(virQEMUDriverConfigPtr cfg,
+ virDomainObjPtr vm,
+ virDomainDiskDefPtr disk,
+ uid_t *uid, gid_t *gid)
+{
+ virSecurityLabelDefPtr vmlabel;
+ virSecurityDeviceLabelDefPtr disklabel;
Here, I'd add:
if (uid)
*uid = -1;
if (gid)
*gid = -1;
+
+ if (cfg) {
+ if (uid)
+ *uid = cfg->user;
+
+ if (gid)
+ *gid = cfg->group;
+ }
+
+ if (vm && (vmlabel = virDomainDefGetSecurityLabelDef(vm->def,
"dac")))
+ virParseOwnershipIds(vmlabel->label, uid, gid);
+
+ if ((disklabel = virDomainDiskDefGetSecurityLabelDef(disk, "dac")))
+ virParseOwnershipIds(disklabel->label, uid, gid);
since all three of these more-specific overrides could all be missing,
but ideally, you want to guarantee that we picked the best-possible
uid/gid by the end of this method.
ACK with that fixed - it means that all disks are now being opened by
the same credentials as what we tell qemu to open with.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 604 bytes)