On Thu, Oct 27, 2016 at 08:37:02AM +0200, Jiri Denemark wrote:
> On Wed, Oct 26, 2016 at 17:39:35 +0200, Daniel P. Berrange wrote:
> > On Wed, Oct 26, 2016 at 02:36:58PM +0200, Michal Privoznik wrote:
> > > This is a small helper intended to be run by udev. On its input
> > > (either as the only command line argument or in DEVNODE
> > > environment variable) it is given a device and on the output it
> > > will either put nothing (meaning the device is not used by any of
> > > the libvirt domains), or it will print out security labels in the
> > > following form:
> > >
> > > UID GID SELABEL
> >
> > How is this intended to be actually used? i.e. what udev rule are
> > you creating along with this?
>
> Yeah, the rule should really be part of this series.
>
> > IMHO we just want the helper to indicate that udev should not do
> > anything to the device - we should not need udev to ever set labels
> > itself as libvirt has already set them - we just don't want udev to
> > remove them. IOW, I don't see the need to print out this info at all.
>
> That would be nice, but unfortunately there's no way to tell udev not to
> touch a specific device (I discussed this stuff with Michal Sekletar).
> Other udev rules might have already set UID/GID/SELABEL for the device
> and we can only change it to contain the required content; we can't
> reset them to "don't change any of these".
I think we need to prevent those rules from running - any situation
in which some rules change permissions and our other rule needs to
change them back is still very badly race prone.
My expectation was that the standard udev provided rule which resets
permissions on file close would be modified to have an extra condition
in its match rule:
ENV{EXTERNALLY_MANAGED}!="yes"
libvirt would then drop in the rule which runs libvirt_udevhelper and if that
returns 1, then we set ENV{EXTERNALLY_MANAGED}. This provides a general
solution that other (non-libvirt) apps can use to prevent the perms
changing behind their back.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-       http://search.cpan.org/~danberr/ :|
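As an added illustration of the arrangement sketched above (not part of this thread, and not libvirt's or udev's shipped rules), two hypothetical rules files: the distribution's permission-resetting rule with the extra `ENV{EXTERNALLY_MANAGED}!="yes"` match, and a libvirt drop-in that runs the helper first. File names, the helper path and the helper's exit/output convention are assumptions.

```udev
# Hypothetical file: /etc/udev/rules.d/40-libvirt-externally-managed.rules
#
# Must sort BEFORE the default rule below (udev reads rules files in
# lexical order) so the mark is set before ownership is (re)applied.
#
# Note: udev's PROGRAM key counts a *zero* exit status as a match and
# exposes the program's stdout in RESULT. This example therefore assumes
# (an assumption, not libvirt's actual behaviour) that the helper exits 0
# in both cases and prints a non-empty "UID GID SELABEL" line only when
# the device belongs to a running domain; RESULT=="?*" matches that.
ACTION=="add|change", SUBSYSTEM=="block", \
    PROGRAM="/usr/libexec/libvirt_udevhelper %N", RESULT=="?*", \
    ENV{EXTERNALLY_MANAGED}="yes"

# Hypothetical file: /usr/lib/udev/rules.d/50-default-permissions.rules
#
# Stand-in for the distribution rule that resets ownership on every
# add/change event (including the change event udev synthesises when a
# watched block device is closed after writing). The added match skips
# devices an application has claimed, so no rule ever has to race to put
# libvirt's labels back. An unset property compares unequal to "yes",
# so unclaimed devices still get the default ownership.
ACTION=="add|change", SUBSYSTEM=="block", ENV{EXTERNALLY_MANAGED}!="yes", \
    GROUP="disk"
```

If the helper instead signals "in use" with a non-zero exit status, as suggested in the thread, the PROGRAM match would be inverted and the rule would need a small wrapper or the opposite RESULT test.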