There were some places in the code, where files were being opened with
uid:gid of the daemon instead of the qemu process related to the file.
First patch exposes the parseIds() function in order for it to be used
somewhere else in the code than in the DAC security driver. The next
patch fixes how the files are opened and the last one fixes occurences
of open() that should use different uid:gid for opening files.
There maybe should be a check for whether the file being opened is an
image and whether the label used to open the file should be imagelabel
or not. But, the QEMU process opening the file is running as the
label (not imagelabel) and accessing the files as such.
Martin Kletzander (3):
Expose ownership ID parsing
Make qemuOpenFile aware of per-VM DAC seclabel.
Use qemuOpenFile in qemu_driver.c
src/libvirt_private.syms | 1 +
src/qemu/qemu_driver.c | 87 +++++++++++++++++++++++++++++++--------------
src/security/security_dac.c | 51 ++------------------------
src/util/virutil.c | 56 +++++++++++++++++++++++++++++
src/util/virutil.h | 2 ++
5 files changed, 122 insertions(+), 75 deletions(-)
--
1.8.2.1