The remember owner feature uses XATTRs to store original
seclabels. But that means we don't want a regular user to be able
to change what we stored and thus trick us into setting a different
seclabel. Therefore, we use namespaces that are reserved to
CAP_SYS_ADMIN only. Such namespaces exist on Linux and FreeBSD.
That also means that the whole feature is enabled only for
qemu:///system. Now, while the secdriver code is capable of
dealing with XATTRs being unsupported (it has to, not all
filesystems support them) if the feature is enabled users will
get a harmless error message in the logs and the feature
disables itself.
Since we have virSecurityXATTRNamespaceDefined() we can use it to
make a wiser decision on the default state of the feature.
Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com>
---
src/qemu/qemu_conf.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index ead9d1ee99..923aea8bd7 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -49,6 +49,7 @@
#include "storage_conf.h"
#include "virutil.h"
#include "configmake.h"
+#include "security/security_util.h"
#define VIR_FROM_THIS VIR_FROM_QEMU
@@ -131,7 +132,11 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged,
cfg->group = (gid_t)-1;
}
cfg->dynamicOwnership = privileged;
- cfg->rememberOwner = privileged;
+
+ if (privileged)
+ cfg->rememberOwner = virSecurityXATTRNamespaceDefined();
+ else
+ cfg->rememberOwner = false;
cfg->cgroupControllers = -1; /* -1 == auto-detect */
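Review bot: the four-line if/else in this hunk collapses to a single assignment, `cfg->rememberOwner = privileged && virSecurityXATTRNamespaceDefined();`, which also reads in parallel with the `cfg->dynamicOwnership = privileged;` line right above it; the explicit `else cfg->rememberOwner = false;` branch only restates what the `&&` already gives. Two follow-ups worth handling in the same change: the qemu.conf sample that documents `remember_owner` should say the default is now derived from whether the platform has a CAP_SYS_ADMIN-only XATTR namespace rather than simply "on for privileged daemons", otherwise admins reading the config comment get the old answer; and since the commit message says the secdriver still has to cope with filesystems that lack XATTR support at runtime, this default only decides whether the namespace exists at all for the platform, so the runtime fallback to "log and disable" stays necessary and is not replaced by this check.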
--
2.26.2
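The commit message rests on one property: the XATTR namespace libvirt stores remembered labels in is writable only with CAP_SYS_ADMIN, and a filesystem may not support XATTRs at all, in which case the feature must back off. The probe below, added here as an example and not libvirt's own code, makes that property testable on a given path: it attempts a write in the privileged `trusted.` namespace and classifies the result into "usable", "not permitted" (no CAP_SYS_ADMIN), "unsupported" (filesystem without XATTRs) or "other error", then applies the same privileged-and-namespace-available decision the patch makes. It is Linux only (`sys/xattr.h`); the attribute name `trusted.example.probe`, the helper names, and the use of `geteuid() == 0` as a stand-in for "privileged daemon" are assumptions for illustration.

```c
/*
 * Probe whether the CAP_SYS_ADMIN-only "trusted." xattr namespace that a
 * remember-owner style feature relies on is actually usable on a path.
 * Added example, not libvirt code. Linux only (sys/xattr.h). The attribute
 * name below is a hypothetical stand-in, not the one libvirt stores.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

enum xattr_probe {
    XATTR_PROBE_OK = 0,        /* write in the trusted namespace succeeded */
    XATTR_PROBE_NOT_PERMITTED, /* EPERM/EACCES: caller lacks CAP_SYS_ADMIN */
    XATTR_PROBE_UNSUPPORTED,   /* ENOTSUP: filesystem has no xattr support */
    XATTR_PROBE_ERROR          /* anything else, e.g. ENOENT for a bad path */
};

/* Hypothetical attribute name in the privileged "trusted." namespace. */
#define PROBE_ATTR "trusted.example.probe"

/* Try to write and remove a trusted.* attribute on PATH; *err gets errno. */
enum xattr_probe probe_trusted_xattr(const char *path, int *err)
{
    static const char value[] = "probe";

    if (setxattr(path, PROBE_ATTR, value, sizeof(value), 0) == 0) {
        /* Clean up; a failure here does not change the verdict. */
        (void) removexattr(path, PROBE_ATTR);
        *err = 0;
        return XATTR_PROBE_OK;
    }
    *err = errno;
    switch (*err) {
    case EPERM:
    case EACCES:
        return XATTR_PROBE_NOT_PERMITTED;
    case ENOTSUP:
        return XATTR_PROBE_UNSUPPORTED;
    default:
        return XATTR_PROBE_ERROR;
    }
}

/* Same decision the patch makes at startup: on only for a privileged
 * daemon and only when the privileged namespace can be written. */
bool decide_remember_owner(bool privileged, enum xattr_probe probe)
{
    return privileged && probe == XATTR_PROBE_OK;
}

/* Create a temporary file, probe it, and remove it again. */
enum xattr_probe probe_tempfile(int *err)
{
    char path[] = "/tmp/xattr-probe-XXXXXX";
    int fd = mkstemp(path);
    enum xattr_probe res;

    if (fd < 0) {
        *err = errno;
        return XATTR_PROBE_ERROR;
    }
    close(fd);
    res = probe_trusted_xattr(path, err);
    unlink(path);
    return res;
}

int main(int argc, char **argv)
{
    static const char *names[] = { "ok", "not permitted", "unsupported", "error" };
    int err = 0;
    /* Optional argument: a path on the storage the daemon will label. */
    enum xattr_probe res = argc > 1 ? probe_trusted_xattr(argv[1], &err)
                                    : probe_tempfile(&err);

    printf("trusted xattr probe: %s%s%s\n", names[res],
           err ? " (" : "", err ? strerror(err) : "");
    if (err)
        printf(")\n");
    /* euid == 0 stands in for "privileged daemon" (qemu:///system). */
    printf("remember_owner default would be: %s\n",
           decide_remember_owner(geteuid() == 0, res) ? "on" : "off");
    return 0;
}
```

Run it as an unprivileged user and the verdict is "not permitted", which is exactly the guarantee the commit message relies on: a regular user cannot alter what was stored in that namespace. Run it as root against a path on a filesystem without XATTR support and it reports "unsupported", the case where the patch's compile-in default is still true but the runtime fallback described in the message must kick in.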