On Mon, Dec 05, 2016 at 02:56:12PM +0100, Michal Privoznik wrote:
> On 05.12.2016 13:36, Daniel P. Berrange wrote:
>> On Thu, Nov 24, 2016 at 03:47:54PM +0100, Michal Privoznik wrote:
>>> Namely, virFileGetACLs, virFileSetACLs, virFileFreeACLs and
>>> virFileCopyACLs. These functions are going to be required when we
>>> are creating /dev for qemu. We have to copy anything that's in
>>> host's /dev exactly as is. Including ACLs.
>>
>> Do we really ?
>>
>> IIUC, udev uses ACLs on /dev in order to grant end users in the desktop
>> session permission on certain device nodes, without chowning the whole
>> device.
>>
>> The device nodes in our private /dev only need to be accessible to the
>> QEMU process we're about to run.
>>
>> So neither existing ownership, group, permissions, nor ACLs matter at
>> all. Our security driver code will chown/grp the device to grant
>> QEMU access and that's all that's needed AFAICT.
>>
>> What am I missing that requires us to preserve ACLs ?
>
> Admins may set ACLs on say /dev/sdb to grant access to some users and
> then use relabel='no' in domain XMLs so that libvirt doesn't mess it up.
> If we want to honour no-relabel flag we must create the device exactly
> as is.

Ah ha. I totally forgot about the no-relabel case.
Regards,
Daniel
--
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-       http://search.cpan.org/~danberr/ :|
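To illustrate the no-relabel case discussed above, here is an added example (not code from libvirt or from the thread) that walks a domain XML and lists the block device nodes libvirt must mirror into the private /dev exactly as on the host, owner, mode and ACLs included, because the domain opted out of relabelling for them. The sample XML is constructed, and the domain-level default logic is a simplification of libvirt's own rules, as noted in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not from the thread). The first disk's
# <seclabel relabel='no'/> tells libvirt to leave that node's owner,
# mode and ACLs alone; the second disk is relabelled as usual.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <seclabel type='dynamic' model='dac' relabel='yes'/>
  <devices>
    <disk type='block' device='disk'>
      <source dev='/dev/sdb'>
        <seclabel model='dac' relabel='no'/>
      </source>
    </disk>
    <disk type='block' device='disk'>
      <source dev='/dev/sdc'/>
    </disk>
  </devices>
</domain>
"""


def _seclabel_relabels(label):
    """A <seclabel> relabels unless it is type='none' or relabel='no'."""
    return label.get("type") != "none" and label.get("relabel", "yes") != "no"


def devices_needing_exact_copy(xml_text):
    """Block device paths that must be mirrored into the private /dev
    exactly as on the host (owner, group, mode, ACLs) because the
    domain opted out of relabelling them. Simplifying assumption:
    the domain default is 'relabel' unless every domain-level
    <seclabel> opts out."""
    root = ET.fromstring(xml_text)
    domain_labels = root.findall("seclabel")
    default_relabel = not domain_labels or any(
        _seclabel_relabels(l) for l in domain_labels)
    exact = []
    for disk in root.findall("./devices/disk[@type='block']"):
        src = disk.find("source")
        if src is None or src.get("dev") is None:
            continue
        label = src.find("seclabel")
        relabel = _seclabel_relabels(label) if label is not None else default_relabel
        if not relabel:
            exact.append(src.get("dev"))
    return exact


if __name__ == "__main__":
    print(devices_needing_exact_copy(SAMPLE_DOMAIN_XML))  # ['/dev/sdb']
```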