Daniel P. Berrangé <berrange(a)redhat.com> [2018-10-25, 06:32PM +0100]:
> On Thu, Oct 25, 2018 at 01:47:26PM +0200, Bjoern Walk wrote:
> > Daniel P. Berrangé <berrange(a)redhat.com> [2018-10-24, 10:43PM +0100]:
> > > We could optimize this by calling virFileAccessibleAs
> > > once and storing the result in a global. Then just do a
> > > plain stat() call in process to check the st_ctime field
> > > for changes. We only need to re-run the heavy virFileAccessibleAs
> > > check if st_ctime has changed (indicating an owner/group/acl
> > > change).
> >
> > But can't access permission change outside of changing the actual device
> > file (e.g. cgroups or other OS capabilities)? Isn't that the whole
> > purpose of the virFileAccessibleAs gymnastics?
>
> Yes, cgroups could restrict access to /dev/kvm, but virFileAccessibleAs
> does not use cgroups, it only cares about using the correct user + group
> membership.

Sorry, but then I don't understand the purpose of this function at all.
Why would you EVER check permissions like that? A simple stat(2) call
should give you the exact same information, no?