When we populate the private /dev that's going to be used by an isolated QEMU process, we take care all metadata matches what's in the top-level namespace: in particular, we copy the file permissions directly. However, since the permissions passed to mknod() are still affected by the active umask, we need to set it to a very permissive value before creating device nodes to avoid file access issues. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1421036 --- src/qemu/qemu_domain.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index f62bf8f..7993acc 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -7040,6 +7040,7 @@ qemuDomainCreateDeviceRecursive(const char *device, #ifdef WITH_SELINUX char *tcon = NULL; #endif + mode_t oldUmask = umask((mode_t) 0); if (!ttl) { virReportSystemError(ELOOP, @@ -7205,6 +7206,7 @@ qemuDomainCreateDeviceRecursive(const char *device, #ifdef WITH_SELINUX freecon(tcon); #endif + umask(oldUmask); return ret; } @@ -7678,6 +7680,7 @@ qemuDomainAttachDeviceMknodHelper(pid_t pid ATTRIBUTE_UNUSED, int ret = -1; bool delDevice = false; bool isLink = S_ISLNK(data->sb.st_mode); + mode_t oldUmask = umask((mode_t) 0); virSecurityManagerPostFork(data->driver->securityManager); @@ -7756,6 +7759,7 @@ qemuDomainAttachDeviceMknodHelper(pid_t pid ATTRIBUTE_UNUSED, freecon(data->tcon); #endif virFileFreeACLs(&data->acl); + umask(oldUmask); return ret; } -- 2.7.4