
On 27/11/2017 14:35, Michal Privoznik wrote:
But can you also test _more_ permissions if you want? So if QEMU passed to the helper a file for which it has "lock" but not "ioctl" access, would it make sense for the helper to let it through? Together with the socket MAC, this should be precise enough.

Sure, you can check any of the permissions which are defined for the type of object you've got. The goal is to check permissions which correspond to actions you're taking on the object. So if you do something other than just ioctl() on the passed in FD, it would make sense to check further permissions as appropriate.

Just to make sure I understand correctly: the FD passing is done by qemu and not libvirt, right? Technically, we don't open the disks.

Correct.

Paolo