Re: [libvirt] [PATCH] qemu_conf: Check for namespaces availability more wisely

On Wed, Feb 15, 2017 at 10:20:27AM +0100, Michal Privoznik wrote: > The bare fact that mnt namespace is available is not enough for > us to allow/enable qemu namespaces feature. There are other > requirements: we must copy all the ACL & SELinux labels otherwise > we might grant access that is administratively forbidden or vice > versa. > At the same time, the check for namespace prerequisites is moved > from domain startup time to qemu.conf parser as it doesn't make > much sense to allow users to start misconfigured libvirt just to > find out they can't start a single domain. > > Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; > --- > src/qemu/qemu_conf.c | 20 ++++++++++++++++---- > src/qemu/qemu_conf.h | 3 ++- > src/qemu/qemu_domain.c | 43 ++++++++++++++++++++++++++++--------------- > src/qemu/qemu_domain.h | 2 ++ > src/qemu/qemu_driver.c | 2 +- > 5 files changed, 49 insertions(+), 21 deletions(-) >

> +bool > +qemuDomainNamespaceAvailable(qemuDomainNamespace ns) > +{ > + > + switch (ns) { > + case QEMU_DOMAIN_NS_MOUNT: > +#if !defined(__linux__) > + /* Namespaces are Linux specific. */ > + return false; > +#endif > +#if !defined(HAVE_SYS_ACL_H) || !defined(WITH_SELINUX) > + /* We can't create the exact copy of paths if either of > + * these is not available. */ > + return false; > +#endif Pretty sure this will cause the compiler to complain about unreachable code paths because you'll get return false; return false; if (virProcessNamespaceAvailable(....)