On Thu, Oct 27, 2016 at 15:08:37 +0200, Daniel P. Berrange wrote:
> On Thu, Oct 27, 2016 at 09:25:41AM +0200, Daniel P. Berrange wrote:
> > On Thu, Oct 27, 2016 at 08:37:02AM +0200, Jiri Denemark wrote:
> > > On Wed, Oct 26, 2016 at 17:39:35 +0200, Daniel P. Berrange wrote:
> > > > On Wed, Oct 26, 2016 at 02:36:58PM +0200, Michal Privoznik wrote:
> > > > > This is a small helper intended to be run by udev. On its input
> > > > > (either as the only command line argument or in DEVNODE
> > > > > environment variable) it is given a device and on the output it
> > > > > will either put nothing (meaning the device is not used by any of
> > > > > the libvirt domains), or it will print out security labels in the
> > > > > following form:
> > > > >
> > > > > UID GID SELABEL
> > > >
> > > > How is this intended to be actually used ? ie what udev rule are
> > > > you creating along with this ?
> > >
> > > Yeah, the rule should really be part of this series.
> > >
> > > > IMHO we just want the helper to indicate that udev should not do
> > > > anything to the device - we should not need udev to ever set labels
> > > > itself as libvirt has already set them - we just don't want udev to
> > > > remove them. IOW, I don't see the need to print out this info at all.
> > >
> > > That would be nice, but unfortunately there's no way to tell udev not to
> > > touch a specific device (I discussed this stuff with Michal Sekletar).
> > > Other udev rules might have already set UID/GID/SELABEL for the device
> > > and we can only change it to contain the required content; we can't
> > > reset them to "don't change any of these".
> >
> > I think we need to prevent those rules from running - any situation
> > in which some rules change permissions and our other rule needs to
> > change them back is still very badly race prone.
> >
> > My expectation was that the standard udev provided rule which resets
> > permissions on file close would be modified to have an extra condition
> > in its match rule:
> >
> > ENV{EXTERNALLY_MANAGED}!="yes"
> >
> > libvirt would then drop in the rule runs libvirt_udevhelper and if that
> > returns 1, then we set ENV{EXTERNALLY_MANAGED}. This provides a general
> > solution that other (non-libvirt) apps can use to prevent the perms
> > changing behind their back.
>
> IIUC, we can possibly achieve our goal using GOTO, with two rules.
> In a 00-libvirt-early.rules have a rule that runs libvirt_udevhelper
> and adds a "GOTO=libvirt-end". Then in zzzzzz-libvirt-late.rules
> define the LABEL=libvirt-end. That should cause it to skip over all
> intermediate udev rules.

Hmm, sounds like a nice hack around it. I didn't realize goto can jump
to a label defined in a different rule file...
Jirka
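The two-file GOTO/LABEL arrangement Daniel sketches above, written out as udev rules. This is an added illustration, not a rule file from the libvirt series or from anyone in the thread. The helper's install path, the `ACTION!="remove"` filter, passing the node as `$devnode`, and the assumption that the helper exits 0 and prints a non-empty "UID GID SELABEL" line only for libvirt-managed devices are all my own choices; the page fixes only the helper's name and its print-nothing/print-labels output contract.

```udev
# /etc/udev/rules.d/00-libvirt-early.rules   (added example, not libvirt's own rule)
#
# PROGRAM matches when the helper exits 0; RESULT then matches against what the
# helper printed. The helper described in the thread prints "UID GID SELABEL"
# when a libvirt domain uses the node and nothing otherwise, so a non-empty
# RESULT ("?*" = at least one character) means "libvirt already labelled this";
# GOTO then skips every rule between here and the label in the late file.
# Helper path is an assumption; adjust to wherever the helper is installed.
ACTION!="remove", PROGRAM=="/usr/libexec/libvirt_udevhelper $devnode", RESULT=="?*", GOTO="libvirt-end"

# /etc/udev/rules.d/zzzzzz-libvirt-late.rules
#
# udev merges rules.d directories and processes files in lexical filename
# order, so this file sorts after the stock rules that reset ownership and
# labels on close. LABEL is a no-op marker; rules that did not GOTO simply
# fall through it.
LABEL="libvirt-end"
```

Two practical points for anyone deploying something like this: the early rule runs the helper on every non-remove event for every device, so in practice you would narrow it with `SUBSYSTEM==` or `KERNEL==` matches to the device classes libvirt actually hands to guests; and the GOTO only prevents rules in files that sort between the two libvirt files from running, so a rule file that sorts before `00-` or a later file that someone drops in after `zzzzzz-` is unaffected, which is worth checking with `udevadm test` on a real node after installation.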