Re: [libvirt] [PATCH 0/5] security_stack: Perform rollback if one of stacked drivers fails

On Thu, Oct 10, 2019 at 11:29:17AM +0100, Richard W.M. Jones wrote: Anything related to device nodes & permissions/ownership shouldn't be an issue any more. We switched to create a private mount namespace for each QEMU and setup a custom /dev populated with only the devices QEMU is allowed. Thus we should no longer be touching permisisons/owners in the real /dev If we had a real qemu:///session mode running QEMU itself as root, then we would never change permissions/ownership. We would still need to be changing SELinux labels & so the label restore logic is needd there. We should be able to use qemu:///system & the DAC driver to run QEMU as root though. There was previously a problem wrt monitor sockets that you hit when trying this with libguestfs, but I believe that should now be fixed: https://bugzilla.redhat.com/show_bug.cgi?id=890291#c30 If using the DAC driver to request running as root, the only remaining difference in terms of permissions is that we clear CAP_DAC_OVERRIDE, so the root user will only be able to access files which explicitly grant root access. We could fix this limitation in the DAC driver I believe to allow capabilities to be retained. Regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|