On Wed 24 Jul 2013 10:56:56 AM CEST, Michal Privoznik wrote:
On 24.05.2013 22:25, Martin Kletzander wrote:
> There were some places in the code, where files were being opened with
> uid:gid of the daemon instead of the qemu process related to the file.
>
> First patch exposes the parseIds() function in order for it to be used
> somewhere else in the code than in the DAC security driver. The next
> patch fixes how the files are opened and the last one fixes occurences
> of open() that should use different uid:gid for opening files.
>
> There maybe should be a check for whether the file being opened is an
> image and whether the label used to open the file should be imagelabel
> or not. But, the QEMU process opening the file is running as the
> label (not imagelabel) and accessing the files as such.
>
> Martin Kletzander (3):
> Expose ownership ID parsing
> Make qemuOpenFile aware of per-VM DAC seclabel.
> Use qemuOpenFile in qemu_driver.c
>
> src/libvirt_private.syms | 1 +
> src/qemu/qemu_driver.c | 87 +++++++++++++++++++++++++++++++--------------
> src/security/security_dac.c | 51 ++------------------------
> src/util/virutil.c | 56 +++++++++++++++++++++++++++++
> src/util/virutil.h | 2 ++
> 5 files changed, 122 insertions(+), 75 deletions(-)
>
> --
> 1.8.2.1
>
ACK series,
Thanks, pushed.
Martin