
On 01/07/2014 06:32 PM, Gao feng wrote:
On 01/07/2014 12:18 PM, Eric Blake wrote:
On 12/24/2013 06:45 AM, Reco wrote:
On Tue, 24 Dec 2013 06:29:11 -0700 Eric Blake <eblake@redhat.com> wrote:
diff --git i/src/util/virprocess.c w/src/util/virprocess.c index c99b75a..e069483 100644 --- i/src/util/virprocess.c +++ w/src/util/virprocess.c @@ -879,7 +879,7 @@ virProcessRunInMountNamespace(pid_t pid, goto cleanup; }
- if ((cpid = virFork() < 0)) + if ((cpid = virFork()) < 0) goto cleanup; if (cpid == 0) { /* child */
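Review bot: the precedence fix in this hunk is correct and worth spelling out in the commit message: in the `-` line `(cpid = virFork() < 0)` groups as `cpid = (virFork() < 0)`, so `cpid` receives 0 or 1 from the comparison instead of the child's pid, and after a successful fork the parent sees `cpid == 0` and falls into the `/* child */` branch that follows. The `+` line `if ((cpid = virFork()) < 0)` restores the intended grouping so only the real child takes that path and the parent keeps the pid it needs. Since this same assignment-inside-condition idiom is easy to mistype, a short comment at the call site or a note in the commit message would help reviewers see why the parentheses matter here.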
Thanks, that solves it. With this extra patch libvirtd writes to the container's /dev/initctl only and terminates child process only.
Thanks again for the functional review. I'm still waiting for a code review from anyone willing, since this does fix a security issue and I don't want to introduce an unintentional regression. And I guess there's still the need to fix the access to the namespace /dev during device hotplug...
Yes, device hotplug has the same problem. ACK to this serial.
s/serial/series/ (English is weird)

I've pushed patch 1, but am seeing if I can work up patches for the /dev issue before I push any others (in particular, if that work turns up any need to rethink the strategy, I'd like to avoid the churn - because I still want this CVE fixed in time for the 1.2.1 release).

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org