Re: [libvirt] [PATCH] qemu: Label master key file
On 04/13/2016 11:17 AM, Martin Kletzander wrote:
When creating the master key, we used mode 0600 (which we should)
but
because we were creating it as root, the file is not readable by any
qemu running as non-root. Fortunately, it's just a matter of labelling
the file. We are generating the file path few times already, so let's
label it in the same function that has access to the path already.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
src/qemu/qemu_domain.c | 15 ++++++++++++---
src/qemu/qemu_domain.h | 3 ++-
src/qemu/qemu_process.c | 2 +-
3 files changed, 15 insertions(+), 5 deletions(-)
ACK, makes sense and fixes things for me. One comment below
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 5d54fffcfb98..83e765ef6868 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -504,11 +504,13 @@ qemuDomainGetMasterKeyFilePath(const char *libDir)
* Returns 0 on success, -1 on failure with error message indicating failure
*/
static int
-qemuDomainWriteMasterKeyFile(qemuDomainObjPrivatePtr priv)
+qemuDomainWriteMasterKeyFile(virQEMUDriverPtr driver,
+ virDomainObjPtr vm)
{
char *path;
int fd = -1;
int ret = -1;
+ qemuDomainObjPrivatePtr priv = vm->privateData;
if (!(path = qemuDomainGetMasterKeyFilePath(priv->libDir)))
return -1;
@@ -525,6 +527,10 @@ qemuDomainWriteMasterKeyFile(qemuDomainObjPrivatePtr priv)
goto cleanup;
}
+ if (virSecurityManagerDomainSetDirLabel(driver->securityManager,
+ vm->def, path) < 0)
+ goto cleanup;
+
ret = 0;
I looked briefly at fixing this but know if there was a function to ask the
security driver 'just set a on this arbitrary path'. I saw DirLabel but was
thrown off by the 'Dir' name. Maybe change it to something more generic?
Thanks,
Cole