Re: [libvirt] [PATCHv3 3/2] qemu: don't request cgroup ACL access for /dev/net/tun

Since libvirt always passes /dev/net/tun to qemu via fd, we should never trigger the cases where qemu tries to directly open the device. Therefore, it is safer to deny the cgroup device ACL. * src/qemu/qemu_cgroup.c (defaultDeviceACL): Remove /dev/net/tun. * src/qemu/qemu.conf (cgroup_device_acl): Reflect this change. --- Might as well fix this in the process of audit cleanups. I tested that I was still able to access the network through a virtio connection with cgroup ACL enforcing in the host after this change. And it matches the fact that we did not have a cgroup ACL allow for /dev/tapN devices (also passed via fd). src/qemu/qemu.conf | 2 +- src/qemu/qemu_cgroup.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf index 8c6b996..364f555 100644 --- a/src/qemu/qemu.conf +++ b/src/qemu/qemu.conf @@ -182,7 +182,7 @@ # "/dev/null", "/dev/full", "/dev/zero", # "/dev/random", "/dev/urandom", # "/dev/ptmx", "/dev/kvm", "/dev/kqemu", -# "/dev/rtc", "/dev/hpet", "/dev/net/tun", +# "/dev/rtc", "/dev/hpet", #] diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c index 9a7d42f..8c3eee3 100644 --- a/src/qemu/qemu_cgroup.c +++ b/src/qemu/qemu_cgroup.c @@ -37,7 +37,7 @@ static const char *const defaultDeviceACL[] = { "/dev/null", "/dev/full", "/dev/zero", "/dev/random", "/dev/urandom", "/dev/ptmx", "/dev/kvm", "/dev/kqemu", - "/dev/rtc", "/dev/hpet", "/dev/net/tun", + "/dev/rtc", "/dev/hpet", NULL, }; #define DEVICE_PTY_MAJOR 136