2010/6/24 Daniel P. Berrange <berrange(a)redhat.com>:
When configuring serial, parallel, console or channel devices
with a file, dev or pipe backend type, it is neccessary to label
the file path in the security drivers. For char devices of type
file, it is neccessary to pre-create (touch) the file if it does
not already exist since QEMU won't be allowed to do so itself.
dev/pipe configs already require the admin to pre-create before
starting the guest.
Two typos: s/neccessary/necessary
* src/qemu/qemu_security_dac.c: set file ownership for character
devices
* src/security/security_selinux.c: Set file labelling for character
Another typo: s/labelling/labeling
devices
* src/qemu/qemu_driver.c: Add character devices to cgroup ACL
---
src/qemu/qemu_driver.c | 59 +++++++++++++++++++
src/qemu/qemu_security_dac.c | 117 ++++++++++++++++++++++++++++++++++++++
src/security/security_selinux.c | 119 +++++++++++++++++++++++++++++++++++++++
src/util/cgroup.c | 2 +-
4 files changed, 296 insertions(+), 1 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index a7b3f25..6274d4c 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -2950,6 +2950,28 @@ qemuPrepareHostDevices(struct qemud_driver *driver,
}
+static int
+qemuPrepareChardevDevice(virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainChrDefPtr dev,
+ void *opaque ATTRIBUTE_UNUSED)
+{
+ int fd;
+ if (dev->type != VIR_DOMAIN_CHR_TYPE_FILE)
+ return 0;
+
+ if ((fd = open(dev->data.file.path, O_CREAT | O_APPEND, S_IRUSR|S_IWUSR)) < 0)
{
+ virReportSystemError(errno,
+ _("Unable to pre-create chardev file %s"),
Maybe use '%s' here instead of plain %s.
+ dev->data.file.path);
+ return -1;
+ }
+
+ close(fd);
+
+ return 0;
+}
+
+
static void
qemudReattachManagedDevice(pciDevice *dev)
{
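Review bot: The pre-create open() in qemuPrepareChardevDevice passes O_CREAT without O_NOFOLLOW, so if a symlink already sits at dev->data.file.path, libvirtd follows it with its own privileges and opens (or creates) whatever it points to, and that target is then what the DAC/SELinux labeling from the other files in this series gets applied to. For a chardev file the admin wants a regular file at exactly that path, so refusing symlinks is the conservative choice: `if ((fd = open(dev->data.file.path, O_CREAT | O_APPEND | O_NOFOLLOW, S_IRUSR|S_IWUSR)) < 0) {`, which fails with ELOOP on a symlink instead of silently operating on the target. The exposure is limited to paths whose parent directory is writable by someone other than root, which is presumably rare for configured chardev paths, but the flag costs nothing. The `{` on its own line after the open() call looks like mail wrapping rather than the submitted formatting.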
@@ -3124,6 +3146,30 @@ cleanup:
}
+static int qemuSetupChardevCgroup(virDomainDefPtr def,
+ virDomainChrDefPtr dev,
+ void *opaque)
+{
+ virCgroupPtr cgroup = opaque;
+ int rc;
+
+ if (dev->type != VIR_DOMAIN_CHR_TYPE_DEV)
+ return 0;
+
+
+ VIR_DEBUG("Process path %s for disk", dev->data.file.path);
Again '%s' instead of plain %s.
+ rc = virCgroupAllowDevicePath(cgroup, dev->data.file.path);
+ if (rc != 0) {
+ virReportSystemError(-rc,
+ _("Unable to allow device %s for %s"),
Here too.
ACK.
Matthias