
2010/6/24 Daniel P. Berrange <berrange@redhat.com>:
When configuring serial, parallel, console or channel devices with a file, dev or pipe backend type, it is neccessary to label the file path in the security drivers. For char devices of type file, it is neccessary to pre-create (touch) the file if it does not already exist since QEMU won't be allowed todo so itself. dev/pipe configs already require the admin to pre-create before starting the guest.
Two typos: s/neccessary/necessary
* src/qemu/qemu_security_dac.c: set file ownership for character devices * src/security/security_selinux.c: Set file labelling for character
Another typo: s/labelling/labeling
devices * src/qemu/qemu_driver.c: Add character devices to cgroup ACL --- src/qemu/qemu_driver.c | 59 +++++++++++++++++++ src/qemu/qemu_security_dac.c | 117 ++++++++++++++++++++++++++++++++++++++ src/security/security_selinux.c | 119 +++++++++++++++++++++++++++++++++++++++ src/util/cgroup.c | 2 +- 4 files changed, 296 insertions(+), 1 deletions(-)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index a7b3f25..6274d4c 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -2950,6 +2950,28 @@ qemuPrepareHostDevices(struct qemud_driver *driver, }
+static int +qemuPrepareChardevDevice(virDomainDefPtr def ATTRIBUTE_UNUSED, + virDomainChrDefPtr dev, + void *opaque ATTRIBUTE_UNUSED) +{ + int fd; + if (dev->type != VIR_DOMAIN_CHR_TYPE_FILE) + return 0; + + if ((fd = open(dev->data.file.path, O_CREAT | O_APPEND, S_IRUSR|S_IWUSR)) < 0) { + virReportSystemError(errno, + _("Unable to pre-create chardev file %s"),
Maybe use '%s' here instead of plain %s.
+ dev->data.file.path); + return -1; + } + + close(fd); + + return 0; +} + + static void qemudReattachManagedDevice(pciDevice *dev) { @@ -3124,6 +3146,30 @@ cleanup: }
+static int qemuSetupChardevCgroup(virDomainDefPtr def, + virDomainChrDefPtr dev, + void *opaque) +{ + virCgroupPtr cgroup = opaque; + int rc; + + if (dev->type != VIR_DOMAIN_CHR_TYPE_DEV) + return 0; + + + VIR_DEBUG("Process path %s for disk", dev->data.file.path);
Again '%s' instead of plain %s.
+ rc = virCgroupAllowDevicePath(cgroup, dev->data.file.path); + if (rc != 0) { + virReportSystemError(-rc, + _("Unable to allow device %s for %s"),
Here too. ACK. Matthias