
Daniel P. Berrangé <berrange@redhat.com> [2018-10-25, 06:32PM +0100]:
> On Thu, Oct 25, 2018 at 01:47:26PM +0200, Bjoern Walk wrote:
> > Daniel P. Berrangé <berrange@redhat.com> [2018-10-24, 10:43PM +0100]:
> > > We could optimize this by calling virFileAccessibleAs once and storing the result in a global. Then just do a plain stat() call in process to check the st_ctime field for changes. We only need to re-run the heavy virFileAccessibleAs check if st_ctime has changed (indicating an owner/group/acl change).
> > But can't access permission change outside of changing the actual device file (e.g. cgroups or other OS capabilities)? Isn't that the whole purpose of the virFileAccessibleAs gymnastics?
> Yes, cgroups could restrict access to /dev/kvm, but virFileAccessibleAs does not use cgroups, it only cares about using the correct user + group membership.
Sorry, but then I don't understand the purpose of this function at all. Why would you EVER check permissions like that? A simple stat(2) call should give you the exact same information, no?

--
IBM Systems
Linux on Z & Virtualization Development
--------------------------------------------------
IBM Deutschland Research & Development GmbH
Schönaicher Str. 220, 71032 Böblingen
Phone: +49 7031 16 1819
--------------------------------------------------
Vorsitzende des Aufsichtsrats: Martina Koederitz
Geschäftsführung: Dirk Wittkopp
Sitz der Gesellschaft: Böblingen
Registergericht: Amtsgericht Stuttgart, HRB 243294
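
The caching scheme proposed in the quoted 2018-10-24 message, sketched as an added example (not libvirt code and not written by any participant in the thread): `heavy_check` is a hypothetical stand-in for the expensive check, and every name and the temp-file scenario are constructed. As the thread notes, st_ctime reflects owner/group/mode changes on the file itself, so restrictions applied elsewhere (such as cgroups) do not invalidate this cache.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

static int heavy_calls;   /* how often the expensive check ran (demo only) */
static struct { bool valid, ok; struct timespec ctime; } cache;

/* Hypothetical stand-in: asks access(2) about the calling process only. */
static bool heavy_check(const char *path)
{
    heavy_calls++;
    return access(path, R_OK) == 0;
}

/* stat() first, then re-run the expensive check only if st_ctime moved. */
bool cached_accessible(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) < 0) { cache.valid = false; return false; }
    if (!cache.valid || sb.st_ctim.tv_sec != cache.ctime.tv_sec ||
        sb.st_ctim.tv_nsec != cache.ctime.tv_nsec) {
        cache.ok = heavy_check(path);
        cache.ctime = sb.st_ctim;   /* ctime read before the check */
        cache.valid = true;
    }
    return cache.ok;
}

/* Constructed scenario on a temp file; returns the number of heavy checks. */
int demo_heavy_calls(void)
{
    char path[] = "/tmp/ctime-cache-XXXXXX";
    struct timespec pause = { 0, 50 * 1000 * 1000 };
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    heavy_calls = 0; cache.valid = false;
    cached_accessible(path);
    cached_accessible(path);   /* ctime unchanged: answered from the cache */
    nanosleep(&pause, NULL);   /* step past coarse timestamp granularity */
    chmod(path, 0400);         /* permission change updates st_ctime */
    cached_accessible(path);   /* ctime changed: heavy check runs again */
    unlink(path);
    return heavy_calls;
}
int main(void) { printf("heavy checks: %d\n", demo_heavy_calls()); return 0; }
```

Because the ctime is sampled before the expensive check runs, a change that lands between the two is picked up on the next call instead of being cached as current.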