[PATCH 0/2] qemu: auto-create <nvram> with defined permissions
Kristina Hanicova (2): qemu: Use qemuDomainOpenFile() in qemuPrepareNVRAM() qemu: Return -EINVAL to keep qemuDomainOpenFile() consistent src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_process.c | 21 +++++++++++---------- 2 files changed, 12 insertions(+), 11 deletions(-) -- 2.31.1
Previously, nvram file was created with user/group owner as 'root', rather than specifications defined in libvirtd.conf. The solution is to call qemuDomainOpenFile(), which creates file with defined permissions and qemuSecurityDomainSetPathLabel() to set security label for created nvram file. Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1783255 Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- src/qemu/qemu_process.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 35213f81ec..2aa4574d94 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -4499,9 +4499,10 @@ qemuProcessUpdateCPU(virQEMUDriver *driver, static int -qemuPrepareNVRAM(virQEMUDriverConfig *cfg, +qemuPrepareNVRAM(virQEMUDriver *driver, virDomainObj *vm) { + g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); int ret = -1; int srcFD = -1; int dstFD = -1; @@ -4538,17 +4539,17 @@ qemuPrepareNVRAM(virQEMUDriverConfig *cfg, master_nvram_path); goto cleanup; } - if ((dstFD = virFileOpenAs(loader->nvram, - O_WRONLY | O_CREAT | O_EXCL, - S_IRUSR | S_IWUSR, - cfg->user, cfg->group, 0)) < 0) { - virReportSystemError(-dstFD, - _("Failed to create file '%s'"), - loader->nvram); + + if ((dstFD = qemuDomainOpenFile(driver, vm, loader->nvram, + O_WRONLY | O_CREAT | O_EXCL, + NULL)) < 0) goto cleanup; - } + created = true; + if (qemuSecurityDomainSetPathLabel(driver, vm, loader->nvram, false) < 0) + goto cleanup; + do { char buf[1024]; @@ -6723,7 +6724,7 @@ qemuProcessPrepareHost(virQEMUDriver *driver, qemuDomainObjPrivate *priv = vm->privateData; g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(driver); - if (qemuPrepareNVRAM(cfg, vm) < 0) + if (qemuPrepareNVRAM(driver, vm) < 0) return -1; if (vm->def->vsock) { -- 2.31.1
The description of the function says that the return value is a file descriptor on success and negative errno on failure which is not true. If the 'if' case with check on security labels fails, the return value is -1 not -errno. The solution is to return '-EINVAL' instead. Signed-off-by: Kristina Hanicova <khanicov@redhat.com> --- src/qemu/qemu_domain.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index 10641846b3..5254552551 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -11509,7 +11509,7 @@ qemuDomainOpenFile(virQEMUDriver *driver, (seclabel = virDomainDefGetSecurityLabelDef(vm->def, "dac")) != NULL && seclabel->label != NULL && (virParseOwnershipIds(seclabel->label, &user, &group) < 0)) - return -1; + return -EINVAL; return virQEMUFileOpenAs(user, group, dynamicOwnership, path, oflags, needUnlink); -- 2.31.1
On 5/21/21 1:41 PM, Kristina Hanicova wrote:
Kristina Hanicova (2): qemu: Use qemuDomainOpenFile() in qemuPrepareNVRAM() qemu: Return -EINVAL to keep qemuDomainOpenFile() consistent
src/qemu/qemu_domain.c | 2 +- src/qemu/qemu_process.c | 21 +++++++++++---------- 2 files changed, 12 insertions(+), 11 deletions(-)
Reviewed-by: Michal Privoznik <mprivozn@redhat.com> and pushed. Michal
participants (2)
-
Kristina Hanicova -
Michal Prívozník