[libvirt] [PATCH] chown kernel/initrd before spawning qemu

If we're running qemu unprivileged, we need to chown any supplied kernel or initrd before spawning it.
* src/qemu_driver.c: rename qemuDomainSetDiskOwnership() to qemuDomainSetFileOwnership(), pass it a path string instead of a disk definition and use it for chowning the kernel/initrd in qemuDomainSetAllDeviceOwnership()
---
 src/qemu_driver.c | 20 ++++++++++++--------
 1 files changed, 12 insertions(+), 8 deletions(-)

diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index 412b68d..bd58435 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -1684,18 +1684,18 @@ static int qemuDomainSetHostdevOwnership(virConnectPtr conn,
 }
 
 
-static int qemuDomainSetDiskOwnership(virConnectPtr conn,
-                                      virDomainDiskDefPtr def,
+static int qemuDomainSetFileOwnership(virConnectPtr conn,
+                                      const char *path,
                                       uid_t uid, gid_t gid)
 {
-    if (!def->src)
+    if (!path)
         return 0;
 
-    VIR_DEBUG("Setting ownership on %s to %d:%d", def->src, uid, gid);
-    if (chown(def->src, uid, gid) < 0) {
+    VIR_DEBUG("Setting ownership on %s to %d:%d", path, uid, gid);
+    if (chown(path, uid, gid) < 0) {
         virReportSystemError(conn, errno,
                              _("cannot set ownership on %s"),
-                             def->src);
+                             path);
         return -1;
     }
     return 0;
@@ -1725,7 +1725,7 @@ static int qemuDomainSetDeviceOwnership(virConnectPtr conn,
             (def->data.disk->readonly || def->data.disk->shared))
             return 0;
 
-        return qemuDomainSetDiskOwnership(conn, def->data.disk, uid, gid);
+        return qemuDomainSetFileOwnership(conn, def->data.disk->src, uid, gid);
 
     case VIR_DOMAIN_DEVICE_HOSTDEV:
         return qemuDomainSetHostdevOwnership(conn, def->data.hostdev, uid, gid);
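Review bot: In the rewritten `VIR_DEBUG` line of `qemuDomainSetFileOwnership`, `uid` and `gid` are passed to `%d` although `uid_t`/`gid_t` are unsigned types on common platforms, so the conversion specifier does not match the argument type; `VIR_DEBUG("Setting ownership on %s to %d:%d", path, (int)uid, (int)gid);` keeps the message while making the arguments match (the mismatch predates the rename, but the hunk rewrites the line anyway). Now that the helper is no longer disk-specific it also deserves a short contract comment: `chown()` is applied to whatever `path` names and follows symlinks, and a NULL path is silently treated as success, which the new kernel/initrd callers rely on to skip domains without a kernel. A comment such as `/* Re-own the file named by path (NULL is a no-op). chown() follows symlinks, so a symlinked path re-owns its target. */` above the definition would make both points explicit.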
@@ -1753,12 +1753,16 @@ static int qemuDomainSetAllDeviceOwnership(virConnectPtr conn,
     uid = restore ? 0 : driver->user;
     gid = restore ? 0 : driver->group;
 
+    if (qemuDomainSetFileOwnership(conn, def->os.kernel, uid, gid) < 0 ||
+        qemuDomainSetFileOwnership(conn, def->os.initrd, uid, gid) < 0)
+        return -1;
+
     for (i = 0 ; i < def->ndisks ; i++) {
         if (restore &&
             (def->disks[i]->readonly || def->disks[i]->shared))
             continue;
 
-        if (qemuDomainSetDiskOwnership(conn, def->disks[i], uid, gid) < 0)
+        if (qemuDomainSetFileOwnership(conn, def->disks[i]->src, uid, gid) < 0)
             return -1;
     }
 
-- 
1.6.2.5
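Review bot: The new kernel/initrd calls inherit the restore semantics visible two lines above (`uid = restore ? 0 : driver->user`), so on `restore` they reset ownership to 0:0 rather than to the files' previous owner; for disks under a libvirt-managed directory that is the expected state, but a kernel or initrd supplied from elsewhere in the filesystem would come back owned by root regardless of who owned it before. Unlike the disk loop, the new `if` has no readonly/shared-style exemption, and its early `return -1` on failure skips the disk loop that follows, so on restore a failure re-owning the kernel would leave the disks still owned by the qemu user. A comment on the new block recording that both files are re-owned unconditionally in both directions, e.g. `/* kernel/initrd have no readonly/shared exemption: always re-own them, in both directions */`, would document the choice; whether the function could instead record the error and continue on restore depends on code outside the hunk, since qemuDomainSetAllDeviceOwnership starts before it.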

Allow qemu user to open kernel/initrds in this dir, but still prevent others from listing it.
* libvirt.spec.in: set /var/lib/libvirt/boot perms to 0711
---
 libvirt.spec.in | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/libvirt.spec.in b/libvirt.spec.in
index 66ec070..dad97ec 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -490,7 +490,7 @@ fi
 
 %dir %{_localstatedir}/lib/libvirt/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/boot/
+%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/boot/
 %dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
 
 %if %{with_qemu}
-- 
1.6.2.5
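Review bot: Loosening `%{_localstatedir}/lib/libvirt/boot/` from 0700 to 0711 makes the directory traversable by every local user, so confidentiality of the kernels and initrds placed there now rests on the per-file mode and on the chown done by the companion qemu_driver.c patch, neither of which the spec controls. A one-line comment above the changed `%dir` entry recording why search permission was granted would keep a later cleanup from tightening it back and breaking unprivileged qemu, e.g. `# 0711: the qemu user must be able to open kernel/initrd files here; the dir stays unlistable by others`. It is worth confirming separately that whatever writes into this directory creates files with a restrictive mode, since the directory mode alone no longer protects them.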

On Thu, Aug 06, 2009 at 03:48:45PM +0100, Mark McLoughlin wrote:
Allow qemu user to open kernel/initrds in this dir, but still prevent others from listing it.
* libvirt.spec.in: set /var/lib/libvirt/boot perms to 0711
ACK
---
 libvirt.spec.in | 2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/libvirt.spec.in b/libvirt.spec.in
index 66ec070..dad97ec 100644
--- a/libvirt.spec.in
+++ b/libvirt.spec.in
@@ -490,7 +490,7 @@ fi
 
 %dir %{_localstatedir}/lib/libvirt/
 %dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/images/
-%dir %attr(0700, root, root) %{_localstatedir}/lib/libvirt/boot/
+%dir %attr(0711, root, root) %{_localstatedir}/lib/libvirt/boot/
 %dir %attr(0700, root, root) %{_localstatedir}/cache/libvirt/
 
 %if %{with_qemu}
-- 
Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On Thu, Aug 06, 2009 at 03:48:44PM +0100, Mark McLoughlin wrote:
If we're running qemu unprivileged, we need to chown any supplied kernel or initrd before spawning it.
* src/qemu_driver.c: rename qemuDomainSetDiskOwnership() to qemuDomainSetFileOwnership(), pass it a path string instead of a disk definition and use it for chowning the kernel/initrd in qemuDomainSetAllDeviceOwnership()
---
 src/qemu_driver.c | 20 ++++++++++++--------
 1 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/src/qemu_driver.c b/src/qemu_driver.c
index 412b68d..bd58435 100644
--- a/src/qemu_driver.c
+++ b/src/qemu_driver.c
@@ -1684,18 +1684,18 @@ static int qemuDomainSetHostdevOwnership(virConnectPtr conn,
 }
 
 
-static int qemuDomainSetDiskOwnership(virConnectPtr conn,
-                                      virDomainDiskDefPtr def,
+static int qemuDomainSetFileOwnership(virConnectPtr conn,
+                                      const char *path,
                                       uid_t uid, gid_t gid)
 {
-    if (!def->src)
+    if (!path)
         return 0;
 
-    VIR_DEBUG("Setting ownership on %s to %d:%d", def->src, uid, gid);
-    if (chown(def->src, uid, gid) < 0) {
+    VIR_DEBUG("Setting ownership on %s to %d:%d", path, uid, gid);
+    if (chown(path, uid, gid) < 0) {
         virReportSystemError(conn, errno,
                              _("cannot set ownership on %s"),
-                             def->src);
+                             path);
         return -1;
     }
     return 0;
@@ -1725,7 +1725,7 @@ static int qemuDomainSetDeviceOwnership(virConnectPtr conn,
             (def->data.disk->readonly || def->data.disk->shared))
             return 0;
 
-        return qemuDomainSetDiskOwnership(conn, def->data.disk, uid, gid);
+        return qemuDomainSetFileOwnership(conn, def->data.disk->src, uid, gid);
 
     case VIR_DOMAIN_DEVICE_HOSTDEV:
         return qemuDomainSetHostdevOwnership(conn, def->data.hostdev, uid, gid);
@@ -1753,12 +1753,16 @@ static int qemuDomainSetAllDeviceOwnership(virConnectPtr conn,
     uid = restore ? 0 : driver->user;
     gid = restore ? 0 : driver->group;
 
+    if (qemuDomainSetFileOwnership(conn, def->os.kernel, uid, gid) < 0 ||
+        qemuDomainSetFileOwnership(conn, def->os.initrd, uid, gid) < 0)
+        return -1;
+
     for (i = 0 ; i < def->ndisks ; i++) {
         if (restore &&
             (def->disks[i]->readonly || def->disks[i]->shared))
             continue;
 
-        if (qemuDomainSetDiskOwnership(conn, def->disks[i], uid, gid) < 0)
+        if (qemuDomainSetFileOwnership(conn, def->disks[i]->src, uid, gid) < 0)
             return -1;
     }
 
ACK Daniel -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|