4:03 p.m.
When dynamic_ownership=0, saved images must be owned by the same uid
as is used to run the qemu process, otherwise restore won't work. To
accomplish this, qemuSecurityDACRestoreSavedStateLabel() needs to
simply return when it's called.
This fix is in response to:
https://bugzilla.redhat.com/show_bug.cgi?id=661720
---
Note that this still leaves open the issue discovered in this bug - if
the saved image file already exists when it is "created" for the new
save, whatever mode it has will be maintained, rather than forcing
0600. It would be simple to force the mode to 0600 (just add a flag to
virFileOperation(), but I'm not sure if it would be safe to do so
right now without a *lot* of testing (I'm concerned about possible
scenarios where the chmod() that's done when the FORCE_PERMISSIONS
flag is set might fail, making a previously working case fail). Any
opinions on that? (At any rate, it should be done in a separate patch
if we decide to do it).
src/qemu/qemu_security_dac.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
index b5c52d1..6b6170a 100644
--- a/src/qemu/qemu_security_dac.c
+++ b/src/qemu/qemu_security_dac.c
@@ -533,7 +533,7 @@ qemuSecurityDACRestoreSavedStateLabel(virSecurityDriverPtr drv
ATTRIBUTE_UNUSED,
virDomainObjPtr vm ATTRIBUTE_UNUSED,
const char *savefile)
{
- if (!driver->privileged)
+ if (!driver->privileged || !driver->dynamicOwnership)
return 0;
return qemuSecurityDACRestoreSecurityFileLabel(savefile);
--
1.7.3.4
4:26 p.m.
On 01/05/2011 03:03 PM, Laine Stump wrote:
When dynamic_ownership=0, saved images must be owned by the same uid
as is used to run the qemu process, otherwise restore won't work. To
accomplish this, qemuSecurityDACRestoreSavedStateLabel() needs to
simply return when it's called.
This fix is in response to:
https://bugzilla.redhat.com/show_bug.cgi?id=661720
ACK.
---
Note that this still leaves open the issue discovered in this bug - if
the saved image file already exists when it is "created" for the new
save, whatever mode it has will be maintained, rather than forcing
0600. It would be simple to force the mode to 0600 (just add a flag to
virFileOperation(), but I'm not sure if it would be safe to do so
right now without a *lot* of testing (I'm concerned about possible
scenarios where the chmod() that's done when the FORCE_PERMISSIONS
flag is set might fail, making a previously working case fail). Any
opinions on that? (At any rate, it should be done in a separate patch
if we decide to do it).
For that matter, we could argue that the bug is in whatever code created
the file with the overly-permissive permissions in the first place, and
that libvirt should not change (what gives libvirt the right to decide
to lock down permissions on an already existing file?). So _if_ we
decide that libvirt needs to do anything at all, then it's definitely
material for a separate patch.
--
Eric Blake eblake(a)redhat.com +1-801-349-2682
Libvirt virtualization library http://libvirt.org
10:20 a.m.
On 01/05/2011 05:26 PM, Eric Blake wrote:
On 01/05/2011 03:03 PM, Laine Stump wrote:
> When dynamic_ownership=0, saved images must be owned by the same uid
> as is used to run the qemu process, otherwise restore won't work. To
> accomplish this, qemuSecurityDACRestoreSavedStateLabel() needs to
> simply return when it's called.
>
> This fix is in response to:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=661720
ACK.
Thanks. I pushed this last night after I saw your ACK, but forgot to
reply until now.
4:50 a.m.
On Wed, Jan 05, 2011 at 05:03:48PM -0500, Laine Stump wrote:
When dynamic_ownership=0, saved images must be owned by the same uid
as is used to run the qemu process, otherwise restore won't work. To
accomplish this, qemuSecurityDACRestoreSavedStateLabel() needs to
simply return when it's called.
This fix is in response to:
https://bugzilla.redhat.com/show_bug.cgi?id=661720
---
Note that this still leaves open the issue discovered in this bug - if
the saved image file already exists when it is "created" for the new
save, whatever mode it has will be maintained, rather than forcing
0600. It would be simple to force the mode to 0600 (just add a flag to
virFileOperation(), but I'm not sure if it would be safe to do so
right now without a *lot* of testing (I'm concerned about possible
scenarios where the chmod() that's done when the FORCE_PERMISSIONS
flag is set might fail, making a previously working case fail). Any
opinions on that? (At any rate, it should be done in a separate patch
if we decide to do it).
We should unlink() the target path first, and then try to
create it with O_CREAT|O_EXCL to ensure we are the ones
who are creating it. Of course the unlink may well need
to be re-tried as with user who owns the file, in case of
root squash NFS
Daniel
10:19 a.m.
On 01/06/2011 05:50 AM, Daniel P. Berrange wrote:
On Wed, Jan 05, 2011 at 05:03:48PM -0500, Laine Stump wrote:
> When dynamic_ownership=0, saved images must be owned by the same uid
> as is used to run the qemu process, otherwise restore won't work. To
> accomplish this, qemuSecurityDACRestoreSavedStateLabel() needs to
> simply return when it's called.
>
> This fix is in response to:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=661720
> ---
>
> Note that this still leaves open the issue discovered in this bug - if
> the saved image file already exists when it is "created" for the new
> save, whatever mode it has will be maintained, rather than forcing
> 0600. It would be simple to force the mode to 0600 (just add a flag to
> virFileOperation(), but I'm not sure if it would be safe to do so
> right now without a *lot* of testing (I'm concerned about possible
> scenarios where the chmod() that's done when the FORCE_PERMISSIONS
> flag is set might fail, making a previously working case fail). Any
> opinions on that? (At any rate, it should be done in a separate patch
> if we decide to do it).
We should unlink() the target path first, and then try to
create it with O_CREAT|O_EXCL to ensure we are the ones
who are creating it. Of course the unlink may well need
to be re-tried as with user who owns the file, in case of
root squash NFS
Do you think it's safe to put in such a change now? Or should we wait
until after the upcoming release(s)?
5099
days inactive
5100
days old
4 comments
3 participants
participants (3)
-
Daniel P. Berrange -
Eric Blake -
Laine Stump