[libvirt] [PATCH] Set security label on FD for virDomainOpenGraphics

From: "Daniel P. Berrange" <berrange@redhat.com> The virDomainOpenGraphics method accepts a UNIX socket FD from the client app. It must set the label on this FD otherwise QEMU will be prevented from receiving it with recvmsg. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/qemu/qemu_driver.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 5124f27..0a8e518 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -14777,6 +14777,10 @@ qemuDomainOpenGraphics(virDomainPtr dom, goto cleanup; } + if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, + fd) < 0) + goto cleanup; + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) goto cleanup; qemuDomainObjEnterMonitor(driver, vm); -- 1.8.3.1
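Review bot: In qemuDomainOpenGraphics the new virSecurityManagerSetImageFDLabel call relabels the client-supplied fd before qemuDomainObjBeginJob, and the hunk shows no counterpart that restores the label if the BeginJob failure path right after it is taken, so the caller's socket can end up relabelled without ever being handed to QEMU. Consider moving the call after the job is acquired, or stating in a comment that leaving the label in place on error is intentional. A one-line comment above the call would also help the reader, since the helper name says "Image" while the fd here is a UNIX socket, and the reason for the call (QEMU cannot receive an unlabelled fd with recvmsg) is recorded only in the commit message.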

On 22.08.2013 13:39, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
The virDomainOpenGraphics method accepts a UNIX socket FD from the client app. It must set the label on this FD otherwise QEMU will be prevented from receiving it with recvmsg.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(*)
--- src/qemu/qemu_driver.c | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c index 5124f27..0a8e518 100644 --- a/src/qemu/qemu_driver.c +++ b/src/qemu/qemu_driver.c @@ -14777,6 +14777,10 @@ qemuDomainOpenGraphics(virDomainPtr dom, goto cleanup; }
+ if (virSecurityManagerSetImageFDLabel(driver->securityManager, vm->def, + fd) < 0) + goto cleanup; + if (qemuDomainObjBeginJob(driver, vm, QEMU_JOB_MODIFY) < 0) goto cleanup; qemuDomainObjEnterMonitor(driver, vm);
ACK

Michal

* Side note - I've noticed more and more signed-off patches. Does this mean we are seamlessly moving to make it a standard?

On Thu, Aug 22, 2013 at 01:52:17PM +0200, Michal Privoznik wrote:
On 22.08.2013 13:39, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange@redhat.com>
The virDomainOpenGraphics method accepts a UNIX socket FD from the client app. It must set the label on this FD otherwise QEMU will be prevented from receiving it with recvmsg.
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(*)
* Side note - I've noticed more and more signed-off patches. Does this mean we are seamlessly moving to make it a standard?
I do it as a matter of habit on everything I commit these days to any project I'm involved in. If people think we should make it mandatory for libvirt, I'd be supportive of that, but I don't feel strongly enough to force the issue myself right now.

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|