Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:15-SP4
libvirt.16761
673f805d-qemu-chown-uniqDir.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 673f805d-qemu-chown-uniqDir.patch of Package libvirt.16761
commit 673f805d4df2484bc2a5cc637524e92c0cbc5584 Author: Martin Kletzander <mkletzan@redhat.com> Date: Fri Apr 12 15:22:48 2019 +0200 qemu: Label uniqDir when probing capabilities This does not cause a problem in usual scenarios thanks to us allowing CAP_DAC_OVERRIDE for the qemu process, however in some scenarios this might be an issue because the directory is created with mkdtemp(3) which explicitly creates that with 0700 permissions and qemu running as non-root cannot access that. The scenarios include: - Builds without CAPNG - Running libvirtd in certain container configurations [1] - and possibly others. [1] https://github.com/kubevirt/kubevirt/pull/2181#issuecomment-481840304 Signed-off-by: Martin Kletzander <mkletzan@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> Index: libvirt-5.1.0/src/qemu/qemu_process.c =================================================================== --- libvirt-5.1.0.orig/src/qemu/qemu_process.c +++ libvirt-5.1.0/src/qemu/qemu_process.c @@ -8431,6 +8431,21 @@ qemuProcessQMPNew(const char *binary, static int +qemuProcessQEMULabelUniqPath(qemuProcessQMPPtr proc) +{ + /* We cannot use the security driver here, but we should not need to. */ + if (chown(proc->uniqDir, proc->runUid, -1) < 0) { + virReportSystemError(errno, + _("Cannot chown uniq path: %s"), + proc->uniqDir); + return -1; + } + + return 0; +} + + +static int qemuProcessQMPInit(qemuProcessQMPPtr proc) { char *template = NULL; @@ -8449,6 +8464,9 @@ qemuProcessQMPInit(qemuProcessQMPPtr pro goto cleanup; } + if (qemuProcessQEMULabelUniqPath(proc) < 0) + goto cleanup; + if (virAsprintf(&proc->monpath, "%s/%s", proc->uniqDir, "qmp.monitor") < 0) goto cleanup;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor