diff mbox series

[v2,2/2] security: dac: relabel spice rendernode

Message ID 5531dc0a1a754d362478b2cda42b905a7bbb72d5.1503850638.git.crobinso@redhat.com
State Accepted
Commit 98931187eefdec6f2dea5cb82ab6d23a3ffa6634
Headers show
Series dac: relabel spice rendernode | expand

Commit Message

Cole Robinson Aug. 27, 2017, 4:20 p.m. UTC 
For a logged in user this a path like /dev/dri/renderD128 will have
default ownership root:video which won't work for the qemu:qemu user,
so we need to chown it.

We only do this when mount namespaces are enabled in the qemu driver,
so the chown'ing doesn't interfere with other users of the shared
render node path

https://bugzilla.redhat.com/show_bug.cgi?id=1460804
Signed-off-by: Cole Robinson <crobinso@redhat.com>

---
The restore bit is also motivated by a bug I hit when testing this:

DAC /dev/* permissions are 'restored' to root:root even with mount
namespaces enabled:
https://bugzilla.redhat.com/show_bug.cgi?id=1485719

 src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

-- 
2.13.5

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
diff mbox series

Patch

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 507be44a2..349dbe81d 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1381,6 +1381,54 @@  virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
 
 
 static int
+virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
+                               virDomainDefPtr def,
+                               virDomainGraphicsDefPtr gfx)
+
+{
+    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+    virSecurityLabelDefPtr seclabel;
+    uid_t user;
+    gid_t group;
+
+    /* Skip chowning the shared render file if namespaces are disabled */
+    if (!priv->mountNamespace)
+        return 0;
+
+    seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+    if (seclabel && !seclabel->relabel)
+        return 0;
+
+    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+        return -1;
+
+    if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
+        gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
+        gfx->data.spice.rendernode) {
+        if (virSecurityDACSetOwnership(priv, NULL,
+                                       gfx->data.spice.rendernode,
+                                       user, group) < 0)
+            return -1;
+    }
+
+    return 0;
+}
+
+
+static int
+virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+                               virDomainDefPtr def ATTRIBUTE_UNUSED,
+                               virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSED)
+
+{
+    /* The only graphics labelling we do is dependent on mountNamespaces,
+       in which case 'restoring' the label doesn't actually accomplish
+       anything, so there's nothing to do here */
+    return 0;
+}
+
+
+static int
 virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
                             virDomainDefPtr def,
                             virDomainInputDefPtr input)
@@ -1491,6 +1539,11 @@  virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
             rc = -1;
     }
 
+    for (i = 0; i < def->ngraphics; i++) {
+        if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+            return -1;
+    }
+
     for (i = 0; i < def->ninputs; i++) {
         if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
             rc = -1;
@@ -1611,6 +1664,11 @@  virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
             return -1;
     }
 
+    for (i = 0; i < def->ngraphics; i++) {
+        if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+            return -1;
+    }
+
     for (i = 0; i < def->ninputs; i++) {
         if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0)
             return -1;