From nobody Mon Apr 29 04:39:37 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1542030977985497.39738775202295; Mon, 12 Nov 2018 05:56:17 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3624280F9F; Mon, 12 Nov 2018 13:56:14 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 1244B6091C; Mon, 12 Nov 2018 13:56:13 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 82ADB4CAA7; Mon, 12 Nov 2018 13:56:12 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id wACDoUWx022334 for ; Mon, 12 Nov 2018 08:50:30 -0500 Received: by smtp.corp.redhat.com (Postfix) id 750581974D; Mon, 12 Nov 2018 13:50:30 +0000 (UTC) Received: from unknown4CEB42C824F4.redhat.com (ovpn-116-107.phx2.redhat.com [10.3.116.107]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2FA3C19940 for ; Mon, 12 Nov 2018 13:50:30 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Mon, 12 Nov 2018 08:50:18 -0500 Message-Id: <20181112135020.26427-2-jferlan@redhat.com> In-Reply-To: <20181112135020.26427-1-jferlan@redhat.com> References: <20181112135020.26427-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 1/3] Revert "access: Modify the VIR_ERR_ACCESS_DENIED to include driverName" X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Mon, 12 Nov 2018 13:56:15 +0000 (UTC) Content-Type: text/plain; charset="utf-8" This reverts commit ccc72d5cbdd85f66cb737134b3be40aac1df03ef. Based on upstream comment to a follow-up patch, this didn't take the right approach and the right thing to do is revert and rework. Signed-off-by: John Ferlan --- src/access/viraccessmanager.c | 25 ++++++++++++------------- src/rpc/gendispatch.pl | 2 +- src/util/virerror.c | 4 ++-- 3 files changed, 15 insertions(+), 16 deletions(-) diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c index 1dfff32b9d..e7b5bf38da 100644 --- a/src/access/viraccessmanager.c +++ b/src/access/viraccessmanager.c @@ -196,12 +196,11 @@ static void virAccessManagerDispose(void *object) * should the admin need to debug things */ static int -virAccessManagerSanitizeError(int ret, - const char *driverName) +virAccessManagerSanitizeError(int ret) { if (ret < 0) { virResetLastError(); - virAccessError(VIR_ERR_ACCESS_DENIED, driverName, NULL); + virAccessError(VIR_ERR_ACCESS_DENIED, NULL); } =20 return ret; 
@@ -218,7 +217,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr ma= nager, if (manager->drv->checkConnect) ret =3D manager->drv->checkConnect(manager, driverName, perm); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 =20 @@ -234,7 +233,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr man= ager, if (manager->drv->checkDomain) ret =3D manager->drv->checkDomain(manager, driverName, domain, per= m); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 int virAccessManagerCheckInterface(virAccessManagerPtr manager, @@ -249,7 +248,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr = manager, if (manager->drv->checkInterface) ret =3D manager->drv->checkInterface(manager, driverName, iface, p= erm); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 int virAccessManagerCheckNetwork(virAccessManagerPtr manager, @@ -264,7 +263,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr ma= nager, if (manager->drv->checkNetwork) ret =3D manager->drv->checkNetwork(manager, driverName, network, p= erm); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager, @@ -279,7 +278,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr= manager, if (manager->drv->checkNodeDevice) ret =3D manager->drv->checkNodeDevice(manager, driverName, nodedev= , perm); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 int virAccessManagerCheckNWFilter(virAccessManagerPtr manager, 
@@ -294,7 +293,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr m= anager, if (manager->drv->checkNWFilter) ret =3D manager->drv->checkNWFilter(manager, driverName, nwfilter,= perm); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager, @@ -309,7 +308,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManag= erPtr manager, if (manager->drv->checkNWFilterBinding) ret =3D manager->drv->checkNWFilterBinding(manager, driverName, bi= nding, perm); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 int virAccessManagerCheckSecret(virAccessManagerPtr manager, @@ -324,7 +323,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr man= ager, if (manager->drv->checkSecret) ret =3D manager->drv->checkSecret(manager, driverName, secret, per= m); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 int virAccessManagerCheckStoragePool(virAccessManagerPtr manager, @@ -339,7 +338,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPt= r manager, if (manager->drv->checkStoragePool) ret =3D manager->drv->checkStoragePool(manager, driverName, pool, = perm); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } =20 int virAccessManagerCheckStorageVol(virAccessManagerPtr manager, @@ -355,5 +354,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr= manager, if (manager->drv->checkStorageVol) ret =3D manager->drv->checkStorageVol(manager, driverName, pool, v= ol, perm); =20 - return virAccessManagerSanitizeError(ret, driverName); + return virAccessManagerSanitizeError(ret); } diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl index f599002056..0c4648c0fb 100755 --- a/src/rpc/gendispatch.pl +++ b/src/rpc/gendispatch.pl 
@@ -2199,7 +2199,7 @@ elsif ($mode eq "client") { print " virObjectUnref(mgr);\n"; if ($action eq "Ensure") { print " if (rv =3D=3D 0)\n"; - print " virReportError(VIR_ERR_ACCESS_D= ENIED, conn->driver->name, NULL);\n"; + print " virReportError(VIR_ERR_ACCESS_D= ENIED, NULL);\n"; print " return $fail;\n"; } else { print " virResetLastError();\n"; diff --git a/src/util/virerror.c b/src/util/virerror.c index 10f1b55c5f..683e51aa19 100644 --- a/src/util/virerror.c +++ b/src/util/virerror.c 
@@ -1442,9 +1442,9 @@ virErrorMsg(virErrorNumber error, const char *info) break; case VIR_ERR_ACCESS_DENIED: if (info =3D=3D NULL) - errmsg =3D _("access denied from '%s'"); + errmsg =3D _("access denied"); else - errmsg =3D _("access denied from '%s': %s"); + errmsg =3D _("access denied: %s"); break; case VIR_ERR_DBUS_SERVICE: if (info =3D=3D NULL) --=20 2.17.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Mon Apr 29 04:39:37 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1542031509712662.8871449416009; Mon, 12 Nov 2018 06:05:09 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3CE3E3084244; Mon, 12 Nov 2018 14:05:06 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id C42915C207; Mon, 12 Nov 2018 14:05:03 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id D53BC4BB79; Mon, 12 Nov 2018 14:05:00 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 
wACDoXQ2022354 for ; Mon, 12 Nov 2018 08:50:33 -0500 Received: by smtp.corp.redhat.com (Postfix) id 7889B19940; Mon, 12 Nov 2018 13:50:33 +0000 (UTC) Received: from unknown4CEB42C824F4.redhat.com (ovpn-116-107.phx2.redhat.com [10.3.116.107]) by smtp.corp.redhat.com (Postfix) with ESMTP id 337D819743 for ; Mon, 12 Nov 2018 13:50:30 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Mon, 12 Nov 2018 08:50:19 -0500 Message-Id: <20181112135020.26427-3-jferlan@redhat.com> In-Reply-To: <20181112135020.26427-1-jferlan@redhat.com> References: <20181112135020.26427-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 2/3] access: Modify the VIR_ERR_ACCESS_DENIED to include driverName X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.40]); Mon, 12 Nov 2018 14:05:08 +0000 (UTC) Content-Type: text/plain; charset="utf-8" https://bugzilla.redhat.com/show_bug.cgi?id=3D1631606 Changes made to manage and utilize a secondary connection driver to APIs outside the scope of the primary connection driver have resulted in some confusion processing polkit rules since the simple "access denied" error message doesn't provide enough of a clue when combined with the "authentication failed: access denied by policy" as to which connection driver refused or failed the ACL check. In order to provide some context, let's modify the existing "access denied" error returned from the various vir*EnsureACL API's to provide the connection driver name that is causing the failure. This should provide the context for writing the polkit rules that would allow access via the driver, but yet still adhere to the virAccessManagerSanitizeError commentary regarding not telling the user why access was denied. 
Signed-off-by: John Ferlan --- src/access/viraccessmanager.c | 26 ++++++++++++++------------ src/rpc/gendispatch.pl | 3 ++- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c index e7b5bf38da..f5d62604cf 100644 --- a/src/access/viraccessmanager.c +++ b/src/access/viraccessmanager.c @@ -196,11 +196,13 @@ static void virAccessManagerDispose(void *object) * should the admin need to debug things */ static int -virAccessManagerSanitizeError(int ret) +virAccessManagerSanitizeError(int ret, + const char *driverName) { if (ret < 0) { virResetLastError(); - virAccessError(VIR_ERR_ACCESS_DENIED, NULL); + virAccessError(VIR_ERR_ACCESS_DENIED, + _("'%s' denied access"), driverName); } =20 return ret; @@ -217,7 +219,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr ma= nager, if (manager->drv->checkConnect) ret =3D manager->drv->checkConnect(manager, driverName, perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 =20 @@ -233,7 +235,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr man= ager, if (manager->drv->checkDomain) ret =3D manager->drv->checkDomain(manager, driverName, domain, per= m); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckInterface(virAccessManagerPtr manager, @@ -248,7 +250,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr = manager, if (manager->drv->checkInterface) ret =3D manager->drv->checkInterface(manager, driverName, iface, p= erm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckNetwork(virAccessManagerPtr manager, 
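Review bot: In virAccessManagerSanitizeError, `driverName` is now passed to a `'%s'` conversion without a NULL check, and nothing in these hunks shows that every virAccessManagerCheck* caller supplies a non-NULL name. Wrapping it as `_("'%s' denied access"), NULLSTR(driverName)` keeps the denial path well-defined even if a caller passes NULL. The comment above the function, which starts outside the hunk, still describes a fully sanitized error. It should gain a sentence such as `The connection driver name is the only detail deliberately exposed to the caller`, so that later edits do not add further policy detail to this message.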
@@ -263,7 +265,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr ma= nager, if (manager->drv->checkNetwork) ret =3D manager->drv->checkNetwork(manager, driverName, network, p= erm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager, @@ -278,7 +280,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr= manager, if (manager->drv->checkNodeDevice) ret =3D manager->drv->checkNodeDevice(manager, driverName, nodedev= , perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckNWFilter(virAccessManagerPtr manager, @@ -293,7 +295,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr m= anager, if (manager->drv->checkNWFilter) ret =3D manager->drv->checkNWFilter(manager, driverName, nwfilter,= perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager, @@ -308,7 +310,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManag= erPtr manager, if (manager->drv->checkNWFilterBinding) ret =3D manager->drv->checkNWFilterBinding(manager, driverName, bi= nding, perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckSecret(virAccessManagerPtr manager, @@ -323,7 +325,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr man= ager, if (manager->drv->checkSecret) ret =3D manager->drv->checkSecret(manager, driverName, secret, per= m); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckStoragePool(virAccessManagerPtr manager, 
@@ -338,7 +340,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPt= r manager, if (manager->drv->checkStoragePool) ret =3D manager->drv->checkStoragePool(manager, driverName, pool, = perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckStorageVol(virAccessManagerPtr manager, @@ -354,5 +356,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr= manager, if (manager->drv->checkStorageVol) ret =3D manager->drv->checkStorageVol(manager, driverName, pool, v= ol, perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl index 0c4648c0fb..a8b9f5aeca 100755 --- a/src/rpc/gendispatch.pl +++ b/src/rpc/gendispatch.pl 
@@ -2199,7 +2199,8 @@ elsif ($mode eq "client") { print " virObjectUnref(mgr);\n"; if ($action eq "Ensure") { print " if (rv =3D=3D 0)\n"; - print " virReportError(VIR_ERR_ACCESS_D= ENIED, NULL);\n"; + print " virReportError(VIR_ERR_ACCESS_D= ENIED,\n"; + print" _(\"'%s' denied = access\"), conn->driver->name);\n"; print " return $fail;\n"; } else { print " virResetLastError();\n"; --=20 2.17.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list From nobody Mon Apr 29 04:39:37 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28; envelope-from=libvir-list-bounces@redhat.com; helo=mx1.redhat.com; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of redhat.com designates 209.132.183.28 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com Return-Path: Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) by mx.zohomail.com with SMTPS id 1542031528263263.3009592135562; Mon, 12 Nov 2018 06:05:28 -0800 (PST) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 2C115300157E; Mon, 12 Nov 2018 14:05:25 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id DF8A55D968; Mon, 12 Nov 2018 14:05:24 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 76765181A86C; Mon, 12 Nov 2018 14:05:24 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by lists01.pubmisc.prod.ext.phx2.redhat.com 
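Review bot: The translatable text `'%s' denied access` is now spelled out twice, once in this generated Ensure path and once in virAccessManagerSanitizeError, so the two denial messages can drift apart. A comment on each site naming the other would help, or the generator could emit a call to one shared helper. The added continuation line also starts with `print"` where the neighbouring lines use `print "`. Since the generated code dereferences `conn->driver->name` only on the denial path, please confirm that `conn->driver` is always set for these generated functions. Their bodies lie outside the hunk.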
(8.13.8/8.13.8) with ESMTP id wACDoXmC022359 for ; Mon, 12 Nov 2018 08:50:33 -0500 Received: by smtp.corp.redhat.com (Postfix) id DEE9F19743; Mon, 12 Nov 2018 13:50:33 +0000 (UTC) Received: from unknown4CEB42C824F4.redhat.com (ovpn-116-107.phx2.redhat.com [10.3.116.107]) by smtp.corp.redhat.com (Postfix) with ESMTP id 9F9AB19940 for ; Mon, 12 Nov 2018 13:50:33 +0000 (UTC) 
From: John Ferlan To: libvir-list@redhat.com Date: Mon, 12 Nov 2018 08:50:20 -0500 Message-Id: <20181112135020.26427-4-jferlan@redhat.com> In-Reply-To: <20181112135020.26427-1-jferlan@redhat.com> References: <20181112135020.26427-1-jferlan@redhat.com> X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-loop: libvir-list@redhat.com Subject: [libvirt] [PATCH v2 3/3] qemu: Set identity for the reconnect all thread X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.46]); Mon, 12 Nov 2018 14:05:27 +0000 (UTC) Content-Type: text/plain; charset="utf-8" https://bugzilla.redhat.com/show_bug.cgi?id=3D1631622 If polkit authentication is enabled, an attempt to open the connection failed during virAccessDriverPolkitGetCaller when the call to virIdentityGetCurrent returned NULL resulting in the errors: virAccessDriverPolkitGetCaller:87 : access denied: Policy kit denied action org.libvirt.api.connect.getattr from Because qemuProcessReconnect runs in a thread during daemonRunStateInit processing it doesn't have the thread local identity. Thus when the virGetConnectNWFilter is called as part of the qemuProcessFiltersInstantiate when virDomainConfNWFilterInstantiate is run the attempt to get the identity fails and results in the anonymous error above. To fix this, let's grab/use the virIdentityPtr of the process that will be creating the thread, e.g. what daemonRunStateInit has set and use that for our thread. 
That way any other similar processing that uses/requires an identity for any other call that would have previously been successfully run won't fail in a similar manner. Signed-off-by: John Ferlan --- src/qemu/qemu_process.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c index 1850923914..df7f0bfafb 100644 --- a/src/qemu/qemu_process.c +++ b/src/qemu/qemu_process.c @@ -81,6 +81,7 @@ #include "netdev_bandwidth_conf.h" #include "virresctrl.h" #include "virvsock.h" +#include "viridentity.h" =20 #define VIR_FROM_THIS VIR_FROM_QEMU =20 @@ -7705,6 +7706,7 @@ qemuProcessRefreshCPU(virQEMUDriverPtr driver, struct qemuProcessReconnectData { virQEMUDriverPtr driver; virDomainObjPtr obj; + virIdentityPtr identity; }; /* * Open an existing VM's monitor, re-detect VCPU threads @@ -7742,6 +7744,8 @@ qemuProcessReconnect(void *opaque) bool retry =3D true; bool tryMonReconn =3D false; =20 + virIdentitySetCurrent(data->identity); + virObjectUnref(data->identity); VIR_FREE(data); =20 qemuDomainObjRestoreJob(obj, &oldjob); @@ -7968,6 +7972,7 @@ qemuProcessReconnect(void *opaque) virObjectUnref(cfg); virObjectUnref(caps); virNWFilterUnlockFilterUpdates(); + virIdentitySetCurrent(NULL); return; =20 error: @@ -8011,6 +8016,7 @@ qemuProcessReconnectHelper(virDomainObjPtr obj, =20 memcpy(data, src, sizeof(*data)); data->obj =3D obj; + data->identity =3D virIdentityGetCurrent(); =20 virNWFilterReadLockFilterUpdates(); =20 @@ -8034,6 +8040,7 @@ qemuProcessReconnectHelper(virDomainObjPtr obj, =20 virDomainObjEndAPI(&obj); virNWFilterUnlockFilterUpdates(); + virObjectUnref(data->identity); VIR_FREE(data); return -1; } --=20 2.17.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
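Review bot: The result of `virIdentitySetCurrent(data->identity)` at the top of qemuProcessReconnect is discarded. If setting the thread-local fails, the thread carries on with no identity, and later ACL checks would hit the same anonymous polkit denial this patch is meant to remove. At minimum log it, e.g. `if (virIdentitySetCurrent(data->identity) < 0) VIR_WARN("unable to set identity for reconnect thread");`, before the unref and `VIR_FREE(data)`. The matching `virIdentitySetCurrent(NULL)` in the hunk at -7968 sits directly before `return;`, with the `error:` label after it. Whether the error path also passes through that reset cannot be seen here, because the function body continues outside both hunks.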
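Review bot: The new `identity` member and the assignment `data->identity = virIdentityGetCurrent();` in qemuProcessReconnectHelper carry no comment on ownership or on the NULL case. A short comment on the struct field would cover both, e.g. `/* reference taken by the helper, released by the reconnect thread; NULL if the creating thread has no identity */`. It is also worth stating there that every ACL check made by the reconnect thread is evaluated as the creating thread's identity. That is an access-control decision, and a future reader should not have to reconstruct it from the commit message. The helper's body extends outside the two hunks that touch it, so any other early-return path between the assignment and thread creation should be checked for the same `virObjectUnref(data->identity)`.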