[libvirt] [PATCH v2 0/2] dac: relabel spice rendernode

Cole Robinson posted 2 patches 6 years, 7 months ago
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/cover.1503850638.git.crobinso@redhat.com
Test syntax-check passed
[libvirt] [PATCH v2 0/2] dac: relabel spice rendernode
Posted by Cole Robinson 6 years, 7 months ago
This fixes the last issue preventing qemu:///system spice GL from working
out of the box: chown'ing the rendernode path so we have permissions
to open it.

We skip this if mount namespaces are disabled, so the chown'ing won't
interfere with other rendernode users on the host.

https://bugzilla.redhat.com/show_bug.cgi?id=1460804

v2:
    Add the MOUNT_NAMESPACE handling
    Drop DAC restore of rendernode

Cole Robinson (2):
  security: add MANAGER_MOUNT_NAMESPACE flag
  security: dac: relabel spice rendernode

 src/qemu/qemu_driver.c          |  2 ++
 src/security/security_dac.c     | 68 +++++++++++++++++++++++++++++++++++++++++
 src/security/security_dac.h     |  3 ++
 src/security/security_manager.c |  4 ++-
 src/security/security_manager.h |  1 +
 5 files changed, 77 insertions(+), 1 deletion(-)

-- 
2.13.5

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [PATCH v2 0/2] dac: relabel spice rendernode
Posted by Andrea Bolognani 6 years, 7 months ago
On Sun, 2017-08-27 at 12:20 -0400, Cole Robinson wrote:
> This fixes the last issue preventing qemu:///system spice GL from working
> out of the box: chown'ing the rendernode path so we have permissions
> to open it.
> 
> We skip this if mount namespaces are disabled, so the chown'ing won't
> interfere with other rendernode users on the host.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1460804
> 
> v2:
>     Add the MOUNT_NAMESPACE handling
>     Drop DAC restore of rendernode
> 
> Cole Robinson (2):
>   security: add MANAGER_MOUNT_NAMESPACE flag
>   security: dac: relabel spice rendernode
> 
>  src/qemu/qemu_driver.c          |  2 ++
>  src/security/security_dac.c     | 68 +++++++++++++++++++++++++++++++++++++++++
>  src/security/security_dac.h     |  3 ++
>  src/security/security_manager.c |  4 ++-
>  src/security/security_manager.h |  1 +
>  5 files changed, 77 insertions(+), 1 deletion(-)

Looks reasonable and works as expected on my Fedora 26
installation, so for the entire series:

  Reviewed-by: Andrea Bolognani <abologna@redhat.com>

You should document this in the release notes, though :)

-- 
Andrea Bolognani / Red Hat / Virtualization
