[libvirt] [PATCH] Call initgroups for qemu's uid prior to exec

Eric Blake eblake at redhat.com
Tue Dec 21 21:52:01 UTC 2010


On 12/21/2010 01:45 PM, Laine Stump wrote:
> This patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=664406
> 
> If qemu is run as a different uid, it has been unable to access mode
> 0660 files that are owned by a different user, but with a group that
> the qemu is a member of (aside from the one group listed in the passwd
> file). initgroups will change the group membership of the process (and
> its children) to match the new uid.
> ---
>  src/qemu/qemu_security_dac.c |   27 +++++++++++++++++++++++++++
>  1 files changed, 27 insertions(+), 0 deletions(-)
> 
> diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
> index 55dc0c6..2e60aec 100644
> --- a/src/qemu/qemu_security_dac.c
> +++ b/src/qemu/qemu_security_dac.c
> @@ -12,6 +12,8 @@
>  #include <sys/types.h>
>  #include <sys/stat.h>
>  #include <fcntl.h>
> +#include <pwd.h>
> +#include <grp.h>
>  
>  #include "qemu_security_dac.h"
>  #include "qemu_conf.h"
> @@ -558,6 +560,30 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
>          }
>      }
>      if (driver->user) {
> +        struct passwd pwd, *pwd_result;
> +        char *buf = NULL;
> +        size_t bufsize = 16384;
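
Review bot: `size_t bufsize = 16384;` in the added declarations hard-codes the size of the passwd lookup buffer, so an entry that does not fit can only fail. Size it from `sysconf(_SC_GETPW_R_SIZE_MAX)` with a fallback and grow and retry when the lookup returns ERANGE, ideally in one helper shared with the other caller so the two limits cannot drift. Since `buf` starts as NULL and is heap-allocated, every exit path of the `if (driver->user)` block also needs to free it, and the return values of the lookup and of initgroups should be checked before the uid is changed.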

qemu_driver.c sets this to 1024*1024.  Will that matter?  For that
matter, can't you provide this functionality in a single .c file so that
both qemudOpenAsUID and qemuSecurityDACSetProcessLabel can share the
benefits of common code?

That refactoring probably deserves a v2.

> @@ -566,6 +592,7 @@ qemuSecurityDACSetProcessLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
>          }
>      }
>  
> +
>      return 0;

Spurious whitespace change.

-- 
Eric Blake   eblake at redhat.com    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
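
Added example, not part of this thread or of libvirt's code: a privilege drop that resolves the target uid with a growing lookup buffer and calls initgroups before the uid change, as the commit message describes. The names lookup_user and drop_to_user and the 1 MiB growth cap are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE /* initgroups() is a BSD/glibc extension, not POSIX */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Resolve uid to login name and primary gid, starting with a len-byte buffer.
 * Returns 0 if found, 1 if there is no such entry, -1 on error. */
int lookup_user(uid_t uid, size_t len, char *name, size_t namelen, gid_t *gid)
{
    struct passwd pwd, *res = NULL;
    char *buf = NULL, *tmp;
    int ret = -1;

    while (len > 0 && (tmp = realloc(buf, len)) != NULL) {
        buf = tmp;
        int rc = getpwuid_r(uid, &pwd, buf, len, &res);
        if (rc == ERANGE && len < (1u << 20)) { len *= 2; continue; } /* grow */
        if (rc == 0 && res == NULL) {
            ret = 1;
        } else if (rc == 0 && strlen(pwd.pw_name) < namelen) {
            strcpy(name, pwd.pw_name);
            *gid = pwd.pw_gid;
            ret = 0;
        }
        break;
    }
    free(buf);
    return ret;
}

/* Become uid:gid. Supplementary groups and gid are set while still root;
 * the uid goes last, then we confirm root cannot be regained. */
int drop_to_user(uid_t uid, gid_t gid)
{
    char name[256];
    gid_t primary;
    if (lookup_user(uid, 16384, name, sizeof(name), &primary) != 0)
        return -1;
    if (initgroups(name, gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;
}

int main(void)
{
    char name[256];
    gid_t gid;
    return lookup_user(getuid(), 1, name, sizeof(name), &gid) < 0;
}
```

Without the initgroups call, the process keeps the supplementary groups of the user that started it, which is the access problem the patch addresses.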
