[libvirt] [PATCH 0/12] Improve security driver handling & QEMU DAC management
Dan Kenigsberg
danken at redhat.com
Tue Jan 26 10:06:58 UTC 2010
On Wed, Jan 20, 2010 at 03:14:57PM +0000, Daniel P. Berrange wrote:
> This patch series does some work on te security drivers, and the QEMU code
> for managing DAC permissions on files.
>
> The core goal is to turn the QEMU driver DAC file management code into a
> security driver. Instead of QEMU calling into the SELinux/AppArmour drivers
> directly, a stacked driver module is introduced. This delegates all operations
> to first the QEMU DAC driver, and then the main SELinux/AppArmour driver.
> The end result is that all the permissions management code is removed from
> the QEMU driver, and we're left with just simple security driver calls.
>
> In the process of this a number of flaws in the current hotplug code were
> found, and code was generally tidied up with a view to making it easier to
> manage.
>
> Finally, we add the ability to turn off the QEMU DAC file managment code,
> and also deal gracefully with failures to change ownership (eg on NFS with
> root squash, or readonly FS).
hmmm, there's another problem which this patch set does not address:
error : virStorageFileGetMetadata:415 : cannot open file '/deep/into/my/root/squashing/export': Permission denied
With dynamic_ownership = 0, libvirt down not mess with chown, but it now
assumes that it can read disk images.
Regrards,
Dan.
More information about the libvir-list
mailing list