[libvirt] [PATCHv9 8/9] blockjob: allow mirroring under SELinux and cgroup

Peter Krempa pkrempa at redhat.com
Fri Oct 26 13:42:05 UTC 2012


On 10/23/12 04:10, Eric Blake wrote:
> Use the recent addition of qemuDomainPrepareDiskChainElement to
> obtain locking manager lease, permit a block device through cgroups,
> and set the SELinux label; then audit the fact that we hand a new
> file over to qemu.  Alas, releasing the lease and label at the end
> of the mirroring is a trickier prospect (we would have to trace the
> backing chain of both source and destination, and be sure not to
> revoke rights to any part of the chain that is shared), so for now,
> virDomainBlockJobAbort still leaves things with additional access
> granted (as block-pull and block-commit have the same problem of
> not clamping access after completion, a future cleanup would cover
> all three commands).
>
> * src/qemu/qemu_driver.c (qemuDomainBlockCopy): Set up labeling.
> ---
>   src/qemu/qemu_driver.c | 71 ++++++++++++++++++++++++++++++++++++--------------
>   1 file changed, 52 insertions(+), 19 deletions(-)
>

Hm, Jan will need to figure out how to change qemuOpenFile to work with 
the DAC driver when dealing with the issue with the patch that you 
already pushed. This code also probes under qemu's permissions.

At any rate ACK as nearly nobody cares about the DAC driver yet.

Peter



