[libvirt] [PATCH] security: also parse user/group names instead of just IDs for DAC labels
Peter Krempa
pkrempa at redhat.com
Thu Sep 20 13:00:17 UTC 2012
On 09/20/12 02:31, Eric Blake wrote:
> On 09/19/2012 03:32 PM, Marcelo Cerri wrote:
>> The DAC driver is missing parsing of group and user names for DAC labels
>> and currently just parses uid and gid. This patch extends it to support
>> names, so the following security label definition is now valid:
>>
>> <seclabel type='static' model='dac' relabel='yes'>
>> <label>qemu:qemu</label>
>> <imagelabel>qemu:qemu</imagelabel>
>> </seclabel>
>
> Question for migration - what if qemu is uid/gid 107 on machine A but
> 108 on machine B. Then it might be nice if an explicit use of
> <label>107:107</label> says to preserve uid (but switch effective users)
> on migration, while <label>qemu:qemu</label> says to preserve the user
> identification, in spite of the change in underlying uid. And depending
> on how the shared storage is accessed, such as via NFS with uid mapping,
> preserving user name instead of uid might actually be important.
>
> If that's true, then we need to enhance domain_conf.c to track whether
> the user passed in ids or names in their XML. For that matter, to avoid
> possible ambiguities (since it is legal [although stupid] to have a user
> name consisting of all digits and worse having the name differ from the
> underlying uid), should we have an optional attribute that gives us a
> hint whether the contents are intended as an id number or as a string
> name? That is, I wonder if we'd want something like:
The other option (that I prefer more) would be to document this behavior
and leave it as proposed in this patch. Or maybe just reverse the order
of resolving so that the numerical parsing is done before name parsing.
If we warn the user, that specifying numerical values will result into
using them as UID and GID and strings being translated we filter out the
ambiguity by our design.
I don't think it's worth spending this effort on such a weird corner case.
>
> <label type='id'>107:107</label>
> <imagelabel type='name'>qemu:qemu</label>
>
> except that what happens if I want to mix number and name between uid
> and gid?
>
Mixing them will work in my approach presented here.
Peter
More information about the libvir-list
mailing list