[libvirt] [PATCH] qemu: don't share kerberos caches between domains
Cole Robinson
crobinso at redhat.com
Thu Jan 24 22:53:23 UTC 2013
On 01/23/2013 08:26 PM, Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=718377
> complains that there were some SELinux AVCs when using vnc console
> over Kerberos. The root problem was that Kerberos tries to set up
> a cache file, and if we don't tell it where, then all domains use
> the same cache file, which violates sVirt protections. Setting the
> environment variable unconditionally should be safe, even for setups
> where Kerboros won't actually create a cache file.
>
> * src/qemu/qemu_process.c (qemuProcessStart): Set KRB5CACHEDIR for
> each domain.
> ---
> src/qemu/qemu_process.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
> index 55d00e3..986e8ee 100644
> --- a/src/qemu/qemu_process.c
> +++ b/src/qemu/qemu_process.c
> @@ -1,7 +1,7 @@
> /*
> * qemu_process.h: QEMU process management
> *
> - * Copyright (C) 2006-2012 Red Hat, Inc.
> + * Copyright (C) 2006-2013 Red Hat, Inc.
> *
> * This library is free software; you can redistribute it and/or
> * modify it under the terms of the GNU Lesser General Public
> @@ -3857,6 +3857,8 @@ int qemuProcessStart(virConnectPtr conn,
> virCommandSetPidFile(cmd, priv->pidfile);
> virCommandDaemonize(cmd);
> virCommandRequireHandshake(cmd);
> + virCommandAddEnvFormat(cmd, "KRB5CACHEDIR=%s/%s.krb",
> + driver->cacheDir, vm->def->name);
>
> ret = virCommandRun(cmd, NULL);
>
Thanks for taking a stab at this. The environment variable is actually called
KRB5RCACHEDIR, and I don't think kerberos creates the directory for us.
There's also KRB5RCACHENAME for pointing to a file path.
What all this means is that someone should probably reproduce the bug first :)
Thanks,
Cole
More information about the libvir-list
mailing list