[libvirt] [PATCH RFC 2/4] Introduce virConnectGetDomainCapabilities
Daniel P. Berrange
berrange at redhat.com
Thu Jun 26 10:38:08 UTC 2014
On Thu, Jun 26, 2014 at 12:18:26PM +0200, Michal Privoznik wrote:
> static virNetworkDriver network_driver = {
> diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
> index 4b75bdb..9d141e9 100644
> --- a/src/remote/remote_protocol.x
> +++ b/src/remote/remote_protocol.x
> @@ -5419,5 +5431,11 @@ enum remote_procedure {
> * @generate: none
> * @acl: network:read
> */
> - REMOTE_PROC_NETWORK_GET_DHCP_LEASES_FOR_MAC = 342
> + REMOTE_PROC_NETWORK_GET_DHCP_LEASES_FOR_MAC = 342,
> +
> + /**
> + * @generate: both
> + * @acl: connect:read
As mentioned against cover letter we'll need 'connect:write'
here I think.
Perhaps we could allow for 'connect:read' if-and-only-if
emulatorbin is NULL. ie we'd use the combination of arch
+ machine + virttype to lookup the binary in the primary
capabilities when emulatorbin is NULL. That would avoid
any risk of running arbitrary user provided paths, and
so we safe to allow connect:read there.
Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list