[libvirt] [PATCH v1 05/21] virfile: Introduce ACL helpers

Daniel P. Berrange berrange at redhat.com
Mon Dec 5 12:36:22 UTC 2016

On Thu, Nov 24, 2016 at 03:47:54PM +0100, Michal Privoznik wrote:
> Namely, virFileGetACLs, virFileSetACLs, virFileFreeACLs and
> virFileCopyACLs. These functions are going to be required when we
> are creating /dev for qemu. We have copy anything that's in
> host's /dev exactly as is. Including ACLs.

Do we really ?

IIUC, udev uses ACLs on /dev in order to grant end users in the desktop
session permission on certain device nodes, without chowning the whole

The device nodes in our private /dev only need to be accessible to the
QEMU process we're about to run.

So neither existing ownership, group, permissions, nor ACLs matter at
all. Our security driver code will chown/grp the device to grant
QEMU access and that's all that's needed AFAICT.

What am I missing that requires us to preserve ACLs ?

|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|

More information about the libvir-list mailing list