[libvirt] [PATCH 11/17] util: Introduce libvirt_udevhelper

Daniel P. Berrange berrange at redhat.com
Thu Oct 27 13:08:37 UTC 2016


On Thu, Oct 27, 2016 at 09:25:41AM +0200, Daniel P. Berrange wrote:
> On Thu, Oct 27, 2016 at 08:37:02AM +0200, Jiri Denemark wrote:
> > On Wed, Oct 26, 2016 at 17:39:35 +0200, Daniel P. Berrange wrote:
> > > On Wed, Oct 26, 2016 at 02:36:58PM +0200, Michal Privoznik wrote:
> > > > This is a small helper intended to be run by udev. On its input
> > > > (either as the only command line argument or in DEVNODE
> > > > environment variable) it is given a device and on the output it
> > > > will either put nothing (meaning the device is not used by any of
> > > > the libvirt domains), or it will print out security labels in the
> > > > following form:
> > > > 
> > > >   UID GID SELABEL
> > > 
> > > How is this intended to be actually used ? ie what udev rule are
> > > you creating along with this ?
> > 
> > Yeah, the rule should really be part of this series.
> > 
> > > IMHO we just want the helper to indicate that udev should not do
> > > anything to the device - we should not need udev to ever set labels
> > > itself as libvirt has already set them - we just don't want udev to
> > > remove them. IOW, I don't see the need to print out this info at all.
> > 
> > That would be nice, but unfortunately there's no way to tell udev not to
> > touch a specific device (I discussed this stuff with Michal Sekletar).
> > Other udev rules might have already set UID/GID/SELABEL for the device
> > and we can only change it to contain the required content; we can't
> > reset them to "don't change any of these".
> 
> I think we need to prevent those rules from running - any situation
> in which some rules change permissions and our other rule needs to
> change them back is still very badly race prone.
> 
> My expectation was that the standard udev provided rule which resets
> permissions on file close would be modified to have an extra condition
> in its match rule:
> 
>    ENV{EXTERNALLY_MANAGED}!="yes"
> 
> 
> libvirt would then drop in a rule that runs libvirt_udevhelper and if that
> returns 1, then we set ENV{EXTERNALLY_MANAGED}. This provides a general
> solution that other (non-libvirt) apps can use to prevent the perms
> changing behind their back.

IIUC, we can possibly achieve our goal using GOTO, with two rules.

In a 00-libvirt-early.rules have a rule that runs libvirt_udevhelper
and adds a "GOTO=libvirt-end". Then in zzzzzz-libvirt-late.rules
define the LABEL=libvirt-end. That should cause it to skip over all
intermediate udev rules.


Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://entangle-photo.org       -o-    http://search.cpan.org/~danberr/ :|
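The early/late rule pair sketched in Daniel's last message, combined with the ENV{EXTERNALLY_MANAGED} marker from his earlier one, written out as a constructed example; it is not part of the posted series. It assumes the helper is installed as /usr/libexec/libvirt_udevhelper, takes the device node as its argument, and exits non-zero ("returns 1") when a libvirt domain uses the device.

```udev
# /etc/udev/rules.d/00-libvirt-early.rules
# Constructed example, not the patch's own rule file. Assumptions: helper path
# /usr/libexec/libvirt_udevhelper, device node passed as the argument, and a
# non-zero exit status meaning "this device is in use by a libvirt domain".
#
# PROGRAM!= matches when the program fails, i.e. when the helper reports a
# managed device. Restrict the subsystems so the helper is not forked for
# every uevent on the host. $devnode expands to the /dev path of the device.
ACTION=="add|change", SUBSYSTEM=="block|usb", PROGRAM!="/usr/libexec/libvirt_udevhelper $devnode", ENV{EXTERNALLY_MANAGED}="yes", GOTO="libvirt-end"

# The ENV assignment is kept for two reasons: rule files sorting after the
# late file still run and can honour ENV{EXTERNALLY_MANAGED}!="yes", and the
# property is visible afterwards via `udevadm info`, which makes it easy to
# verify that a device was really treated as externally managed.

# /etc/udev/rules.d/zzzzzz-libvirt-late.rules
# The label must live in the file that sorts last, otherwise any
# permission/SELinux rule placed after it still runs. Note the skip is coarse:
# every rule between the two files is bypassed for the matched device, not
# only the ones resetting ownership and labels, so symlink, tagging or other
# housekeeping rules in that range are skipped too and need checking on each
# distribution.
LABEL="libvirt-end"
```

A GOTO that names a LABEL defined nowhere is rejected when the rules are loaded, so after installing the pair run `udevadm control --reload` and check the journal for parse errors before trusting the skip.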