[libvirt] [PATCH] qemu: Set umask before calling mknod()
Andrea Bolognani
abologna at redhat.com
Mon Feb 13 20:18:30 UTC 2017
When we populate the private /dev that's going to be used by
an isolated QEMU process, we take care all metadata matches
what's in the top-level namespace: in particular, we copy the
file permissions directly.
However, since the permissions passed to mknod() are still
affected by the active umask, we need to set it to a very
permissive value before creating device nodes to avoid file
access issues.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1421036
---
src/qemu/qemu_domain.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index f62bf8f..7993acc 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -7040,6 +7040,7 @@ qemuDomainCreateDeviceRecursive(const char *device,
#ifdef WITH_SELINUX
char *tcon = NULL;
#endif
+ mode_t oldUmask = umask((mode_t) 0);
if (!ttl) {
virReportSystemError(ELOOP,
@@ -7205,6 +7206,7 @@ qemuDomainCreateDeviceRecursive(const char *device,
#ifdef WITH_SELINUX
freecon(tcon);
#endif
+ umask(oldUmask);
return ret;
}
@@ -7678,6 +7680,7 @@ qemuDomainAttachDeviceMknodHelper(pid_t pid ATTRIBUTE_UNUSED,
int ret = -1;
bool delDevice = false;
bool isLink = S_ISLNK(data->sb.st_mode);
+ mode_t oldUmask = umask((mode_t) 0);
virSecurityManagerPostFork(data->driver->securityManager);
@@ -7756,6 +7759,7 @@ qemuDomainAttachDeviceMknodHelper(pid_t pid ATTRIBUTE_UNUSED,
freecon(data->tcon);
#endif
virFileFreeACLs(&data->acl);
+ umask(oldUmask);
return ret;
}
--
2.7.4
More information about the libvir-list
mailing list