[libvirt] [PATCH] security: dac: relabel spice rendernode

Cole Robinson crobinso at redhat.com
Mon Jul 17 16:42:12 UTC 2017


On 07/17/2017 12:35 PM, Daniel P. Berrange wrote:
> On Mon, Jul 17, 2017 at 12:31:50PM -0400, Cole Robinson wrote:
>> For a logged in user, a path like /dev/dri/renderD128 will have
>> default ownership root:video which won't work for the qemu:qemu user,
>> so we need to chown it.
>>
>> Thankfully with the namespace work we don't need to worry about this
>> shutting out other legitimate users
> 
> We support turning off namespaces, in which case this will harm other
> users. So at the very least we need to make this conditional on namespaces
> being enabled.
> 

I can look into that, but then again it's basically the way the DAC driver
already works for potentially more invasive scenarios like /dev/sd*,
/dev/cdrom, USB devices etc etc

- Cole



