[libvirt] [PATCH] security: dac: relabel spice rendernode

Daniel P. Berrange berrange at redhat.com
Tue Jul 18 07:20:39 UTC 2017


On Mon, Jul 17, 2017 at 12:42:12PM -0400, Cole Robinson wrote:
> On 07/17/2017 12:35 PM, Daniel P. Berrange wrote:
> > On Mon, Jul 17, 2017 at 12:31:50PM -0400, Cole Robinson wrote:
> >> For a logged in user this a path like /dev/dri/renderD128 will have
> >> default ownership root:video which won't work for the qemu:qemu user,
> >> so we need to chown it.
> >>
> >> Thankfully with the namespace work we don't need to worry about this
> >> shutting out other legitimate users
> > 
> > We support turning off namespaces, in which case this will harm other
> > users. So at very least we need to make this conditional on namespaces
> > being enabled.
> > 
> 
> I can look into that, but then again it's basically the way the DAC driver
> already works for potentially more invasive scenarios like /dev/sd*,
> /dev/cdrom, USB devices etc etc

My concern is that changing this will break apps in the active desktop
session that are currently using the graphics card too.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|




More information about the libvir-list mailing list