[libvirt] [PATCH] security: dac: relabel spice rendernode
Daniel P. Berrange
berrange at redhat.com
Tue Jul 18 07:20:39 UTC 2017
On Mon, Jul 17, 2017 at 12:42:12PM -0400, Cole Robinson wrote:
> On 07/17/2017 12:35 PM, Daniel P. Berrange wrote:
> > On Mon, Jul 17, 2017 at 12:31:50PM -0400, Cole Robinson wrote:
> >> For a logged in user this a path like /dev/dri/renderD128 will have
> >> default ownership root:video which won't work for the qemu:qemu user,
> >> so we need to chown it.
> >>
> >> Thankfully with the namespace work we don't need to worry about this
> >> shutting out other legitimate users
> >
> > We support turning off namespaces, in which case this will harm other
> > users. So at very least we need to make this conditional on namespaces
> > being enabled.
> >
>
> I can look into that, but then again it's basically the way the DAC driver
> already works for potentially more invasive scenarios like /dev/sd*,
> /dev/cdrom, USB devices etc etc
My concern is that changing this will break apps in the active desktop
session that are currently using the graphics card too.
Regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
More information about the libvir-list
mailing list