[libvirt] [PATCH v2 3/3] qemu: Set identity for the reconnect all thread

Mon Nov 12 13:50:20 UTC 2018

https://bugzilla.redhat.com/show_bug.cgi?id=1631622

If polkit authentication is enabled, an attempt to open
the connection failed during virAccessDriverPolkitGetCaller
when the call to virIdentityGetCurrent returned NULL resulting
in the errors:

  virAccessDriverPolkitGetCaller:87 : access denied:
  Policy kit denied action org.libvirt.api.connect.getattr from <anonymous>

Because qemuProcessReconnect runs in a thread during
daemonRunStateInit processing it doesn't have the thread
local identity. Thus when the virGetConnectNWFilter is
called as part of the qemuProcessFiltersInstantiate when
virDomainConfNWFilterInstantiate is run the attempt to get
the idenity fails and results in the anonymous error above.

To fix this, let's grab/use the virIdenityPtr of the process
that will be creating the thread, e.g. what daemonRunStateInit
has set and use that for our thread. That way any other similar
processing that uses/requires an identity for any other call
that would have previously been successfully run won't fail in
a similar manner.

Signed-off-by: John Ferlan <jferlan at redhat.com>
---
 src/qemu/qemu_process.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 1850923914..df7f0bfafb 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -81,6 +81,7 @@
 #include "netdev_bandwidth_conf.h"
 #include "virresctrl.h"
 #include "virvsock.h"
+#include "viridentity.h"
 
 #define VIR_FROM_THIS VIR_FROM_QEMU
 
@@ -7705,6 +7706,7 @@ qemuProcessRefreshCPU(virQEMUDriverPtr driver,
 struct qemuProcessReconnectData {
     virQEMUDriverPtr driver;
     virDomainObjPtr obj;
+    virIdentityPtr identity;
 };
 /*
  * Open an existing VM's monitor, re-detect VCPU threads
@@ -7742,6 +7744,8 @@ qemuProcessReconnect(void *opaque)
     bool retry = true;
     bool tryMonReconn = false;
 
+    virIdentitySetCurrent(data->identity);
+    virObjectUnref(data->identity);
     VIR_FREE(data);
 
     qemuDomainObjRestoreJob(obj, &oldjob);
@@ -7968,6 +7972,7 @@ qemuProcessReconnect(void *opaque)
     virObjectUnref(cfg);
     virObjectUnref(caps);
     virNWFilterUnlockFilterUpdates();
+    virIdentitySetCurrent(NULL);
     return;
 
  error:
@@ -8011,6 +8016,7 @@ qemuProcessReconnectHelper(virDomainObjPtr obj,
 
     memcpy(data, src, sizeof(*data));
     data->obj = obj;
+    data->identity = virIdentityGetCurrent();
 
     virNWFilterReadLockFilterUpdates();
 
@@ -8034,6 +8040,7 @@ qemuProcessReconnectHelper(virDomainObjPtr obj,
 
         virDomainObjEndAPI(&obj);
         virNWFilterUnlockFilterUpdates();
+        virObjectUnref(data->identity);
         VIR_FREE(data);
         return -1;
     }
-- 
2.17.2


