[libvirt] [PATCH 10/12] security: dac: Relabel the DRI render device for egl-headless too

Erik Skultety eskultet at redhat.com
Thu Nov 22 16:36:08 UTC 2018


Just like for SPICE, we need to change the permissions on the DRI device
used as the @rendernode for egl-headless graphics type.

Signed-off-by: Erik Skultety <eskultet at redhat.com>
---
 src/security/security_dac.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 6b64d2c07a..646b3d4745 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1492,11 +1492,17 @@ virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
                                virDomainGraphicsDefPtr gfx)
 
 {
+    const char *rendernode = NULL;
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
     virSecurityLabelDefPtr seclabel;
     uid_t user;
     gid_t group;
 
+    /* So far, only SPICE and EGL headless support rendering on DRM nodes */
+    if (gfx->type != VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
+        gfx->type != VIR_DOMAIN_GRAPHICS_TYPE_EGL_HEADLESS)
+        return 0;
+
     /* Skip chowning the shared render file if namespaces are disabled */
     if (!priv->mountNamespace)
         return 0;
@@ -1508,14 +1514,13 @@ virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
     if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
         return -1;
 
-    if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
-        gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
-        gfx->data.spice.rendernode) {
-        if (virSecurityDACSetOwnership(mgr, NULL,
-                                       gfx->data.spice.rendernode,
-                                       user, group) < 0)
-            return -1;
-    }
+    if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_EGL_HEADLESS)
+        rendernode = gfx->data.egl_headless.rendernode;
+    else if (gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES)
+        rendernode = gfx->data.spice.rendernode;
+
+    if (virSecurityDACSetOwnership(mgr, NULL, rendernode, user, group) < 0)
+        return -1;
 
     return 0;
 }
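Review bot: The rewritten tail of virSecurityDACSetGraphicsLabel calls virSecurityDACSetOwnership even when `rendernode` is still NULL. That is the case for SPICE when `gl` is not `VIR_TRISTATE_BOOL_YES`, and presumably also for either graphics type when no rendernode is configured. The removed code only changed ownership when `gfx->data.spice.rendernode` was set, so that guard is lost. How virSecurityDACSetOwnership treats a NULL path is not visible in this patch, but a failure there would turn a valid configuration without a render node into a domain start error. Keep the check, e.g. `if (rendernode && virSecurityDACSetOwnership(mgr, NULL, rendernode, user, group) < 0)`; note that the lines of the function between this hunk and the previous one are not shown.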
-- 
2.19.1



