[PATCH 1/2] qemu: Move pid file of pr-helper to stateDir

[Peng Liang]

Libvirt will put the pid file of pr-helper to per-domain directory.
However, the ownership of the per-domain directory is the user to run
the QEMU process and the user has the write permission of the directory.
If VM escape occurs, the attacker can
1. write arbitrary content to the pid file (if running QEMU using root),
   then the attacker can kill any process by writing appropriate pid to
   the pid file;
2. spoof the pid file (if running QEMU using a regular user), then the
   pr-helper process will never be cleared even if the VM is destroyed.

So, move the pid file of pr-helper from per-domain directory to
stateDir just like the pid file of the domain.

Signed-off-by: Peng Liang <liangpeng10 at huawei.com>
---
 src/qemu/qemu_process.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/qemu/qemu_process.c b/src/qemu/qemu_process.c
index 1d0165af6daa..583f3ec76c7b 100644
--- a/src/qemu/qemu_process.c
+++ b/src/qemu/qemu_process.c
@@ -2859,9 +2859,11 @@ static char *
 qemuProcessBuildPRHelperPidfilePath(virDomainObj *vm)
 {
     qemuDomainObjPrivate *priv = vm->privateData;
-    const char *prdAlias = qemuDomainGetManagedPRAlias();
+    g_autofree char *domname = virDomainDefGetShortName(vm->def);
+    g_autofree char *prdName = g_strdup_printf("%s-%s", domname, qemuDomainGetManagedPRAlias());
+    g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
 
-    return virPidFileBuildPath(priv->libDir, prdAlias);
+    return virPidFileBuildPath(cfg->stateDir, prdName);
 }
 
 
-- 
2.31.1