[PATCH 1/4] qemu_namespace: Tolerate missing ACLs when creating a path in namespace

[Martin Kletzander]

On Mon, Sep 12, 2022 at 03:46:38PM +0200, Michal Privoznik wrote:
>When creating a path in a domain's mount namespace we try to set
>ACLs on it, so that it's a verbatim copy of the path in parent's
>namespace. The ACLs are queried upfront (by
>qemuNamespaceMknodItemInit()) but this is fault tolerant so the
>pointer to ACLs might be NULL (meaning no ACLs were queried, for
>instance because the underlying filesystem does not support
>them). But then we take this NULL and pass it to virFileSetACLs()
>which immediately returns an error because NULL is invalid value.
>
>Mimic what we do with SELinux label - just set it if we queried
>it successfully before.
>

It would be less confusing if you just said something along the lines
of:

Only set ACLs if they are non-NULL which includes symlinks.

>Signed-off-by: Michal Privoznik <mprivozn at redhat.com>

Reviewed-by: Martin Kletzander <mkletzan at redhat.com>

>---
> src/qemu/qemu_namespace.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
>diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
>index 98cd794666..71e3366ca5 100644
>--- a/src/qemu/qemu_namespace.c
>+++ b/src/qemu/qemu_namespace.c
>@@ -1040,8 +1040,7 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data)
>         goto cleanup;
>     }
>
>-    /* Symlinks don't have ACLs. */
>-    if (!isLink &&
>+    if (data->acl &&
>         virFileSetACLs(data->file, data->acl) < 0 &&
>         errno != ENOTSUP) {
>         virReportSystemError(errno,
>-- 
>2.35.1
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20220923/8cafada5/attachment.sig>