[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH] Don't chown qemu saved image back to root after save if dynamic_ownership=0

When dynamic_ownership=0, saved images must be owned by the same uid
as is used to run the qemu process, otherwise restore won't work. To
accomplish this, qemuSecurityDACRestoreSavedStateLabel() needs to
simply return when it's called.

This fix is in response to:


Note that this still leaves open the issue discovered in this bug - if
the saved image file already exists when it is "created" for the new
save, whatever mode it has will be maintained, rather than forcing
0600. It would be simple to force the mode to 0600 (just add a flag to
virFileOperation(), but I'm not sure if it would be safe to do so
right now without a *lot* of testing (I'm concerned about possible
scenarios where the chmod() that's done when the FORCE_PERMISSIONS
flag is set might fail, making a previously working case fail). Any
opinions on that? (At any rate, it should be done in a separate patch
if we decide to do it).

 src/qemu/qemu_security_dac.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/src/qemu/qemu_security_dac.c b/src/qemu/qemu_security_dac.c
index b5c52d1..6b6170a 100644
--- a/src/qemu/qemu_security_dac.c
+++ b/src/qemu/qemu_security_dac.c
@@ -533,7 +533,7 @@ qemuSecurityDACRestoreSavedStateLabel(virSecurityDriverPtr drv ATTRIBUTE_UNUSED,
                                       virDomainObjPtr vm ATTRIBUTE_UNUSED,
                                       const char *savefile)
-    if (!driver->privileged)
+    if (!driver->privileged || !driver->dynamicOwnership)
         return 0;
     return qemuSecurityDACRestoreSecurityFileLabel(savefile);

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]