[libvirt] [PATCHv3 3/2] qemu: don't request cgroup ACL access for /dev/net/tun

Laine Stump laine at laine.org
Thu Mar 10 16:27:48 UTC 2011


On 03/09/2011 05:12 PM, Eric Blake wrote:
> Since libvirt always passes /dev/net/tun to qemu via fd, we should
> never trigger the cases where qemu tries to directly open the
> device.  Therefore, it is safer to deny the cgroup device ACL.
>
> * src/qemu/qemu_cgroup.c (defaultDeviceACL): Remove /dev/net/tun.
> * src/qemu/qemu.conf (cgroup_device_acl): Reflect this change.
> ---
>
> Might as well fix this in the process of audit cleanups.  I tested
> that I was still able to access the network through a virtio
> connection with cgroup ACL enforcing in the host after this change.
> And it matches the fact that we did not have a cgroup ACL allow
> for /dev/tapN devices (also passed via fd).
>
>   src/qemu/qemu.conf     |    2 +-
>   src/qemu/qemu_cgroup.c |    2 +-
>   2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
> index 8c6b996..364f555 100644
> --- a/src/qemu/qemu.conf
> +++ b/src/qemu/qemu.conf
> @@ -182,7 +182,7 @@
>   #    "/dev/null", "/dev/full", "/dev/zero",
>   #    "/dev/random", "/dev/urandom",
>   #    "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
> -#    "/dev/rtc", "/dev/hpet", "/dev/net/tun",
> +#    "/dev/rtc", "/dev/hpet",
>   #]
>
>
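Review bot: missing documentation in the commented example list: dropping "/dev/net/tun" without a note leaves an admin who diffs this example against an older qemu.conf unable to tell whether the omission is deliberate. Suggest adding a comment line above the list along the lines of the commit message, e.g. "# /dev/net/tun is deliberately absent: libvirt passes tap devices to qemu via fd", so anyone who uncomments and edits cgroup_device_acl does not re-add it out of habit.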
> diff --git a/src/qemu/qemu_cgroup.c b/src/qemu/qemu_cgroup.c
> index 9a7d42f..8c3eee3 100644
> --- a/src/qemu/qemu_cgroup.c
> +++ b/src/qemu/qemu_cgroup.c
> @@ -37,7 +37,7 @@ static const char *const defaultDeviceACL[] = {
>       "/dev/null", "/dev/full", "/dev/zero",
>       "/dev/random", "/dev/urandom",
>       "/dev/ptmx", "/dev/kvm", "/dev/kqemu",
> -    "/dev/rtc", "/dev/hpet", "/dev/net/tun",
> +    "/dev/rtc", "/dev/hpet",
>       NULL,
>   };
>   #define DEVICE_PTY_MAJOR 136
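Review bot: the safety of this removal rests entirely on the claim in the commit message that libvirt always hands /dev/net/tun to qemu as an fd; if any interface configuration still lets qemu open the device itself, the stricter default ACL turns that into a runtime failure visible only on hosts with cgroup device enforcement on. Suggest stating in the commit message which interface types were checked (the test covered only a virtio connection) so the assumption is recorded alongside the change. The array edit itself is fine: the trailing comma after "/dev/hpet" and the NULL terminator keep defaultDeviceACL well-formed.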

ACK.
