[libvirt] [PATCH 11/17] util: Introduce libvirt_udevhelper

Jiri Denemark jdenemar at redhat.com
Thu Oct 27 14:37:07 UTC 2016


On Thu, Oct 27, 2016 at 15:08:37 +0200, Daniel P. Berrange wrote:
> On Thu, Oct 27, 2016 at 09:25:41AM +0200, Daniel P. Berrange wrote:
> > On Thu, Oct 27, 2016 at 08:37:02AM +0200, Jiri Denemark wrote:
> > > On Wed, Oct 26, 2016 at 17:39:35 +0200, Daniel P. Berrange wrote:
> > > > On Wed, Oct 26, 2016 at 02:36:58PM +0200, Michal Privoznik wrote:
> > > > > This is a small helper intended to be run by udev. On its input
> > > > > (either as the only command line argument or in DEVNODE
> > > > > environment variable) it is given a device and on the output it
> > > > > will either put nothing (meaning the device is not used by any of
> > > > > the libvirt domains), or it will print out security labels in the
> > > > > following form:
> > > > > 
> > > > >   UID GID SELABEL
> > > > 
> > > > How is this intended to be actually used ? ie what udev rule are
> > > > you creating along with this ?
> > > 
> > > Yeah, the rule should really be part of this series.
> > > 
> > > > IMHO we just want the helper to indicate that udev should not do
> > > > anything to the device - we should not need udev to ever set labels
> > > > itself as libvirt has already set them - we just don't want udev to
> > > > remove them. IOW, I don't see the need to print out this info at all.
> > > 
> > > That would be nice, but unfortunately there's no way to tell udev not to
> > > touch a specific device (I discussed this stuff with Michal Sekletar).
> > > Other udev rules might have already set UID/GID/SELABEL for the device
> > > and we can only change it to contain the required content; we can't
> > > reset them to "don't change any of these".
> > 
> > I think we need to prevent those rules from running - any situation
> > in which some rules change permissions and our other rule needs to
> > change them back is still very badly race prone.
> > 
> > My expectation was that the standard udev provided rule which resets
> > permissions on file close would be modified to have an extra condition
> > in its match rule:
> > 
> >    ENV{EXTERNALLY_MANAGED}!="yes"
> > 
> > 
> > libvirt would then drop in a rule which runs libvirt_udevhelper and if that
> > returns 1, then we set ENV{EXTERNALLY_MANAGED}. This provides a general
> > solution that other (non-libvirt) apps can use to prevent the perms
> > changing behind their back.
> 
> IIUC, we can possibly achieve our goal using GOTO, with two rules.
> 
> In a 00-libvirt-early.rules  have a rule that runs libvirt_udevhelper
> and adds a "GOTO=libvirt-end".  Then in zzzzzz-libvirt-late.rules
> define the LABEL=libvirt-end.  That should cause it to skip over all
> intermediate udev rules.

Hmm, sounds like a nice hack around it. I didn't realize goto can jump
to a label defined in a different rule file...

Jirka
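The two-file GOTO/LABEL arrangement sketched in the thread, written out as an added example (not code from the patch series or from libvirt). The helper path, the SUBSYSTEM match and the helper's exit-code convention are assumptions: udev's PROGRAM key matches only on a zero exit status, so the helper is taken to exit 0 when the device belongs to a libvirt domain (the opposite of the "returns 1" wording above).

```udev
# /usr/lib/udev/rules.d/00-libvirt-early.rules   (added example, not from the patch)
# Ask the helper whether this device node is in use by a libvirt domain.
# PROGRAM is a match key that succeeds only when the program exits 0, so the
# helper is assumed to exit 0 for "managed by libvirt" and non-zero otherwise.
# On a match, jump straight to the label in the late file, skipping every rule
# in between, including the stock rules that would reset owner/group/SELinux
# label on close.  Keep the match narrow: matched devices bypass all later rules.
ACTION=="add|change", SUBSYSTEM=="block", PROGRAM="/usr/libexec/libvirt_udevhelper $devnode", GOTO="libvirt-end"

# Variant following the ENV{EXTERNALLY_MANAGED} proposal: tag the device instead
# of jumping, so a stock rule patched with the match  ENV{EXTERNALLY_MANAGED}!="yes"
# leaves it alone while unrelated rules still run for it.
# ACTION=="add|change", SUBSYSTEM=="block", PROGRAM="/usr/libexec/libvirt_udevhelper $devnode", ENV{EXTERNALLY_MANAGED}="yes"

# /usr/lib/udev/rules.d/zzzzzz-libvirt-late.rules
# Target of the GOTO above; the file name sorts after every other rule file,
# so the jump skips all of them.
LABEL="libvirt-end"
```

With the GOTO variant, `udevadm test /sys/class/block/<dev>` shows which rules were skipped for a device the helper claims, which is the quickest way to confirm the permission-resetting rules no longer fire for it.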