[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] security: dac: relabel spice rendernode



On 07/17/2017 12:35 PM, Daniel P. Berrange wrote:
> On Mon, Jul 17, 2017 at 12:31:50PM -0400, Cole Robinson wrote:
>> For a logged in user this a path like /dev/dri/renderD128 will have
>> default ownership root:video which won't work for the qemu:qemu user,
>> so we need to chown it.
>>
>> Thankfully with the namespace work we don't need to worry about this
>> shutting out other legitimate users
> 
> We support turning off namespaces, in which case this will harm other
> users. So at very least we need to make this conditional on namespaces
> being enabled.
> 

I can look into that, but then again it's basically the way the DAC driver
already works for potentially more invasive scenarios like /dev/sd*,
/dev/cdrom, USB devices etc etc

- Cole


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]