1. Patchew
  2. Libvirt
  3. [libvirt] [sandbox 0/6] Misc patches
  4. View patch

[libvirt] [sandbox 2/6] machine: use squash security mode for non-root virt-sandbox mounts

Cédric Bosdonnat posted 6 patches 7 years, 5 months ago
There is a newer version of this series
[libvirt] [sandbox 2/6] machine: use squash security mode for non-root virt-sandbox mounts
Posted by Cédric Bosdonnat 7 years, 5 months ago 
When running virt-sandbox as a user with host-bind mount, the user
can't write in the mounted folder. If run as root, use passthrough
security mode, otherwise use squashed one to fix this.
---
 libvirt-sandbox/libvirt-sandbox-builder-machine.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/libvirt-sandbox/libvirt-sandbox-builder-machine.c b/libvirt-sandbox/libvirt-sandbox-builder-machine.c
index 7204f71..b6f2218 100644
--- a/libvirt-sandbox/libvirt-sandbox-builder-machine.c
+++ b/libvirt-sandbox/libvirt-sandbox-builder-machine.c
@@ -589,7 +589,10 @@ static gboolean gvir_sandbox_builder_machine_construct_devices(GVirSandboxBuilde
 
             fs = gvir_config_domain_filesys_new();
             gvir_config_domain_filesys_set_type(fs, GVIR_CONFIG_DOMAIN_FILESYS_MOUNT);
-            gvir_config_domain_filesys_set_access_type(fs, GVIR_CONFIG_DOMAIN_FILESYS_ACCESS_PASSTHROUGH);
+            if (getuid() == 0)
+                gvir_config_domain_filesys_set_access_type(fs, GVIR_CONFIG_DOMAIN_FILESYS_ACCESS_PASSTHROUGH);
+            else
+                gvir_config_domain_filesys_set_access_type(fs, GVIR_CONFIG_DOMAIN_FILESYS_ACCESS_SQUASH);
             gvir_config_domain_filesys_set_source(fs,
                                                   gvir_sandbox_config_mount_file_get_source(mfile));
             gvir_config_domain_filesys_set_target(fs, target);
-- 
2.15.1

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
Re: [libvirt] [sandbox 2/6] machine: use squash security mode for non-root virt-sandbox mounts
Posted by Daniel P. Berrange 7 years, 5 months ago 
On Tue, Dec 05, 2017 at 10:53:18AM +0100, Cédric Bosdonnat wrote:
> When running virt-sandbox as a user with host-bind mount, the user
> can't write in the mounted folder. If run as root, use passthrough
> security mode, otherwise use squashed one to fix this.
> ---
>  libvirt-sandbox/libvirt-sandbox-builder-machine.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)

Reviewed-by: Daniel P. Berrange <berrange@redhat.com>


Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Patchew 2.1-devel-8c64711

© 2016 - 2025 Red Hat, Inc.