From: Cole Robinson
To: libvirt-list@redhat.com
Date: Sun, 27 Aug 2017 12:20:42 -0400
Message-Id: <5531dc0a1a754d362478b2cda42b905a7bbb72d5.1503850638.git.crobinso@redhat.com>
Subject: [libvirt] [PATCH v2 2/2] security: dac: relabel spice rendernode

For a logged in user, a path like /dev/dri/renderD128 will have default
ownership root:video, which won't work for the qemu:qemu user, so we need
to chown it. We only do this when mount namespaces are enabled in the qemu
driver, so the chown'ing doesn't interfere with other users of the shared
render node path.

https://bugzilla.redhat.com/show_bug.cgi?id=1460804

Signed-off-by: Cole Robinson
---
The restore bit is also motivated by a bug I hit when testing this:
DAC /dev/* permissions are 'restored' to root:root even with mount
namespaces enabled:
https://bugzilla.redhat.com/show_bug.cgi?id=1485719

 src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 507be44a2..349dbe81d 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c @@ -1381,6 +1381,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManager= Ptr mgr, =20 =20 static int +virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr, + virDomainDefPtr def, + virDomainGraphicsDefPtr gfx) + +{ + virSecurityDACDataPtr priv =3D virSecurityManagerGetPrivateData(mgr); + virSecurityLabelDefPtr seclabel; + uid_t user; + gid_t group; + + /* Skip chowning the shared render file if namespaces are disabled */ + if (!priv->mountNamespace) + return 0; + + seclabel =3D virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME); + if (seclabel && !seclabel->relabel) + return 0; + + if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < = 0) + return -1; + + if (gfx->type =3D=3D VIR_DOMAIN_GRAPHICS_TYPE_SPICE && + gfx->data.spice.gl =3D=3D VIR_TRISTATE_BOOL_YES && + gfx->data.spice.rendernode) { + if (virSecurityDACSetOwnership(priv, NULL, + gfx->data.spice.rendernode, + user, group) < 0) + return -1; + } + + return 0; +} + + +static int +virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNU= SED, + virDomainDefPtr def ATTRIBUTE_UNUSED, + virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSE= D) + +{ + /* The only graphics labelling we do is dependent on mountNamespaces, + in which case 'restoring' the label doesn't actually accomplish + anything, so there's nothing to do here */ + return 0; +} + + +static int virSecurityDACSetInputLabel(virSecurityManagerPtr mgr, virDomainDefPtr def, virDomainInputDefPtr input) @@ -1491,6 +1539,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr = mgr, rc =3D -1; } =20 + for (i =3D 0; i < def->ngraphics; i++) { + if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i])= < 0) + return -1; + } + for (i =3D 0; i < def->ninputs; i++) { if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0) rc =3D -1; 
@@ -1611,6 +1664,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr, return -1; } =20 + for (i =3D 0; i < def->ngraphics; i++) { + if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0) + return -1; + } + for (i =3D 0; i < def->ninputs; i++) { if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0) return -1; --=20 2.13.5
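Review bot: In virSecurityDACSetGraphicsLabel (hunk at -1381), the SPICE/gl/rendernode test comes after the seclabel lookup and the virSecurityDACGetIds call, so every VNC or non-GL graphics device still pays for id resolution, and a GetIds failure aborts labelling of a domain that has nothing to chown; move the `if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE && ...rendernode)` check up to directly after the `if (!priv->mountNamespace) return 0;` guard and return 0 early for everything else. Two style points in the same hunk: both new functions have a blank line between the closing `)` of the parameter list and the opening `{`, and the block comment in virSecurityDACRestoreGraphicsLabel has continuation lines without the leading ` * ` that the rest of this file uses. Finally, the no-op restore is only safe because the chown never reaches the shared host node, yet the only guard visible in SetGraphicsLabel is priv->mountNamespace; the comment should say what guarantees the chown lands in the guest's namespace rather than on the host, since if that ever weakened the host's root:video render node would be left as qemu:qemu with no restore path.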
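Review bot: The new graphics loop in virSecurityDACRestoreAllLabel (hunk at -1491) does `return -1` on failure, whereas the surrounding loops in this function (the one ending just above with `rc = -1;` and the inputs loop immediately below) record `rc = -1` and keep going so the remaining labels are still restored. virSecurityDACRestoreGraphicsLabel can only return 0 today, so this is harmless now, but it should be `rc = -1;` for consistency, otherwise a future non-trivial restore would short-circuit the rest of the restore pass and leave other devices mislabelled.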
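The commit message above says a root:video render node "won't work for the qemu:qemu user" and that chowning it inside the mount namespace fixes that. The following is an added example, not libvirt code and not part of the patch: a small C program that implements the plain DAC open check (owner class, else group class including supplementary groups, else other) and applies it to the three relevant situations: the untouched root:video node, the node chowned to qemu:qemu as the patch does, and the alternative of leaving the node alone and adding the qemu user to the video group. The uid/gid values (root 0, video 39, qemu 107) and the device mode 0660 are constructed assumptions, and dac_check_path_rw runs the same check against a real path so it can be pointed at /dev/dri/renderD128 on your own host. It deliberately ignores CAP_DAC_OVERRIDE, POSIX ACLs and LSMs, which is why a QEMU process running as qemu:qemu is stuck with the DAC answer.

```c
/*
 * Added example (not libvirt code): the plain Unix DAC check that decides
 * whether a process may open a device node read-write.  Ignores
 * CAP_DAC_OVERRIDE, ACLs and LSMs on purpose.  All uid/gid numbers below
 * are constructed for the example (root 0, video 39, qemu 107).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Credentials of the process attempting the open. */
struct cred {
    uid_t uid;
    gid_t gid;
    const gid_t *groups;   /* supplementary groups, may be NULL */
    size_t ngroups;
};

/* Ownership and permission bits of the node being opened. */
struct node {
    uid_t uid;
    gid_t gid;
    mode_t mode;           /* permission bits only, e.g. 0660 */
};

static bool cred_in_group(const struct cred *c, gid_t g)
{
    if (c->gid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/*
 * True if open(path, O_RDWR) passes DAC.  Exactly one class applies:
 * owner if the uid matches, otherwise group if any group matches,
 * otherwise other.  A root:video 0660 node therefore denies a qemu:qemu
 * process that is not in the video group.
 */
bool dac_can_open_rw(const struct node *n, const struct cred *c)
{
    mode_t need;
    if (c->uid == n->uid)
        need = S_IRUSR | S_IWUSR;
    else if (cred_in_group(c, n->gid))
        need = S_IRGRP | S_IWGRP;
    else
        need = S_IROTH | S_IWOTH;
    return (n->mode & need) == need;
}

/* The situation in the commit message: node left at root:video. */
bool qemu_can_open_default_rendernode(void)
{
    struct node render = { .uid = 0, .gid = 39, .mode = 0660 };
    struct cred qemu = { .uid = 107, .gid = 107, .groups = NULL, .ngroups = 0 };
    return dac_can_open_rw(&render, &qemu);
}

/* What the patch does inside the guest's mount namespace: chown to qemu:qemu. */
bool qemu_can_open_relabelled_rendernode(void)
{
    struct node render = { .uid = 107, .gid = 107, .mode = 0660 };
    struct cred qemu = { .uid = 107, .gid = 107, .groups = NULL, .ngroups = 0 };
    return dac_can_open_rw(&render, &qemu);
}

/* The alternative the patch avoids: ownership untouched, qemu added to video. */
bool qemu_in_video_can_open_default_rendernode(void)
{
    static const gid_t groups[] = { 39 };
    struct node render = { .uid = 0, .gid = 39, .mode = 0660 };
    struct cred qemu = { .uid = 107, .gid = 107, .groups = groups, .ngroups = 1 };
    return dac_can_open_rw(&render, &qemu);
}

/* Same check for the current process against a real path.
 * Returns 1 (can open rw), 0 (cannot), -1 (path does not exist). */
int dac_check_path_rw(const char *path)
{
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    gid_t groups[64];
    int ngroups = getgroups(64, groups);
    struct cred me = { .uid = geteuid(), .gid = getegid(),
                       .groups = groups,
                       .ngroups = ngroups > 0 ? (size_t)ngroups : 0 };
    struct node n = { .uid = st.st_uid, .gid = st.st_gid,
                      .mode = st.st_mode & 0777 };
    return dac_can_open_rw(&n, &me) ? 1 : 0;
}

int main(void)
{
    printf("qemu:qemu, node root:video 0660:      %s\n",
           qemu_can_open_default_rendernode() ? "allowed" : "denied");
    printf("qemu:qemu, node chowned qemu:qemu:    %s\n",
           qemu_can_open_relabelled_rendernode() ? "allowed" : "denied");
    printf("qemu in video, node root:video 0660:  %s\n",
           qemu_in_video_can_open_default_rendernode() ? "allowed" : "denied");
    int r = dac_check_path_rw("/dev/dri/renderD128");
    printf("this process, /dev/dri/renderD128:    %s\n",
           r < 0 ? "no such node" : r ? "allowed" : "denied");
    return 0;
}
```

Build with `cc -std=c11` and run it as the user you care about. To see what QEMU actually sees once the patch's chown has been applied, run the stat inside the guest's mount namespace (`nsenter -t <qemu pid> -m stat /dev/dri/renderD128`) rather than on the host, where the shared node is expected to keep its root:video ownership.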