From: Cole Robinson <crobinso@redhat.com>
Date: Mon, 17 Jul 2017 08:57:57 -0400
Subject: [PATCH] security: dac: relabel spice rendernode
For a logged-in user, a path like /dev/dri/renderD128 will have
default ownership root:video which won't work for the qemu:qemu user,
so we need to chown it.
We only do this when mount namespaces are enabled in the qemu driver,
so the chown'ing doesn't interfere with other users of the shared
render node path
https://bugzilla.redhat.com/show_bug.cgi?id=1460804
(cherry picked from commit 98931187eefdec6f2dea5cb82ab6d23a3ffa6634)
---
src/security/security_dac.c | 58 +++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
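diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 1f8d279bf..5f13bcee8 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -1380,6 +1380,54 @@ virSecurityDACRestoreTPMFileLabel(virSecurityManagerPtr mgr,
 
 
 static int
+virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
+ virDomainDefPtr def,
+ virDomainGraphicsDefPtr gfx)
+
+{
+ virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
+ virSecurityLabelDefPtr seclabel;
+ uid_t user;
+ gid_t group;
+
+ /* Skip chowning the shared render file if namespaces are disabled */
+ if (!priv->mountNamespace)
+ return 0;
+
+ seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
+ if (seclabel && !seclabel->relabel)
+ return 0;
+
+ if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
+ return -1;
+
+ if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
+ gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
+ gfx->data.spice.rendernode) {
+ if (virSecurityDACSetOwnership(priv, NULL,
+ gfx->data.spice.rendernode,
+ user, group) < 0)
+ return -1;
+ }
+
+ return 0;
+}
+
+
+static int
+virSecurityDACRestoreGraphicsLabel(virSecurityManagerPtr mgr ATTRIBUTE_UNUSED,
+ virDomainDefPtr def ATTRIBUTE_UNUSED,
+ virDomainGraphicsDefPtr gfx ATTRIBUTE_UNUSED)
+
+{
+ /* The only graphics labelling we do is dependent on mountNamespaces,
+ in which case 'restoring' the label doesn't actually accomplish
+ anything, so there's nothing to do here */
+ return 0;
+}
+
+
+static int
 virSecurityDACSetInputLabel(virSecurityManagerPtr mgr,
 virDomainDefPtr def,
 virDomainInputDefPtr input)
@@ -1489,6 +1537,11 @@ virSecurityDACRestoreAllLabel(virSecurityManagerPtr mgr,
 rc = -1;
 }
 
+ for (i = 0; i < def->ngraphics; i++) {
+ if (virSecurityDACRestoreGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+ return -1;
+ }
+
 for (i = 0; i < def->ninputs; i++) {
 if (virSecurityDACRestoreInputLabel(mgr, def, def->inputs[i]) < 0)
 rc = -1;
@@ -1602,6 +1655,11 @@ virSecurityDACSetAllLabel(virSecurityManagerPtr mgr,
 return -1;
 }
 
+ for (i = 0; i < def->ngraphics; i++) {
+ if (virSecurityDACSetGraphicsLabel(mgr, def, def->graphics[i]) < 0)
+ return -1;
+ }
+
 for (i = 0; i < def->ninputs; i++) {
 if (virSecurityDACSetInputLabel(mgr, def, def->inputs[i]) < 0)
 return -1;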
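Review bot: In the virSecurityDACRestoreAllLabel hunk the new graphics loop returns -1 on the first failure, whereas the neighbouring input loop and the `rc = -1;` context line just above it record the error and keep restoring the remaining labels; an early return would leave inputs and everything after them unrestored once virSecurityDACRestoreGraphicsLabel can actually fail. Suggest `rc = -1;` in place of `return -1;` in that loop so it follows the function's existing error handling (virSecurityDACRestoreAllLabel itself starts and ends outside the hunk). The `return -1` in the virSecurityDACSetAllLabel loop matches its surroundings and is fine as written. In virSecurityDACSetGraphicsLabel, virSecurityDACGetIds is called before the spice/gl/rendernode test, so IDs are resolved for every graphics device even when nothing will be relabelled; moving the type check ahead of it, or a one-line comment stating the order is intentional, would make the intent clearer.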