[v2,0/2] dac: relabel spice rendernode

Message ID cover.1503850638.git.crobinso@redhat.com

Message

Cole Robinson Aug. 27, 2017, 4:20 p.m. UTC
This fixes the last issue preventing qemu:///system spice GL from working
out of the box: chown'ing the rendernode path so we have permissions
to open it.

We skip this if mount namespaces are disabled, so the chown'ing won't
interfere with other rendernode users on the host.

https://bugzilla.redhat.com/show_bug.cgi?id=1460804

v2:
    Add the MOUNT_NAMESPACE handling
    Drop DAC restore of rendernode

Cole Robinson (2):
  security: add MANAGER_MOUNT_NAMESPACE flag
  security: dac: relabel spice rendernode

 src/qemu/qemu_driver.c          |  2 ++
 src/security/security_dac.c     | 68 +++++++++++++++++++++++++++++++++++++++++
 src/security/security_dac.h     |  3 ++
 src/security/security_manager.c |  4 ++-
 src/security/security_manager.h |  1 +
 5 files changed, 77 insertions(+), 1 deletion(-)

-- 
2.13.5

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Comments

Andrea Bolognani Sept. 4, 2017, 12:37 p.m. UTC | #1
On Sun, 2017-08-27 at 12:20 -0400, Cole Robinson wrote:
> This fixes the last issue preventing qemu:///system spice GL from working
> out of the box: chown'ing the rendernode path so we have permissions
> to open it.
>
> We skip this if mount namespaces are disabled, so the chown'ing won't
> interfere with other rendernode users on the host.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1460804
>
> v2:
>     Add the MOUNT_NAMESPACE handling
>     Drop DAC restore of rendernode
>
> Cole Robinson (2):
>   security: add MANAGER_MOUNT_NAMESPACE flag
>   security: dac: relabel spice rendernode
>
>  src/qemu/qemu_driver.c          |  2 ++
>  src/security/security_dac.c     | 68 +++++++++++++++++++++++++++++++++++++++++
>  src/security/security_dac.h     |  3 ++
>  src/security/security_manager.c |  4 ++-
>  src/security/security_manager.h |  1 +
>  5 files changed, 77 insertions(+), 1 deletion(-)

Looks reasonable and works as expected on my Fedora 26
installation, so for the entire series:

  Reviewed-by: Andrea Bolognani <abologna@redhat.com>


You should document this in the release notes, though :)

-- 
Andrea Bolognani / Red Hat / Virtualization
