From patchwork Sun Aug 27 16:20:40 2017
X-Patchwork-Submitter: Cole Robinson
X-Patchwork-Id: 111088
From: Cole Robinson
To: libvirt-list@redhat.com
Date: Sun, 27 Aug 2017 12:20:40 -0400
Subject: [libvirt] [PATCH v2 0/2] dac: relabel spice rendernode
List-Id: Development discussions about the libvirt library & tools

This fixes the last issue preventing qemu:///system spice GL from
working out of the box: chown'ing the rendernode path so we have
permissions to open it. We skip this if mount namespaces are disabled,
so the chown'ing won't interfere with other rendernode users on the
host.

https://bugzilla.redhat.com/show_bug.cgi?id=1460804

v2:
    Add the MOUNT_NAMESPACE handling
    Drop DAC restore of rendernode

Cole Robinson (2):
  security: add MANAGER_MOUNT_NAMESPACE flag
  security: dac: relabel spice rendernode

 src/qemu/qemu_driver.c          |  2 ++
 src/security/security_dac.c     | 68 +++++++++++++++++++++++++++++++++++++++++
 src/security/security_dac.h     |  3 ++
 src/security/security_manager.c |  4 ++-
 src/security/security_manager.h |  1 +
 5 files changed, 77 insertions(+), 1 deletion(-)

-- 
2.13.5

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list