qemu: Make sure qemu can access its directory in hugetlbfs
When libvirtd is started, we create "libvirt/qemu" directories under the hugetlbfs mount point. Only the "qemu" subdirectory is chowned to the qemu user; "libvirt" remains owned by root. If the umask was too restrictive when libvirtd started, the qemu user may lose access to the "qemu" subdirectory. Let's explicitly grant search permission on the "libvirt" directory to all users. (cherry picked from commit 9d2ac5453e4d50c6f12b2f8a5078691fec60020b)
This commit is contained in:
parent
30aede2279
commit
30e02e12c1
@ -1204,6 +1204,7 @@ virFileFclose;
|
|||||||
virFileFdopen;
|
virFileFdopen;
|
||||||
virFileRewrite;
|
virFileRewrite;
|
||||||
virFileTouch;
|
virFileTouch;
|
||||||
|
virFileUpdatePerm;
|
||||||
|
|
||||||
|
|
||||||
# virkeycode.h
|
# virkeycode.h
|
||||||
|
@ -456,6 +456,8 @@ qemudStartup(int privileged) {
|
|||||||
int rc;
|
int rc;
|
||||||
virConnectPtr conn = NULL;
|
virConnectPtr conn = NULL;
|
||||||
char ebuf[1024];
|
char ebuf[1024];
|
||||||
|
char *membase = NULL;
|
||||||
|
char *mempath = NULL;
|
||||||
|
|
||||||
if (VIR_ALLOC(qemu_driver) < 0)
|
if (VIR_ALLOC(qemu_driver) < 0)
|
||||||
return -1;
|
return -1;
|
||||||
@ -660,24 +662,27 @@ qemudStartup(int privileged) {
|
|||||||
*/
|
*/
|
||||||
if (qemu_driver->hugetlbfs_mount &&
|
if (qemu_driver->hugetlbfs_mount &&
|
||||||
qemu_driver->hugetlbfs_mount[0] == '/') {
|
qemu_driver->hugetlbfs_mount[0] == '/') {
|
||||||
char *mempath = NULL;
|
if (virAsprintf(&membase, "%s/libvirt",
|
||||||
if (virAsprintf(&mempath, "%s/libvirt/qemu", qemu_driver->hugetlbfs_mount) < 0)
|
qemu_driver->hugetlbfs_mount) < 0 ||
|
||||||
|
virAsprintf(&mempath, "%s/qemu", membase) < 0)
|
||||||
goto out_of_memory;
|
goto out_of_memory;
|
||||||
|
|
||||||
if (virFileMakePath(mempath) < 0) {
|
if (virFileMakePath(mempath) < 0) {
|
||||||
virReportSystemError(errno,
|
virReportSystemError(errno,
|
||||||
_("unable to create hugepage path %s"), mempath);
|
_("unable to create hugepage path %s"), mempath);
|
||||||
VIR_FREE(mempath);
|
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
if (qemu_driver->privileged &&
|
if (qemu_driver->privileged) {
|
||||||
chown(mempath, qemu_driver->user, qemu_driver->group) < 0) {
|
if (virFileUpdatePerm(membase, 0, S_IXGRP | S_IXOTH) < 0)
|
||||||
|
goto error;
|
||||||
|
if (chown(mempath, qemu_driver->user, qemu_driver->group) < 0) {
|
||||||
virReportSystemError(errno,
|
virReportSystemError(errno,
|
||||||
_("unable to set ownership on %s to %d:%d"),
|
_("unable to set ownership on %s to %d:%d"),
|
||||||
mempath, qemu_driver->user, qemu_driver->group);
|
mempath, qemu_driver->user,
|
||||||
VIR_FREE(mempath);
|
qemu_driver->group);
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
qemu_driver->hugepage_path = mempath;
|
qemu_driver->hugepage_path = mempath;
|
||||||
}
|
}
|
||||||
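Review bot: membase is never released on the success path of this block: once the chown succeeds, control reaches `qemu_driver->hugepage_path = mempath;` with membase still allocated, and the only VIR_FREE(membase) on this page sits under the error label, so unless qemudStartup frees it later (beyond this hunk) the string leaks on every daemon start; a `VIR_FREE(membase);` just before that assignment fixes it. The same assignment hands mempath to the driver while the local keeps pointing at it, and the new error path now frees that local, so any failure later in qemudStartup would free the buffer there and again in qemudShutdown() if that function releases hugepage_path — the old code avoided this by scoping mempath to the block and freeing it only before its own goto error. Write `qemu_driver->hugepage_path = mempath; mempath = NULL;` so the ownership handoff is explicit. qemudStartup starts and ends outside this hunk.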
@ -737,6 +742,8 @@ error:
|
|||||||
virConnectClose(conn);
|
virConnectClose(conn);
|
||||||
VIR_FREE(base);
|
VIR_FREE(base);
|
||||||
VIR_FREE(driverConf);
|
VIR_FREE(driverConf);
|
||||||
|
VIR_FREE(membase);
|
||||||
|
VIR_FREE(mempath);
|
||||||
qemudShutdown();
|
qemudShutdown();
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
@ -437,3 +437,40 @@ int virFileTouch(const char *path, mode_t mode)
|
|||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
#define MODE_BITS (S_ISUID | S_ISGID | S_ISVTX | S_IRWXU | S_IRWXG | S_IRWXO)
|
||||||
|
|
||||||
|
int virFileUpdatePerm(const char *path,
|
||||||
|
mode_t mode_remove,
|
||||||
|
mode_t mode_add)
|
||||||
|
{
|
||||||
|
struct stat sb;
|
||||||
|
mode_t mode;
|
||||||
|
|
||||||
|
if (mode_remove & ~MODE_BITS || mode_add & ~MODE_BITS) {
|
||||||
|
virFileError(VIR_ERR_INVALID_ARG, "%s", _("invalid mode"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (stat(path, &sb) < 0) {
|
||||||
|
virReportSystemError(errno, _("cannot stat '%s'"), path);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
mode = sb.st_mode & MODE_BITS;
|
||||||
|
|
||||||
|
if ((mode & mode_remove) == 0 && (mode & mode_add) == mode_add)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
mode &= MODE_BITS ^ mode_remove;
|
||||||
|
mode |= mode_add;
|
||||||
|
|
||||||
|
if (chmod(path, mode) < 0) {
|
||||||
|
virReportSystemError(errno, _("cannot change permission of '%s'"),
|
||||||
|
path);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
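Review bot: The stat() and chmod() in virFileUpdatePerm resolve `path` twice, so the mode is read from one object and written to whatever the same path names a moment later; with root as the caller, a symlink swapped into a parent directory that another user can write would redirect the chmod. The caller on this page passes a directory under a root-owned hugetlbfs mount, so that use is not exposed, but the symbol is being exported for general use. Opening the path once and using fstat()/fchmod() on the descriptor ties the check and the change to the same inode, and O_NOFOLLOW refuses a symlink at the final component; open() does need read permission on the directory, which the privileged caller here has, so an unprivileged caller would have to fall back to chmod() by path. The permission arithmetic itself is fine — a bit present in both masks ends up set because mode_add is applied after the removal — and that is worth stating in a function comment, since MODE_BITS also admits the setuid, setgid and sticky bits.
```c
int virFileUpdatePerm(const char *path,
                      mode_t mode_remove,
                      mode_t mode_add)
{
    struct stat sb;
    mode_t mode;
    int fd = -1;
    int ret = -1;

    /* … unchanged: MODE_BITS validation of mode_remove / mode_add … */

    /* Open once so fstat() and fchmod() act on the same inode; the
     * descriptor is only ever used for these two calls. */
    if ((fd = open(path, O_RDONLY | O_NOFOLLOW)) < 0 ||
        fstat(fd, &sb) < 0) {
        virReportSystemError(errno, _("cannot stat '%s'"), path);
        goto cleanup;
    }

    mode = sb.st_mode & MODE_BITS;

    /* Nothing to do when the bits are already as requested */
    if ((mode & mode_remove) == 0 && (mode & mode_add) == mode_add) {
        ret = 0;
        goto cleanup;
    }

    mode &= MODE_BITS ^ mode_remove;
    mode |= mode_add;

    if (fchmod(fd, mode) < 0) {
        virReportSystemError(errno, _("cannot change permission of '%s'"),
                             path);
        goto cleanup;
    }

    ret = 0;

cleanup:
    if (fd >= 0)
        close(fd);
    return ret;
}
```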
@ -83,4 +83,8 @@ int virFileRewrite(const char *path,
|
|||||||
|
|
||||||
int virFileTouch(const char *path, mode_t mode);
|
int virFileTouch(const char *path, mode_t mode);
|
||||||
|
|
||||||
|
int virFileUpdatePerm(const char *path,
|
||||||
|
mode_t mode_remove,
|
||||||
|
mode_t mode_add);
|
||||||
|
|
||||||
#endif /* __VIR_FILES_H */
|
#endif /* __VIR_FILES_H */
|
||||||
|
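Review bot: The new prototype is added without a comment describing its contract, which matters because virFileUpdatePerm is exported through libvirt_private.syms in the same commit for other callers. The implementation on this page supports a short header comment such as `/* Clear the bits in mode_remove, then set the bits in mode_add, on the permissions of path; a bit in both masks ends up set. Only permission, setuid, setgid and sticky bits are accepted in either mask. Returns 0 on success (including when nothing needed changing), -1 after reporting an error. */`. Keeping that next to the declaration saves callers from reading virfile.c to learn the order in which the two masks are applied.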