External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-22 19:32:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

qemuDomainBuildNamespace: Populate SEV from daemon's namespace

Browse Source 
As mentioned in one of previous commits, populating domain's
namespace from pre-exec() hook is dangerous. This commit moves
population of the namespace with domain SEV into daemon's
namespace.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
Michal Privoznik 2020-07-21 14:51:13 +02:00
parent 6483b1e32b
commit 40592f168f
1 changed files with 6 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
src/qemu/qemu_namespace.c
View File

@ -421,7 +421,7 @@ qemuDomainCreateDeviceRecursive(const char *device,
} }
static int static int G_GNUC_UNUSED
qemuDomainCreateDevice(const char *device, qemuDomainCreateDevice(const char *device,
const struct qemuDomainCreateDeviceData *data, const struct qemuDomainCreateDeviceData *data,
bool allow_noent) bool allow_noent)
@ -836,7 +836,7 @@ qemuDomainSetupLoader(virDomainObjPtr vm,
static int static int
qemuDomainSetupLaunchSecurity(virDomainObjPtr vm, qemuDomainSetupLaunchSecurity(virDomainObjPtr vm,
const struct qemuDomainCreateDeviceData *data) char ***paths)
{ {
virDomainSEVDefPtr sev = vm->def->sev; virDomainSEVDefPtr sev = vm->def->sev;
@ -845,7 +845,7 @@ qemuDomainSetupLaunchSecurity(virDomainObjPtr vm,
VIR_DEBUG("Setting up launch security"); VIR_DEBUG("Setting up launch security");
if (qemuDomainCreateDevice(QEMU_DEV_SEV, data, false) < 0) if (virStringListAdd(paths, QEMU_DEV_SEV) < 0)
return -1; return -1;
VIR_DEBUG("Set up launch security"); VIR_DEBUG("Set up launch security");
@ -894,6 +894,9 @@ qemuDomainBuildNamespace(virQEMUDriverConfigPtr cfg,
if (qemuDomainSetupLoader(vm, &paths) < 0) if (qemuDomainSetupLoader(vm, &paths) < 0)
return -1; return -1;
if (qemuDomainSetupLaunchSecurity(vm, &paths) < 0)
return -1;
if (qemuNamespaceMknodPaths(vm, (const char **) paths) < 0) if (qemuNamespaceMknodPaths(vm, (const char **) paths) < 0)
return -1; return -1;
@ -906,7 +909,6 @@ qemuDomainUnshareNamespace(virQEMUDriverConfigPtr cfg,
virSecurityManagerPtr mgr, virSecurityManagerPtr mgr,
virDomainObjPtr vm) virDomainObjPtr vm)
{ {
struct qemuDomainCreateDeviceData data;
const char *devPath = NULL; const char *devPath = NULL;
char **devMountsPath = NULL, **devMountsSavePath = NULL; char **devMountsPath = NULL, **devMountsSavePath = NULL;
size_t ndevMountsPath = 0, i; size_t ndevMountsPath = 0, i;
@ -935,19 +937,12 @@ qemuDomainUnshareNamespace(virQEMUDriverConfigPtr cfg,
goto cleanup; goto cleanup;
} }
data.path = devPath;
data.devMountsPath = devMountsPath;
data.ndevMountsPath = ndevMountsPath;
if (virProcessSetupPrivateMountNS() < 0) if (virProcessSetupPrivateMountNS() < 0)
goto cleanup; goto cleanup;
if (qemuDomainSetupDev(mgr, vm, devPath) < 0) if (qemuDomainSetupDev(mgr, vm, devPath) < 0)
goto cleanup; goto cleanup;
if (qemuDomainSetupLaunchSecurity(vm, &data) < 0)
goto cleanup;
/* Save some mount points because we want to share them with the host */ /* Save some mount points because we want to share them with the host */
for (i = 0; i < ndevMountsPath; i++) { for (i = 0; i < ndevMountsPath; i++) {
struct stat sb; struct stat sb;