security: dac: gfx: egl-headless: Relabel the DRI device

Just like for SPICE, we need to change the permissions on the DRI device used as the @rendernode for egl-headless graphics type. Signed-off-by: Erik Skultety <eskultet@redhat.com> Reviewed-by: Ján Tomko <jtomko@redhat.com>
2024-07-11 12:25:52 +00:00 · 2018-11-16 08:44:08 +01:00 · 2018-11-16 08:44:08 +01:00 · ae00e73cfe
commit ae00e73cfe
parent dc87ee0f3e
1 changed files with 7 additions and 8 deletions
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@ -1492,11 +1492,16 @@ virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
                               virDomainGraphicsDefPtr gfx)

 {
+    const char *rendernode = virDomainGraphicsGetRenderNode(gfx);
    virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
    virSecurityLabelDefPtr seclabel;
    uid_t user;
    gid_t group;

+    /* There's nothing to relabel */
+    if (!rendernode)
+        return 0;
+
    /* Skip chowning the shared render file if namespaces are disabled */
    if (!priv->mountNamespace)
        return 0;
@ -1508,14 +1513,8 @@ virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
    if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
        return -1;

-    if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
-        gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
-        gfx->data.spice.rendernode) {
-        if (virSecurityDACSetOwnership(mgr, NULL,
-                                       gfx->data.spice.rendernode,
-                                       user, group) < 0)
-            return -1;
-    }
+    if (virSecurityDACSetOwnership(mgr, NULL, rendernode, user, group) < 0)
+        return -1;

    return 0;
 }