virt-aa-helper: don't deny writes to readonly mounts
There is no need to deny writes on a readonly mount: writes still won't be accepted, even if the user remounts the folder as RW in the guest, because qemu sets the 9p mount as ro. This deny rule was causing problems, for example with a readonly /: the qemu process had to write to a bunch of files in / such as logs, sockets, etc. The deny rule was also preventing auditing of these denials, making it harder to debug.
parent
3e2d637458
commit
c726af2d5a
@ -1127,7 +1127,10 @@ get_files(vahControl * ctl)
|
|||||||
ctl->def->fss[i]->src) {
|
ctl->def->fss[i]->src) {
|
||||||
virDomainFSDefPtr fs = ctl->def->fss[i];
|
virDomainFSDefPtr fs = ctl->def->fss[i];
|
||||||
|
|
||||||
if (vah_add_path(&buf, fs->src, fs->readonly ? "r" : "rw", true) != 0)
|
/* We don't need to add deny rw rules for readonly mounts,
|
||||||
|
* this can only lead to troubles when mounting / readonly.
|
||||||
|
*/
|
||||||
|
if (vah_add_path(&buf, fs->src, "rw", true) != 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
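Review bot: Passing `"rw"` unconditionally in `vah_add_path(&buf, fs->src, "rw", true)` gives the generated AppArmor profile write access to the host directory of every filesystem source that reaches this branch, including ones the domain marks readonly, so read-only now rests only on qemu's 9p export and the profile no longer backs it up if the qemu process misbehaves. The deny rule the description refers to appears to be emitted inside vah_add_path, which is outside this hunk; if so, a narrower fix is to keep `fs->readonly ? "r" : "rw"` here and give vah_add_path a way to add a read rule without the accompanying deny line. If the broad grant stays, the comment should state the trade-off, e.g. `/* readonly is enforced by qemu's 9p export; the profile grants rw so a readonly / does not block qemu's own files */`. The enclosing loop in get_files starts above the hunk.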