security: dac: also label listen UNIX sockets
We switched to opening mode='bind' sockets ourselves:
commit 30fb2276d8
qemu: support passing pre-opened UNIX socket listen FD
in v4.5.0-rc1~251

Then fixed qemuBuildChrChardevStr to change libvirtd's label while creating the socket:
commit b0c6300fc4
qemu: ensure FDs passed to QEMU for chardevs have correct SELinux labels
v4.5.0-rc1~52

Also add labeling of these sockets to the DAC driver. Instead of duplicating the logic which decides whether libvirt should pre-create the socket, assume that an existing path means it was created by libvirt.

https://bugzilla.redhat.com/show_bug.cgi?id=1633389

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
parent
9f81dc1081
commit
d6b8838dd8
@ -1308,7 +1308,12 @@ virSecurityDACSetChardevLabel(virSecurityManagerPtr mgr,
|
||||
break;
|
||||
|
||||
case VIR_DOMAIN_CHR_TYPE_UNIX:
|
||||
if (!dev_source->data.nix.listen) {
|
||||
if (!dev_source->data.nix.listen ||
|
||||
(dev_source->data.nix.path &&
|
||||
virFileExists(dev_source->data.nix.path))) {
|
||||
/* Also label mode='bind' sockets if they exist,
|
||||
* e.g. because they were created by libvirt
|
||||
* and passed via FD */
|
||||
if (virSecurityDACSetOwnership(mgr, NULL,
|
||||
dev_source->data.nix.path,
|
||||
user, group) < 0)
|
||||
|
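Review bot: The new `virFileExists(dev_source->data.nix.path)` arm in the `VIR_DOMAIN_CHR_TYPE_UNIX` case hands ownership of whatever already sits at that path to `user`/`group`, using existence as a stand-in for "libvirt pre-created this socket", and the code comment does not say what happens when that assumption is wrong. A stale socket from an earlier run or a non-socket file at a configured path would be chowned as well, and the existence check and the ownership change are two separate path lookups, so the object can differ between them if the parent directory is writable by anyone other than libvirt. I would at least record this in the comment, e.g. `/* Existence is only a proxy for "created by libvirt": anything found at this path is chowned, so the directory must not be writable by untrusted users */`, and consider confirming the path is a socket (`lstat()` plus `S_ISSOCK`) before calling `virSecurityDACSetOwnership`. The case body and the rest of virSecurityDACSetChardevLabel continue outside the hunk, so whether the restore path mirrors this condition cannot be checked from here.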