Do nor clear caps when invoking virt-aa-helper

The calls to virExec() in security_apparmor.c when
invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without
libcap-ng, this is not a problem (it's effectively a no-op) but with
libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by
virt-aa-helper to manipulate apparmor profiles and without it VMs will
not start[1]. This patch calls virExec with the default VIR_EXEC_NONE
instead.
* src/security/security_apparmor.c: fallback to VIR_EXEC_NONE flags for
  virExec of virt_aa_helper
This commit is contained in:
Jamie Strandboge 2010-04-06 16:05:47 +02:00 committed by Daniel Veillard
parent 94dcf953ff
commit e68792c112

View File

@ -174,19 +174,19 @@ load_profile(const char *profile, virDomainObjPtr vm,
VIRT_AA_HELPER, "-c", "-u", profile, NULL VIRT_AA_HELPER, "-c", "-u", profile, NULL
}; };
ret = virExec(argv, NULL, NULL, &child, ret = virExec(argv, NULL, NULL, &child,
pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); pipefd[0], NULL, NULL, VIR_EXEC_NONE);
} else if (disk && disk->src) { } else if (disk && disk->src) {
const char *const argv[] = { const char *const argv[] = {
VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL
}; };
ret = virExec(argv, NULL, NULL, &child, ret = virExec(argv, NULL, NULL, &child,
pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); pipefd[0], NULL, NULL, VIR_EXEC_NONE);
} else { } else {
const char *const argv[] = { const char *const argv[] = {
VIRT_AA_HELPER, "-r", "-u", profile, NULL VIRT_AA_HELPER, "-r", "-u", profile, NULL
}; };
ret = virExec(argv, NULL, NULL, &child, ret = virExec(argv, NULL, NULL, &child,
pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); pipefd[0], NULL, NULL, VIR_EXEC_NONE);
} }
if (ret < 0) if (ret < 0)
goto clean; goto clean;