Do nor clear caps when invoking virt-aa-helper
The calls to virExec() in security_apparmor.c when invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without libcap-ng, this is not a problem (it's effectively a no-op) but with libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by virt-aa-helper to manipulate apparmor profiles and without it VMs will not start[1]. This patch calls virExec with the default VIR_EXEC_NONE instead. * src/security/security_apparmor.c: fallback to VIR_EXEC_NONE flags for virExec of virt_aa_helper
This commit is contained in:
parent
94dcf953ff
commit
e68792c112
@ -174,19 +174,19 @@ load_profile(const char *profile, virDomainObjPtr vm,
VIRT_AA_HELPER, "-c", "-u", profile, NULL
VIRT_AA_HELPER, "-c", "-u", profile, NULL
};
};
ret = virExec(argv, NULL, NULL, &child,
ret = virExec(argv, NULL, NULL, &child,
pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
pipefd[0], NULL, NULL, VIR_EXEC_NONE);
} else if (disk && disk->src) {
} else if (disk && disk->src) {
const char *const argv[] = {
const char *const argv[] = {
VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL
VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL
};
};
ret = virExec(argv, NULL, NULL, &child,
ret = virExec(argv, NULL, NULL, &child,
pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
pipefd[0], NULL, NULL, VIR_EXEC_NONE);
} else {
} else {
const char *const argv[] = {
const char *const argv[] = {
VIRT_AA_HELPER, "-r", "-u", profile, NULL
VIRT_AA_HELPER, "-r", "-u", profile, NULL
};
};
ret = virExec(argv, NULL, NULL, &child,
ret = virExec(argv, NULL, NULL, &child,
pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
pipefd[0], NULL, NULL, VIR_EXEC_NONE);
}
}
if (ret < 0)
if (ret < 0)
goto clean;
goto clean;
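Review bot: All three virExec() calls in this hunk (the rows ending in `pipefd[0], NULL, NULL, VIR_EXEC_NONE);`) now retain capabilities without any comment recording why, so a later cleanup could reinstate VIR_EXEC_CLEAR_CAPS and silently reintroduce the "VMs will not start" regression the description fixes. I would put `/* Do not pass VIR_EXEC_CLEAR_CAPS: virt-aa-helper needs CAP_MAC_ADMIN to manage AppArmor profiles. */` above the first call, or better, have each branch only fill in argv and make a single virExec() call after the if/else chain so the flag choice lives in one place. Note that VIR_EXEC_NONE makes the helper inherit libvirtd's whole capability set rather than just MAC_ADMIN; if virExec() offers (or later gains) a way to keep one capability, that would be the narrower option, though its flag set is not visible from this hunk. load_profile() begins and ends outside the hunk, and the `clean:` label that the final goto targets is not shown.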