qemu_conf: Don't even attempt to enable rememberOwner if unsupported

The remember owner feature uses XATTRs to store original
seclabels. But that means we don't want a regular user to be able
to change what we stored and thus trick us into setting different
seclabel. Therefore, we use namespaces that are reserved to
CAP_SYS_ADMIN only. Such namespaces exist on Linux and FreeBSD.
That also means that the whole feature is enabled only for
qemu:///system. Now, while the secdriver code is capable of
dealing with XATTRs being unsupported (it has to, not all
filesystems support them) if the feature is enabled users will
get a harmless error message in the logs and the feature
disables itself.

Since we have virSecurityXATTRNamespaceDefined() we can use it to
make a wiser decision on the default state of the feature.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Roman Bolshakov <r.bolshakov@yadro.com>
Reviewed-by: Andrea Bolognani <abologna@redhat.com>
Michal Privoznik 2020-11-03 13:26:22 +01:00
parent 995394c5a3
commit ef164fb3f9


@ -49,6 +49,7 @@
#include "storage_conf.h" #include "storage_conf.h"
#include "virutil.h" #include "virutil.h"
#include "configmake.h" #include "configmake.h"
#include "security/security_util.h"
#define VIR_FROM_THIS VIR_FROM_QEMU #define VIR_FROM_THIS VIR_FROM_QEMU
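Review bot: the new `#include "security/security_util.h"` is appended after `configmake.h` rather than next to the other driver-level headers such as `storage_conf.h`; it exists only to pull in the declaration of virSecurityXATTRNamespaceDefined() used further down in virQEMUDriverConfigNew(), so either keep it alphabetically grouped with the rest of the quoted includes or add a one-line comment saying why it is needed here.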
@ -131,7 +132,11 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged,
cfg->group = (gid_t)-1; cfg->group = (gid_t)-1;
} }
cfg->dynamicOwnership = privileged; cfg->dynamicOwnership = privileged;
cfg->rememberOwner = privileged;
if (privileged)
cfg->rememberOwner = virSecurityXATTRNamespaceDefined();
else
cfg->rememberOwner = false;
cfg->cgroupControllers = -1; /* -1 == auto-detect */ cfg->cgroupControllers = -1; /* -1 == auto-detect */
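Review bot: the four-line if/else replacing `cfg->rememberOwner = privileged;` collapses to a single expression, `cfg->rememberOwner = privileged && virSecurityXATTRNamespaceDefined();`, which mirrors the adjacent `cfg->dynamicOwnership = privileged;` and avoids calling the probe at all in the unprivileged (qemu:///session) case. Since the commit message says this only changes the default state, it is worth stating in the same message (or in the qemu.conf documentation for the option) that an explicit remember_owner setting from the config file can still turn the feature on where the CAP_SYS_ADMIN XATTR namespace is absent, in which case the "harmless error message in the logs" path described above still applies.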