mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-09-24 08:25:45 +00:00
0345c7281b
The qemu driver had been calling virSecurityManagerSetProcessLabel() from a "pre-exec hook" function that is run after the child is forked, but before exec'ing qemu. This is problematic because the uid and gid of the child are set by the security driver, but capabilities are dropped by virCommand - such separation doesn't work; the two operations must be done together or the capabilities do not transfer properly to the child process. This patch switches to using virSecurityManagerSetChildProcessLabel(), which is called prior to virCommandRun() (rather than being called *during* virCommandrun() by the hook function), and doesn't set the UID/GID/security label directly, but instead merely informs virCommand what it should set them all to when the time is appropriate. This lets virCommand choose to do the uid/gid and caps dropping all at the same time if it wants (it does *want* to, but isn't doing so yet; that's for an upcoming patch). |
||
|---|---|---|
| .. | ||
| libvirtd_qemu.aug | ||
| MIGRATION.txt | ||
| qemu_agent.c | ||
| qemu_agent.h | ||
| qemu_bridge_filter.c | ||
| qemu_bridge_filter.h | ||
| qemu_capabilities.c | ||
| qemu_capabilities.h | ||
| qemu_cgroup.c | ||
| qemu_cgroup.h | ||
| qemu_command.c | ||
| qemu_command.h | ||
| qemu_conf.c | ||
| qemu_conf.h | ||
| qemu_domain.c | ||
| qemu_domain.h | ||
| qemu_driver.c | ||
| qemu_driver.h | ||
| qemu_hostdev.c | ||
| qemu_hostdev.h | ||
| qemu_hotplug.c | ||
| qemu_hotplug.h | ||
| qemu_migration.c | ||
| qemu_migration.h | ||
| qemu_monitor_json.c | ||
| qemu_monitor_json.h | ||
| qemu_monitor_text.c | ||
| qemu_monitor_text.h | ||
| qemu_monitor.c | ||
| qemu_monitor.h | ||
| qemu_process.c | ||
| qemu_process.h | ||
| qemu.conf | ||
| test_libvirtd_qemu.aug.in | ||
| THREADS.txt | ||