From 7c7ec6e6c20675a99abe8685c715dc95e7e8dbff Mon Sep 17 00:00:00 2001
Message-Id: <7c7ec6e6c20675a99abe8685c715dc95e7e8dbff@dist-git>
From: Michal Privoznik <mprivozn@redhat.com>
Date: Tue, 6 Sep 2022 13:37:23 +0200
Subject: [PATCH] qemu_namespace: Tolerate missing ACLs when creating a path in
 namespace

When creating a path in a domain's mount namespace we try to set
ACLs on it, so that it's a verbatim copy of the path in parent's
namespace. The ACLs are queried upfront (by
qemuNamespaceMknodItemInit()) but this is fault tolerant so the
pointer to ACLs might be NULL (meaning no ACLs were queried, for
instance because the underlying filesystem does not support
them). But then we take this NULL and pass it to virFileSetACLs()
which immediately returns an error because NULL is an invalid value.

Mimic what we do with SELinux label - only set ACLs if they are
non-NULL which includes symlinks.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 687374959e160dc566bd4b6d43c7bf1beb470c59)
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2123196
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
---
 src/qemu/qemu_namespace.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c
index 94453033f5..4bff325a2c 100644
--- a/src/qemu/qemu_namespace.c
+++ b/src/qemu/qemu_namespace.c
@@ -1023,8 +1023,7 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data)
         goto cleanup;
     }
 
-    /* Symlinks don't have ACLs. */
-    if (!isLink &&
+    if (data->acl &&
         virFileSetACLs(data->file, data->acl) < 0 &&
         errno != ENOTSUP) {
         virReportSystemError(errno,
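Review bot: the new `data->acl &&` guard removes both the `!isLink` test and the "Symlinks don't have ACLs" comment, so the symlink case now depends on `data->acl` being NULL for links, an invariant this hunk neither shows nor documents. Suggest keeping a one-line comment above the condition, for example `/* data->acl is NULL for symlinks and when no ACLs could be queried */`, so that a later change to how the ACLs are queried does not silently start calling virFileSetACLs() on symlinks. It is also worth confirming that the remaining `errno != ENOTSUP` filter still matches the errors virFileSetACLs() can return once NULL is no longer passed in.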
-- 
2.38.0