File 673f805d-qemu-chown-uniqDir.patch of Package libvirt.11700

commit 673f805d4df2484bc2a5cc637524e92c0cbc5584
Author: Martin Kletzander <mkletzan@redhat.com>
Date:   Fri Apr 12 15:22:48 2019 +0200

    qemu: Label uniqDir when probing capabilities
    
    This does not cause a problem in usual scenarios thanks to us allowing
    CAP_DAC_OVERRIDE for the qemu process, however in some scenarios this might be
    an issue because the directory is created with mkdtemp(3) which explicitly
    creates that with 0700 permissions and qemu running as non-root cannot access
    that.
    
    The scenarios include:
     - Builds without CAPNG
     - Running libvirtd in certain container configurations [1]
     - and possibly others.
    
    [1] https://github.com/kubevirt/kubevirt/pull/2181#issuecomment-481840304
    
    Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
    Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>

Index: libvirt-5.1.0/src/qemu/qemu_process.c
===================================================================
--- libvirt-5.1.0.orig/src/qemu/qemu_process.c
+++ libvirt-5.1.0/src/qemu/qemu_process.c
@@ -8431,6 +8431,21 @@ qemuProcessQMPNew(const char *binary,
 
 
 static int
+qemuProcessQEMULabelUniqPath(qemuProcessQMPPtr proc)
+{
+    /* We cannot use the security driver here, but we should not need to. */
+    if (chown(proc->uniqDir, proc->runUid, -1) < 0) {
+        virReportSystemError(errno,
+                             _("Cannot chown uniq path: %s"),
+                             proc->uniqDir);
+        return -1;
+    }
+
+    return 0;
+}
+
+
+static int
 qemuProcessQMPInit(qemuProcessQMPPtr proc)
 {
     char *template = NULL;
@@ -8449,6 +8464,9 @@ qemuProcessQMPInit(qemuProcessQMPPtr pro
         goto cleanup;
     }
 
+    if (qemuProcessQEMULabelUniqPath(proc) < 0)
+        goto cleanup;
+
     if (virAsprintf(&proc->monpath, "%s/%s", proc->uniqDir,
                     "qmp.monitor") < 0)
         goto cleanup;
openSUSE Build Service is sponsored by