Re: [libvirt] [Qemu-devel] [PATCH v2 3/3] raw-posix: Re-open host CD-ROM after media change

["Daniel P. Berrange" <berrange@redhat.com>]

On Mon, Apr 04, 2011 at 08:02:26AM -0500, Anthony Liguori wrote:
> On 04/04/2011 05:47 AM, Daniel P. Berrange wrote:
> >>I'm hoping libvirt's behavior can be made to just work rather than
> >>adding new features to QEMU.  But perhaps passing file descriptors is
> >>useful for more than just reopening host devices.  This would
> >>basically be a privilege separation model where the QEMU process isn't
> >>able to open files itself but can request libvirt to open them on its
> >>behalf.
> >It is rather frickin' annoying the way udev resets the ownership
> >when the media merely changes. If it isn't possible to stop udev
> >doing this, then i think the only practical thing is to use ACLs
> >instead of user/group ownership. We wanted to switch to ACLs in
> >libvirt for other reasons already, but it isn't quite as simple
> >as it sounds[1] so we've not done it just yet.
> 
> Isn't the root of the problem that you're not running a guest in the
> expected security context?

That doesn't really have any impact. If a desktop user is logged
in, udev may change the ownership to match that user, but if they
aren't, then udev may reset it to root:disk. Either way, QEMU
may loose permissions to the disk.

> How much of a leap would it be to spawn a guest with the credentials
> of the user that created/defined it?  Or better yet, to let the user
> be specified in the XML.

That's a completely independent RFE which won't fix this issue in
the general case.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|