From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 4 Apr 2011 14:16:39 +0100
From: "Daniel P. Berrange"
Subject: Re: [libvirt] [Qemu-devel] [PATCH v2 3/3] raw-posix: Re-open host CD-ROM after media change
Message-ID: <20110404131639.GB13616@redhat.com>
References: <1301425482-8722-1-git-send-email-stefanha@linux.vnet.ibm.com> <1301425482-8722-4-git-send-email-stefanha@linux.vnet.ibm.com> <20110404104753.GX13616@redhat.com> <4D99C162.7060706@us.ibm.com>
In-Reply-To: <4D99C162.7060706@us.ibm.com>
To: Anthony Liguori
Cc: Kevin Wolf, Stefan Hajnoczi, Juan Quintela, libvir-list@redhat.com, Stefan Hajnoczi, qemu-devel@nongnu.org, Blue Swirl

On Mon, Apr 04, 2011 at 08:02:26AM -0500, Anthony Liguori wrote:
> On 04/04/2011 05:47 AM, Daniel P. Berrange wrote:
> >>I'm hoping libvirt's behavior can be made to just work rather than
> >>adding new features to QEMU. But perhaps passing file descriptors is
> >>useful for more than just reopening host devices. This would
> >>basically be a privilege separation model where the QEMU process isn't
> >>able to open files itself but can request libvirt to open them on its
> >>behalf.
> >It is rather frickin' annoying the way udev resets the ownership
> >when the media merely changes. If it isn't possible to stop udev
> >doing this, then I think the only practical thing is to use ACLs
> >instead of user/group ownership. We wanted to switch to ACLs in
> >libvirt for other reasons already, but it isn't quite as simple
> >as it sounds[1] so we've not done it just yet.
>
> Isn't the root of the problem that you're not running a guest in the
> expected security context?

That doesn't really have any impact. If a desktop user is logged in,
udev may change the ownership to match that user, but if they aren't,
then udev may reset it to root:disk. Either way, QEMU may lose
permissions to the disk.

> How much of a leap would it be to spawn a guest with the credentials
> of the user that created/defined it? Or better yet, to let the user
> be specified in the XML.

That's a completely independent RFE which won't fix this issue in the
general case.

Regards,
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
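The fd-passing privilege separation model described in the quoted paragraph (a process that cannot open device paths itself asks a privileged broker to open them and hand back the descriptor), as an added Python example that is not libvirt or QEMU code. It needs Python 3.9+ for socket.send_fds/recv_fds; the allow-list, the "ok"/"denied" reply format and the temporary "media" file are constructed for illustration.

```python
import os
import socket
import tempfile

# Constructed model of the fd-passing design discussed in the thread: the
# privileged broker (libvirt's role) enforces policy and opens the path; the
# worker (QEMU's role) never opens a path itself and only ever receives an
# already-open descriptor over a Unix socket (SCM_RIGHTS).

def broker_serve(sock, path, allowed):
    """Privileged side: enforce the allow-list, open the path, send only the fd."""
    if path not in allowed:
        sock.sendall(b"denied")
        return False
    fd = os.open(path, os.O_RDONLY)
    try:
        socket.send_fds(sock, [b"ok"], [fd])
    finally:
        os.close(fd)  # the receiver holds its own reference once the message is queued
    return True

def worker_receive(sock):
    """Unprivileged side: read the broker's reply and return the delivered descriptor."""
    msg, fds, _flags, _addr = socket.recv_fds(sock, 64, 1)
    if msg != b"ok" or len(fds) != 1:
        for fd in fds:  # never leak stray descriptors on a malformed reply
            os.close(fd)
        raise PermissionError("broker refused to open the device")
    return fds[0]

def read_via_broker(path, allowed):
    """Return the file contents obtained only through the broker, or None if refused."""
    broker_sock, worker_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    with broker_sock, worker_sock:
        broker_serve(broker_sock, path, allowed)
        try:
            fd = worker_receive(worker_sock)
        except PermissionError:
            return None
        with os.fdopen(fd, "r") as f:
            return f.read()

def demo():
    """Create a constructed 'media' file and exercise the allowed and the refused case."""
    with tempfile.NamedTemporaryFile("w", delete=False) as tmp:
        tmp.write("constructed media contents\n")
        path = tmp.name
    try:
        return read_via_broker(path, {path}), read_via_broker(path, set())
    finally:
        os.unlink(path)
```

The worker's ability to read depends only on what the broker chooses to send, so a later ownership reset on the device node by udev does not revoke a descriptor the worker already holds, and a re-open after a media change is just another broker request.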