Accepting request 677536 from home:jfehlig:branches:Virtualization

- qemu: don't use CAP_DAC_OVERRIDE capability if non-root 620d9dd5-qemu-no-dac-override-nonroot.patch boo#1125665 OBS-URL: https://build.opensuse.org/request/show/677536 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=730
2019-02-20 01:23:34 +00:00 · 2019-02-20 01:23:34 +00:00 · 61b77bff2e
commit 61b77bff2e
parent 3558b40b5b
3 changed files with 34 additions and 0 deletions
--- a/620d9dd5-qemu-no-dac-override-nonroot.patch
+++ b/620d9dd5-qemu-no-dac-override-nonroot.patch
@ -0,0 +1,25 @@
+commit 620d9dd598fde388f56ac37bcd3b31168c2f9fc6
+Author: Peter Krempa <pkrempa@redhat.com>
+Date:   Mon Feb 4 16:24:15 2019 +0100
+
+    qemu: caps: Don't try to ask for CAP_DAC_OVERRIDE if non-root
+    
+    It will not work. This breaks qemu capabilities probing as a user.
+    
+    Signed-off-by: Peter Krempa <pkrempa@redhat.com>
+    Reviewed-by: Erik Skultety <eskultet@redhat.com>
+
+Index: libvirt-5.0.0/src/qemu/qemu_capabilities.c
+===================================================================
+--- libvirt-5.0.0.orig/src/qemu/qemu_capabilities.c
+++ libvirt-5.0.0/src/qemu/qemu_capabilities.c
+@@ -4529,7 +4529,8 @@ virQEMUCapsInitQMPCommandRun(virQEMUCaps
+ #if WITH_CAPNG
+     /* QEMU might run into permission issues, e.g. /dev/sev (0600), override
+      * them just for the purpose of probing */
+-    virCommandAllowCap(cmd->cmd, CAP_DAC_OVERRIDE);
+    if (geteuid() == 0)
+        virCommandAllowCap(cmd->cmd, CAP_DAC_OVERRIDE);
+ #endif
+ 
+     virCommandSetGID(cmd->cmd, cmd->runGid);
--- a/libvirt.changes
+++ b/libvirt.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Feb 19 23:36:28 UTC 2019 - James Fehlig <jfehlig@suse.com>
+
+- qemu: don't use CAP_DAC_OVERRIDE capability if non-root
+  620d9dd5-qemu-no-dac-override-nonroot.patch
+  boo#1125665
+
 -------------------------------------------------------------------
 Fri Feb  8 21:32:29 UTC 2019 - James Fehlig <jfehlig@suse.com>

--- a/libvirt.spec
+++ b/libvirt.spec
@ -340,6 +340,7 @@ Patch4:         a404ac34-qemu-cgroup-sev.patch
 Patch5:         6fd4c8f8-qemu-domain-sev.patch
 Patch6:         17f6a257-security-dac-sev.patch
 Patch7:         a2d3dea9-qemu-caps-dac-override-sev.patch
+Patch8:         620d9dd5-qemu-no-dac-override-nonroot.patch
 # Patches pending upstream review
 Patch100:       libxl-dom-reset.patch
 Patch101:       network-don-t-use-dhcp-authoritative-on-static-netwo.patch
@ -881,6 +882,7 @@ libvirt plugin for NSS for translating domain names into IP addresses.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 %patch100 -p1
 %patch101 -p1
 %patch150 -p1