
Re: [Qemu-block] question:about pr-helper unlink sock file fail


From: Paolo Bonzini
Subject: Re: [Qemu-block] question:about pr-helper unlink sock file fail
Date: Tue, 18 Jun 2019 19:34:20 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.6.1

On 17/06/19 06:10, wangjie (P) wrote:
> Hi, I found there is a bug in pr-helper:
> 
>     We run pr-helper process in root, and drop all capabilities except
> CAP_SYS_RAWIO.
> 
>     But the sock file which connect from qemu is owned by qemu group,
> when pr-helper exit, 
> 
>     it will call “close_server_socket ->
> object_unref(OBJECT(server_ioc)) -> qio_channel_socket_finalize ->
> socket_listen_cleanup”,
> 
>     unlink sock file will fail and output “Failed to unlink socket xxx,
> Permission denied”.
> 
>       I tried to add capability CAP_DAC_OVERRIDE in pr-helper, and then
> the unlink of the sock file succeeds, but I think capability
> CAP_DAC_OVERRIDE is too dangerous.

Interesting... yeah, CAP_DAC_OVERRIDE is a big big hammer.  I think this
would be fixed by also changing owner and group of the pr-helper to
qemu; it should work because it uses CAP_SYS_RAWIO.

Paolo


