On 27/11/2017 14:35, Michal Privoznik wrote:
>>> But can you also test _more_ permissions if you want?  So if QEMU passed
>>> to the helper a file for which it has "lock" but not "ioctl" access,
>>> would it make sense for the helper to let it through?  Together with the
>>> socket MAC, this should be precise enough.
>> Sure, you can check any of the permissions which are defined for the
>> type of object you've got. The goal is to check permissions which
>> correspond to actions you're taking on the object. So if you do
>> something other than just ioctl() on the passed in FD, it would make
>> sense to check further permissions as appropriate.
> Just to make sure I understand correctly: the PD passing is done by qemu
> and not libvirt, right? Technically, we don't open the disks.

Correct.

Paolo

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Reply via email to