Hi

----- Original Message -----
> On Tue, Sep 27, 2016 at 07:13:55AM -0400, Marc-André Lureau wrote:
> > Hi
> >
> > ----- Original Message -----
> > >
> > > > On Sep 27, 2016, at 05:36, Daniel P. Berrange <berra...@redhat.com> wrote:
> > > >
> > > > On Tue, Sep 27, 2016 at 03:06:21AM +0000, Rafael David Tinoco wrote:
> > > > We should not have QEMU creating unpredictable filenames in the
> > > > first place - any filenames should be determined by libvirt
> > > > explicitly.
> > >
> > > Note that the filename, per se, is not as important as other files,
> > > since qemu won't provide it for being accessed by external programs, and
> > > deletes the file, while keeping the descriptor, right after its creation
> > > (due to its nature, that is probably why it was created in /tmp).
> > >
> > > Having libvirt define a filename that would not be used for recent
> > > kernels (> 3.17) and would exist for a fraction of a second doesn't seem
> > > right to me.
> > >
> >
> > There are other parts of qemu that rely on creating temporary files, and
> > this seems to lack a bit of uniformity. Would it make sense to define a
> > place where qemu could create those? Or setting TMPDIR should help too.
> > Could libvirt set a per-vm TMPDIR with appropriate security rules?
>
> The other places that use mkstemp are block for snapshot=on, which
> libvirt does not support as we want control over the filename. This
> needs fixing by allowing a filename to be given. The qemu sockets code
> uses it for auto-creating a UNIX domain socket path, but again libvirt
> doesn't support that usage. The exec.c file uses it, but that honours
> an explicit directory path provided on the command line. So this memfd
> code really is the first place which is causing a real

Have you reviewed the hundreds of libraries qemu links to? :)

> Just setting TMPDIR per VM doesn't magically solve all these cases as
> it isn't reasonable to assume that all these files should be in the
> same location. Certainly block snapshot file will be somewhere different
> from others, due to its size.

I am not claiming it solves all problems, but at least it seems it would be quite appropriate for security concerns to have per-vm TMPDIR.