qemu_conf: add new configuration key bridge_helper

Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>

qemu_conf: add new configuration key bridge_helper
Signed-off-by: N Paolo Bonzini <pbonzini@redhat.com>
78d7c3c5 · Paolo Bonzini · Eric Blake · 5c1cfea4 · 78d7c3c5 · 78d7c3c5
5 changed file
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -60,6 +60,7 @@ module Libvirtd_qemu =

   let process_entry = str_entry "hugetlbfs_mount"
                 | bool_entry "clear_emulator_capabilities"
+                 | str_entry "bridge_helper"
                 | bool_entry "set_process_name"
                 | int_entry "max_processes"
                 | int_entry "max_files"

--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -301,6 +301,14 @@
 #hugetlbfs_mount = "/dev/hugepages"


+# Path to the setuid helper for creating tap devices.  This executable
+# is used to create <source type='bridge'> interfaces when libvirtd is
+# running unprivileged.  libvirt invokes the helper directly, instead
+# of using "-netdev bridge", for security reasons.
+#bridge_helper = "/usr/libexec/qemu-bridge-helper"
+
+
+
 # If clear_emulator_capabilities is enabled, libvirt will drop all
 # privileged capabilities of the QEmu/KVM emulator. This is enabled by
 # default.

--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -241,6 +241,7 @@ virQEMUDriverConfigPtr virQEMUDriverConfigNew(bool privileged)
        }
    }
 #endif
+    cfg->bridgeHelperName = strdup("/usr/libexec/qemu-bridge-helper");

    cfg->clearEmulatorCapabilities = true;

@@ -290,6 +291,7 @@ static void virQEMUDriverConfigDispose(void *obj)

    VIR_FREE(cfg->hugetlbfsMount);
    VIR_FREE(cfg->hugepagePath);
+    VIR_FREE(cfg->bridgeHelperName);

    VIR_FREE(cfg->saveImageFormat);
    VIR_FREE(cfg->dumpImageFormat);
@@ -497,6 +499,7 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
    GET_VALUE_BOOL("auto_start_bypass_cache", cfg->autoStartBypassCache);

    GET_VALUE_STR("hugetlbfs_mount", cfg->hugetlbfsMount);
+    GET_VALUE_STR("bridge_helper", cfg->bridgeHelperName);

    GET_VALUE_BOOL("mac_filter", cfg->macFilter);


--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -116,6 +116,7 @@ struct _virQEMUDriverConfig {

    char *hugetlbfsMount;
    char *hugepagePath;
+    char *bridgeHelperName;

    bool macFilter;


--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -49,6 +49,7 @@ module Test_libvirtd_qemu =
 { "auto_dump_bypass_cache" = "0" }
 { "auto_start_bypass_cache" = "0" }
 { "hugetlbfs_mount" = "/dev/hugepages" }
+{ "bridge_helper" = "/usr/libexec/qemu-bridge-helper" }
 { "clear_emulator_capabilities" = "1" }
 { "set_process_name" = "1" }
 { "max_processes" = "0" }