Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
openeuler
libvirt
提交
96619805
L
libvirt
项目概览
openeuler
/
libvirt
通知
3
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
L
libvirt
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
96619805
编写于
6月 29, 2009
作者:
D
Daniel P. Berrange
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
Use libcap-ng to clear capabilities for many child processes
上级
1a982aef
变更
8
隐藏空白更改
内联
并排
Showing
8 changed file
with
58 addition
and
7 deletion
+58
-7
ChangeLog
ChangeLog
+12
-0
src/Makefile.am
src/Makefile.am
+4
-2
src/qemu_conf.c
src/qemu_conf.c
+1
-1
src/qemu_driver.c
src/qemu_driver.c
+1
-1
src/remote_internal.c
src/remote_internal.c
+4
-2
src/uml_driver.c
src/uml_driver.c
+2
-1
src/util.c
src/util.c
+33
-0
src/util.h
src/util.h
+1
-0
未找到文件。
ChangeLog
浏览文件 @
96619805
Mon Jun 29 12:48:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
Use libcap-ng to clear capabilities for many child processes
* src/Makefile.am: Link to libcap-ng in util code
* src/qemu_conf.c: Clear capabilities when running qemu -help
* src/qemu_driver.c: Clear capabilities when running VMs
* src/remote_internal.c: Clear capabilities for auto-spawned
libvirtd session daemon, and SSH tunnel client
* src/uml_driver.c: Clear capabilities for UML VMs
* src/util.h, src/util.c: Add virExec() flag to allow
clearing of capabilities when spawning processes
Mon Jun 29 12:28:20 BST 2009 Daniel P. Berrange <berrange@redhat.com>
Prepare for using libcap-ng
...
...
src/Makefile.am
浏览文件 @
96619805
...
...
@@ -215,6 +215,8 @@ noinst_LTLIBRARIES = libvirt_util.la
libvirt_la_LIBADD
=
libvirt_util.la
libvirt_util_la_SOURCES
=
\
$(UTIL_SOURCES)
libvirt_util_la_CFLAGS
=
$(CAPNG_CFLAGS)
libvirt_util_la_LDFLAGS
=
$(CAPNG_LIBS)
noinst_LTLIBRARIES
+=
libvirt_driver.la
libvirt_la_LIBADD
+=
libvirt_driver.la
...
...
@@ -664,9 +666,9 @@ libvirt_lxc_SOURCES = \
$(LXC_CONTROLLER_SOURCES)
\
$(UTIL_SOURCES)
\
$(DOMAIN_CONF_SOURCES)
libvirt_lxc_LDFLAGS
=
$(WARN_CFLAGS)
$(COVERAGE_LDCFLAGS)
libvirt_lxc_LDFLAGS
=
$(WARN_CFLAGS)
$(COVERAGE_LDCFLAGS)
$(CAPNG_LIBS)
libvirt_lxc_LDADD
=
$(LIBXML_LIBS)
$(NUMACTL_LIBS)
../gnulib/lib/libgnu.la
libvirt_lxc_CFLAGS
=
$(LIBPARTED_CFLAGS)
$(NUMACTL_CFLAGS)
libvirt_lxc_CFLAGS
=
$(LIBPARTED_CFLAGS)
$(NUMACTL_CFLAGS)
$(CAPNG_CFLAGS)
endif
endif
EXTRA_DIST
+=
$(LXC_CONTROLLER_SOURCES)
...
...
src/qemu_conf.c
浏览文件 @
96619805
...
...
@@ -596,7 +596,7 @@ int qemudExtractVersionInfo(const char *qemu,
*
retversion
=
0
;
if
(
virExec
(
NULL
,
qemuarg
,
qemuenv
,
NULL
,
&
child
,
-
1
,
&
newstdout
,
NULL
,
VIR_EXEC_
NONE
)
<
0
)
&
child
,
-
1
,
&
newstdout
,
NULL
,
VIR_EXEC_
CLEAR_CAPS
)
<
0
)
return
-
1
;
char
*
help
=
NULL
;
...
...
src/qemu_driver.c
浏览文件 @
96619805
...
...
@@ -1461,7 +1461,7 @@ static int qemudStartVMDaemon(virConnectPtr conn,
ret
=
virExecDaemonize
(
conn
,
argv
,
progenv
,
&
keepfd
,
&
child
,
stdin_fd
,
&
logfile
,
&
logfile
,
VIR_EXEC_NONBLOCK
,
VIR_EXEC_NONBLOCK
|
VIR_EXEC_CLEAR_CAPS
,
qemudSecurityHook
,
&
hookData
,
pidfile
);
VIR_FREE
(
pidfile
);
...
...
src/remote_internal.c
浏览文件 @
96619805
...
...
@@ -295,7 +295,8 @@ remoteForkDaemon(virConnectPtr conn)
}
if
(
virExecDaemonize
(
NULL
,
daemonargs
,
NULL
,
NULL
,
&
pid
,
-
1
,
NULL
,
NULL
,
0
,
&
pid
,
-
1
,
NULL
,
NULL
,
VIR_EXEC_CLEAR_CAPS
,
NULL
,
NULL
,
NULL
)
<
0
)
return
-
1
;
...
...
@@ -749,7 +750,8 @@ doRemoteOpen (virConnectPtr conn,
}
if
(
virExec
(
conn
,
(
const
char
**
)
cmd_argv
,
NULL
,
NULL
,
&
pid
,
sv
[
1
],
&
(
sv
[
1
]),
NULL
,
VIR_EXEC_NONE
)
<
0
)
&
pid
,
sv
[
1
],
&
(
sv
[
1
]),
NULL
,
VIR_EXEC_CLEAR_CAPS
)
<
0
)
goto
failed
;
/* Parent continues here. */
...
...
src/uml_driver.c
浏览文件 @
96619805
...
...
@@ -845,7 +845,8 @@ static int umlStartVMDaemon(virConnectPtr conn,
ret
=
virExecDaemonize
(
conn
,
argv
,
progenv
,
&
keepfd
,
&
pid
,
-
1
,
&
logfd
,
&
logfd
,
0
,
NULL
,
NULL
,
NULL
);
VIR_EXEC_CLEAR_CAPS
,
NULL
,
NULL
,
NULL
);
close
(
logfd
);
for
(
i
=
0
;
argv
[
i
]
;
i
++
)
...
...
src/util.c
浏览文件 @
96619805
...
...
@@ -56,6 +56,10 @@
#ifdef HAVE_GETPWUID_R
#include <pwd.h>
#endif
#if HAVE_CAPNG
#include <cap-ng.h>
#endif
#include "virterror_internal.h"
#include "logging.h"
...
...
@@ -264,6 +268,29 @@ int virSetCloseExec(int fd) {
return
0
;
}
#if HAVE_CAPNG
static
int
virClearCapabilities
(
void
)
{
int
ret
;
capng_clear
(
CAPNG_SELECT_BOTH
);
if
((
ret
=
capng_apply
(
CAPNG_SELECT_BOTH
))
<
0
)
{
VIR_ERROR
(
"cannot clear process capabilities %d"
,
ret
);
return
-
1
;
}
return
0
;
}
#else
static
int
virClearCapabilities
(
void
)
{
// VIR_WARN0("libcap-ng support not compiled in, unable to clear capabilities");
return
0
;
}
#endif
/*
* @conn Connection to report errors against
* @argv argv to exec
...
...
@@ -481,6 +508,12 @@ __virExec(virConnectPtr conn,
if
((
hook
)(
data
)
!=
0
)
_exit
(
1
);
/* The hook above may need todo something privileged, so
* we delay clearing capabilities until now */
if
((
flags
&
VIR_EXEC_CLEAR_CAPS
)
&&
virClearCapabilities
()
<
0
)
_exit
(
1
);
/* Daemonize as late as possible, so the parent process can detect
* the above errors with wait* */
if
(
flags
&
VIR_EXEC_DAEMON
)
{
...
...
src/util.h
浏览文件 @
96619805
...
...
@@ -37,6 +37,7 @@ enum {
VIR_EXEC_NONE
=
0
,
VIR_EXEC_NONBLOCK
=
(
1
<<
0
),
VIR_EXEC_DAEMON
=
(
1
<<
1
),
VIR_EXEC_CLEAR_CAPS
=
(
1
<<
2
),
};
int
virSetNonBlock
(
int
fd
);
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录