From 7c7ec6e6c20675a99abe8685c715dc95e7e8dbff Mon Sep 17 00:00:00 2001

Message-Id: <7c7ec6e6c20675a99abe8685c715dc95e7e8dbff@dist-git>

From: Michal Privoznik <mprivozn@redhat.com>

Date: Tue, 6 Sep 2022 13:37:23 +0200

Subject: [PATCH] qemu_namespace: Tolerate missing ACLs when creating a path in

 namespace

When creating a path in a domain's mount namespace we try to set

ACLs on it, so that it's a verbatim copy of the path in parent's

namespace. The ACLs are queried upfront (by

qemuNamespaceMknodItemInit()) but this is fault tolerant so the

pointer to ACLs might be NULL (meaning no ACLs were queried, for

instance because the underlying filesystem does not support

them). But then we take this NULL and pass it to virFileSetACLs()

which immediately returns an error because NULL is invalid value.

Mimic what we do with SELinux label - only set ACLs if they are

non-NULL which includes symlinks.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>

(cherry picked from commit 687374959e160dc566bd4b6d43c7bf1beb470c59)

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2123196

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

---

 src/qemu/qemu_namespace.c | 3 +--

 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c

index 94453033f5..4bff325a2c 100644

--- a/src/qemu/qemu_namespace.c

+++ b/src/qemu/qemu_namespace.c

@@ -1023,8 +1023,7 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data)

         goto cleanup;

     }

-    /* Symlinks don't have ACLs. */

-    if (!isLink &&

+    if (data->acl &&

         virFileSetACLs(data->file, data->acl) < 0 &&

         errno != ENOTSUP) {

         virReportSystemError(errno,

-- 

2.38.0