From 1f0a6e441617da6a95e2188408ad1ed2dd4665e4 Mon Sep 17 00:00:00 2001

Message-Id: <1f0a6e441617da6a95e2188408ad1ed2dd4665e4@dist-git>

From: Michal Privoznik <mprivozn@redhat.com>

Date: Tue, 6 Sep 2022 13:37:23 +0200

Subject: [PATCH] qemu_namespace: Tolerate missing ACLs when creating a path in

 namespace

When creating a path in a domain's mount namespace we try to set

ACLs on it, so that it's a verbatim copy of the path in parent's

namespace. The ACLs are queried upfront (by

qemuNamespaceMknodItemInit()) but this is fault tolerant so the

pointer to ACLs might be NULL (meaning no ACLs were queried, for

instance because the underlying filesystem does not support

them). But then we take this NULL and pass it to virFileSetACLs()

which immediately returns an error because NULL is invalid value.

Mimic what we do with SELinux label - only set ACLs if they are

non-NULL which includes symlinks.

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

Reviewed-by: Martin Kletzander <mkletzan@redhat.com>

(cherry picked from commit 687374959e160dc566bd4b6d43c7bf1beb470c59)

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2152083

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>

---

 src/qemu/qemu_namespace.c | 3 +--

 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/qemu/qemu_namespace.c b/src/qemu/qemu_namespace.c

index 98cd794666..71e3366ca5 100644

--- a/src/qemu/qemu_namespace.c

+++ b/src/qemu/qemu_namespace.c

@@ -1040,8 +1040,7 @@ qemuNamespaceMknodOne(qemuNamespaceMknodItem *data)

         goto cleanup;

     }

-    /* Symlinks don't have ACLs. */

-    if (!isLink &&

+    if (data->acl &&

         virFileSetACLs(data->file, data->acl) < 0 &&

         errno != ENOTSUP) {

         virReportSystemError(errno,

-- 

2.39.0