99cbc7
From 98189cd7e622bb89ee4916307c1287d97487233a Mon Sep 17 00:00:00 2001
99cbc7
Message-Id: <98189cd7e622bb89ee4916307c1287d97487233a@dist-git>
99cbc7
From: Erik Skultety <eskultet@redhat.com>
99cbc7
Date: Tue, 9 Apr 2019 08:34:34 +0200
99cbc7
Subject: [PATCH] security: dac: gfx: egl-headless: Relabel the DRI device
99cbc7
MIME-Version: 1.0
99cbc7
Content-Type: text/plain; charset=UTF-8
99cbc7
Content-Transfer-Encoding: 8bit
99cbc7
99cbc7
Just like for SPICE, we need to change the permissions on the DRI device
99cbc7
used as the @rendernode for egl-headless graphics type.
99cbc7
99cbc7
Signed-off-by: Erik Skultety <eskultet@redhat.com>
99cbc7
Reviewed-by: Ján Tomko <jtomko@redhat.com>
99cbc7
(cherry picked from commit ae00e73cfe91b76849712fb7d928cfefef39a6eb)
99cbc7
99cbc7
https://bugzilla.redhat.com/show_bug.cgi?id=1628892
99cbc7
Signed-off-by: Erik Skultety <eskultet@redhat.com>
99cbc7
99cbc7
 Conflicts:
99cbc7
	src/security/security_dac.c
99cbc7
            v4.7.0-58-g3ac7793ad1 was not backported
99cbc7
Message-Id: <f564d1859c197fb7477e49ce801124e0cc2d506f.1554791287.git.eskultet@redhat.com>
99cbc7
99cbc7
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
99cbc7
---
99cbc7
 src/security/security_dac.c | 15 +++++++--------
99cbc7
 1 file changed, 7 insertions(+), 8 deletions(-)
99cbc7
99cbc7
diff --git a/src/security/security_dac.c b/src/security/security_dac.c
99cbc7
index 74c70dd092..cc2ed10157 100644
99cbc7
--- a/src/security/security_dac.c
99cbc7
+++ b/src/security/security_dac.c
99cbc7
@@ -1419,11 +1419,16 @@ virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
99cbc7
                                virDomainGraphicsDefPtr gfx)
99cbc7
 
99cbc7
 {
99cbc7
+    const char *rendernode = virDomainGraphicsGetRenderNode(gfx);
99cbc7
     virSecurityDACDataPtr priv = virSecurityManagerGetPrivateData(mgr);
99cbc7
     virSecurityLabelDefPtr seclabel;
99cbc7
     uid_t user;
99cbc7
     gid_t group;
99cbc7
 
99cbc7
+    /* There's nothing to relabel */
99cbc7
+    if (!rendernode)
99cbc7
+        return 0;
99cbc7
+
99cbc7
     /* Skip chowning the shared render file if namespaces are disabled */
99cbc7
     if (!priv->mountNamespace)
99cbc7
         return 0;
99cbc7
@@ -1435,14 +1440,8 @@ virSecurityDACSetGraphicsLabel(virSecurityManagerPtr mgr,
99cbc7
     if (virSecurityDACGetIds(seclabel, priv, &user, &group, NULL, NULL) < 0)
99cbc7
         return -1;
99cbc7
 
99cbc7
-    if (gfx->type == VIR_DOMAIN_GRAPHICS_TYPE_SPICE &&
99cbc7
-        gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES &&
99cbc7
-        gfx->data.spice.rendernode) {
99cbc7
-        if (virSecurityDACSetOwnership(priv, NULL,
99cbc7
-                                       gfx->data.spice.rendernode,
99cbc7
-                                       user, group) < 0)
99cbc7
-            return -1;
99cbc7
-    }
99cbc7
+    if (virSecurityDACSetOwnership(priv, NULL, rendernode, user, group) < 0)
99cbc7
+        return -1;
99cbc7
 
99cbc7
     return 0;
99cbc7
 }
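Review bot: The explicit `gfx->data.spice.gl == VIR_TRISTATE_BOOL_YES` guard is dropped in this hunk, so whether a SPICE render node is chowned when GL is off now depends entirely on what `virDomainGraphicsGetRenderNode()` returns, and its body is not part of this patch. If the helper returns the node regardless of `gl`, the DRI device would be handed to the domain's uid/gid for a guest that never uses it. It is worth confirming that contract and stating it in the comment added in the first hunk, e.g. `/* No render node in use (type has none, or SPICE without GL): nothing to relabel */`. The `priv->mountNamespace` early return appears to be what keeps this chown off the host's shared device node, so it should stay ahead of the `virSecurityDACSetOwnership()` call. The seclabel lookup between the two hunks is outside the visible lines.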
99cbc7
-- 
99cbc7
2.21.0
99cbc7