From e68792c1120d2ea1604d315ae4aa0f193d03a4e6 Mon Sep 17 00:00:00 2001
From: Jamie Strandboge
Date: Tue, 6 Apr 2010 16:05:47 +0200
Subject: [PATCH] Do nor clear caps when invoking virt-aa-helper

The calls to virExec() in security_apparmor.c when invoking virt-aa-helper use VIR_EXEC_CLEAR_CAPS. When compiled without libcap-ng, this is not a problem (it's effectively a no-op) but with libcap-ng this causes MAC_ADMIN to be cleared. MAC_ADMIN is needed by virt-aa-helper to manipulate apparmor profiles and without it VMs will not start[1]. This patch calls virExec with the default VIR_EXEC_NONE instead.

* src/security/security_apparmor.c: fallback to VIR_EXEC_NONE flags for virExec of virt_aa_helper
---
 src/security/security_apparmor.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
index 8e1c794856..c0c91ccb4a 100644
--- a/src/security/security_apparmor.c
+++ b/src/security/security_apparmor.c
@@ -174,19 +174,19 @@ load_profile(const char *profile, virDomainObjPtr vm,
 VIRT_AA_HELPER, "-c", "-u", profile, NULL
 };
 ret = virExec(argv, NULL, NULL, &child,
- pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
+ pipefd[0], NULL, NULL, VIR_EXEC_NONE);
 } else if (disk && disk->src) {
 const char *const argv[] = {
 VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL
 };
 ret = virExec(argv, NULL, NULL, &child,
- pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
+ pipefd[0], NULL, NULL, VIR_EXEC_NONE);
 } else {
 const char *const argv[] = {
 VIRT_AA_HELPER, "-r", "-u", profile, NULL
 };
 ret = virExec(argv, NULL, NULL, &child,
- pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS);
+ pipefd[0], NULL, NULL, VIR_EXEC_NONE);
 }
 if (ret < 0)
 goto clean;
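Review bot: With `VIR_EXEC_NONE` at all three `virExec()` calls, virt-aa-helper now inherits the daemon's entire capability set rather than only the MAC_ADMIN it needs, and nothing in the code records why capability clearing was dropped. At minimum add a comment above the `if` chain, e.g. `/* do not pass VIR_EXEC_CLEAR_CAPS: virt-aa-helper needs CAP_MAC_ADMIN to load/replace profiles */`, so that a later hardening pass does not reintroduce the flag and break VM start. If virExec can be taught to retain a single capability while dropping the rest, that would be the narrower fix, since the helper is handed `profile` and `disk->src`, which presumably derive from the domain configuration. load_profile's body starts and ends outside the hunk, so how the child is reaped and its exit status checked is not visible here.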