On 17/06/19 06:10, wangjie (P) wrote:
> Hi, I found there is a bug in pr-helper:
>
> We run pr-helper process in root, and drop all capabilities except
> CAP_SYS_RAWIO.
>
> But the sock file which connect from qemu is owned by qemu group,
> when pr-helper exit,
>
> it will call “close_server_socket ->
> object_unref(OBJECT(server_ioc)) -> qio_channel_socket_finalize ->
> socket_listen_cleanup”,
>
> unlink sock file will fail and output “Failed to unlink socket xxx,
> Permission denied”.
>
> I tried to add capability CAP_DAC_OVERRIDE in pr-helper, it will
> unlink sock success, but I think capability CAP_DAC_OVERRIDE is too
> dangerous.

Interesting... yeah, CAP_DAC_OVERRIDE is a big big hammer. I think this would be fixed by also changing owner and group of the pr-helper to qemu; it should work because it uses CAP_SYS_RAWIO.

Paolo
