Milan Zamazal
2018-Sep-19 10:39 UTC
[libvirt-users] Which objects does dynamic_ownership apply to?
Hi,

I'm playing with dynamic ownership and not all objects have their owners changed.

Is dynamic_ownership and its scope documented somewhere, besides the comment in qemu.conf?

And what kinds of objects are handled by dynamic ownership? While some objects seem to be handled, other objects are apparently unaffected. For instance /dev/hwrng or a USB host device keep their root owners and are inaccessible to the VM. Is that expected or do I have anything wrong?

Thanks,
Milan
Michal Prívozník
2018-Sep-19 14:25 UTC
Re: [libvirt-users] Which objects does dynamic_ownership apply to?
On 09/19/2018 12:39 PM, Milan Zamazal wrote:
> Hi, I'm playing with dynamic ownership and not all objects have their
> owners changed.
>
> Is dynamic_ownership and its scope documented somewhere, besides the
> comment in qemu.conf?
>
> And what kinds of objects are handled by dynamic ownership? While some
> objects seem to be handled, other objects are apparently unaffected.
> For instance /dev/hwrng or a USB host device keep their root owners and
> are inaccessible to the VM. Is that expected or do I have anything
> wrong?

Basically, if a file is used solely by a domain we can relabel it. However, if a file can be used by other processes (not only qemu) then we must not change its label as we would be effectively cutting off the other processes we know nothing about. In this case, /dev/hwrng might be used by some other process in the system. Also the fact that it's owned by root:root and not readable by anybody except the root user, tells me that we might not want to pass the file to any domain?

Michal
Milan Zamazal
2018-Sep-20 10:31 UTC
Re: [libvirt-users] Which objects does dynamic_ownership apply to?
Michal Prívozník <mprivozn@redhat.com> writes:
> On 09/19/2018 12:39 PM, Milan Zamazal wrote:
>> Hi, I'm playing with dynamic ownership and not all objects have their
>> owners changed.
>>
>> Is dynamic_ownership and its scope documented somewhere, besides the
>> comment in qemu.conf?
>>
>> And what kinds of objects are handled by dynamic ownership? While some
>> objects seem to be handled, other objects are apparently unaffected.
>> For instance /dev/hwrng or a USB host device keep their root owners and
>> are inaccessible to the VM. Is that expected or do I have anything
>> wrong?
>
> Basically, if a file is used solely by a domain we can relabel it.
> However, if a file can be used by other processes (not only qemu) then
> we must not change its label as we would be effectively cutting off the
> other processes we know nothing about. In this case, /dev/hwrng might be
> used by some other process in the system. Also the fact that it's owned
> by root:root and not readable by anybody except the root user, tells me
> that we might not want to pass the file to any domain?

Well, /dev/hwrng may be arguable, although oVirt permits passing it to a VM, of course only on explicit user's request. But how about host devices such as USB and PCI devices? For example

  <hostdev managed="no" mode="subsystem" type="usb">
    <source>
      <address bus="3" device="2" />
    </source>
    <alias name="ua-3773b389-54be-4fd5-ae8b-2f954470b1a9" />
    <address bus="0" port="1" type="usb" />
  </hostdev>

doesn't change the owner of /dev/bus/usb/003/002 (the same for managed="yes"). Similarly for a PCI hostdev device /dev/vfio/* owners are not changed. Does the same argument apply?

OTOH, a CD-ROM image, which can be shared across domains and at least in theory can be accessed by other processes, gets its owner changed.

My primary concern right now is what exactly is handled. We can deal with manual ownership changes of certain devices as we have done so far. But I'm looking for a more reliable source of information than my experiments, to prevent future breakages. Is it documented anywhere what is handled by libvirt and what is not? Or can it be defined in less ambiguous terms than above?

Thanks,
Milan