> >> I believe the correct fix here is to unveil the base image in the
> >> virtio_qcow2_get_base function in vioqcow2.c and not move around all the
> >> unveil calls like you're doing. There's no reason to postpone them.
> >>
> >> I think virtio_qcow2_get_base is only used by vmctl (haven't confirmed)
> >> but if so it should be safe to add the unveil call there. I did a quick
> >> 1-line change and checked that it at least resolves the error you're
> >> reporting.
> >
> > virtio_qcow2_get_base is also called by virtio_get_base in
> > usr.sbin/vmd/virtio.c. Maybe add an "unveil" flag as an additional
> > input to virtio_qcow2_get_base?
> >
>
> Good catch. Can you try the diff at the end of this email?
>
> I've split virtio_qcow2_get_base into 2 functions:
> - the base image extraction
> - resolving the path to the base image
>
> I've updated vmd(8) and vmctl(8) accordingly. This allows vmctl to
> properly unveil the base image without having to introduce unveil(2)
> calls in vmd(8) where there are none currently.

It does not work if you change directories:

    vmctl create -s 10m base.qcow2
    vmctl create -b base.qcow2 source.qcow2
    mkdir d
    cd d
    vmctl create -i ../source.qcow2 dest.qcow2

the last command gives:

    unable to resolve base.qcow2
    vmctl: failed to open source image file

I think the problem is that the call to unveil in open_imagefile is
unveiling the wrong path --- it should be unveiling ../base.qcow2 but it
is unveiling base.qcow2.

My original patch works with the above example. I imagine it would also
work to (a) optionally call unveil from vioqcow2.c or (b) split that
function at a slightly different place --- after the
snprintf(..., "%s/%s, ...) but before calling realpath.

-- 
James
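
The path join behind option (b), as an added example that is not part of this thread or of the vmd/vmctl sources: it builds the path to unveil from the directory of the image that names the base, so the reproduction above yields ../base.qcow2 rather than base.qcow2. The function names base_path_from_cwd and unveil_base, the "r" permission, and the premise that the stored base name is relative to the referencing image's directory are assumptions.

```c
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#ifdef __OpenBSD__
#include <unistd.h>
#endif
#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/*
 * Hypothetical helper: build the base image path as seen from the cwd.
 * `base` is the name stored in the qcow2 header; it is taken to be relative
 * to the directory holding `imgpath`, not to the current directory.
 * Returns 0 on success, -1 if a path would be truncated.
 */
int
base_path_from_cwd(const char *imgpath, const char *base, char *out, size_t len)
{
	char copy[PATH_MAX];
	int n;

	if (base[0] == '/') {
		/* An absolute base name is used exactly as stored. */
		n = snprintf(out, len, "%s", base);
	} else {
		/* dirname() may modify its argument, so work on a copy. */
		n = snprintf(copy, sizeof(copy), "%s", imgpath);
		if (n < 0 || (size_t)n >= sizeof(copy))
			return -1;
		n = snprintf(out, len, "%s/%s", dirname(copy), base);
	}
	if (n < 0 || (size_t)n >= len)
		return -1;
	return 0;
}

/* Unveil the joined path read-only; does nothing where unveil(2) is absent. */
int
unveil_base(const char *imgpath, const char *base)
{
	char path[PATH_MAX];

	if (base_path_from_cwd(imgpath, base, path, sizeof(path)) == -1)
		return -1;
#ifdef __OpenBSD__
	return unveil(path, "r");
#else
	return 0;
#endif
}
```
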