On Sun, Mar 14, 2021 at 12:50:52AM +0000, James Cook wrote:
> > >>
> > >> I believe the correct fix here is to unveil the base image in the
> > >> virtio_qcow2_get_base function in vioqcow2.c and not move around all the
> > >> unveil calls like you're doing. There's no reason to postpone them.
> > >>
> > >> I think virtio_qcow2_get_base is only used by vmctl (haven't confirmed)
> > >> but if so it should be safe to add the unveil call there. I did a quick
> > >> 1-line change and checked that it at least resolves the error you're
> > >> reporting.
> > >
> > > virtio_qcow2_get_base is also called by virtio_get_base in
> > > usr.sbin/vmd/virtio.c. Maybe add an "unveil" flag as an additional
> > > input to virtio_qcow2_get_base?
> > >
> >
> > Good catch. Can you try the diff at the end of this email?
> >
> > I've split virtio_qcow2_get_base into 2 functions:
> > - the base image extraction
> > - resolving the path to the base image
> >
> > I've updated vmd(8) and vmctl(8) accordingly. This allows vmctl to
> > properly unveil the base image without having to introduce unveil(2)
> > calls in vmd(8) where there are none currently.
>
> It does not work if you change directories:
>
>
> vmctl create -s 10m base.qcow2
> vmctl create -b base.qcow2 source.qcow2
> mkdir d
> cd d
> vmctl create -i ../source.qcow2 dest.qcow2
>
>
> the last command gives:
>
> unable to resolve base.qcow2
> vmctl: failed to open source image file
>
>
> I think the problem is that the call to unveil in open_imagefile is
> unveiling the wrong path --- it should be unveiling ../base.qcow2 but
> it is unveiling base.qcow2.
>
> My original patch works with the above example. I imagine it would also
> work to (a) optionally call unveil from vioqcow2.c or (b) split that
> function at a slightly different place --- after the snprintf(...,
> "%s/%s, ...) but before calling realpath.
>
> --
> James

Another thought --- is it necessary to call realpath at all?

--
James