SDL, access authority issue in qemu-kvm

The open virtualization solution qemu-kvm now supports an SDL frame
buffer for its guest, but there is a problem when using it: it seems
some authority is needed to use SDL.

issue description:
the management stack would take out super user authority for
security reasons before invoking qemu by calling:

"capng_clear(CAPNG_SELECT_BOTH);"

then qemu fails when the following code executes:

flags = SDL_INIT_VIDEO | SDL_INIT_NOPARACHUTE;
if (SDL_Init (flags)) {
    fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",
            SDL_GetError());
    exit(1);
}

the environment arguments are set as
XAUTHORITY=/root/.Xauthority DISPLAY=:0.0

When "capng_clear(CAPNG_SELECT_BOTH);" is not called, then everything
is OK. So I wonder whether any special authority is needed to enable SDL;
could anyone help check about it?

--
Best Regards

Wayne Xia
mail:@Wayne_Xia
tel:86-010-82450803

> if (SDL_Init (flags)) {
>     fprintf(stderr, "Could not initialize SDL(%s) - exiting\n",
>             SDL_GetError());
>     exit(1);
> }
>
> the environment arguments are set as
> XAUTHORITY=/root/.Xauthority DISPLAY=:0.0
>
> When "capng_clear(CAPNG_SELECT_BOTH);" is not called, then everything
> is OK. So I wonder whether any special authority is needed to enable SDL;
> could anyone help check about it?

Did this ever get resolved?

If not, it would be useful to know what that fprintf() call reports.

SDL doesn’t need elevated privileges to run, but it will try to access
various system resources (such as the socket for the X11 server, or
/dev/fb* for direct video access, etc). I’m not sure exactly what
capabilities end up being cleared by that capng_clear() call.

--ryan.
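
A small diagnostic for the situation in this thread, added here as an example and not code from qemu, SDL or either poster. Run under the same environment and after the same privilege drop as qemu, it reports the effective capability mask and whether the resources the reply names (the X authority file, the X11 socket, /dev/fb0) are accessible. The helper names are illustrative, and the socket path assumes the conventional /tmp/.X11-unix/X<n> location for a local display.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Added example: helper names are illustrative, not qemu or SDL code. */
/* Extract the effective capability mask from /proc/<pid>/status text. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    const char *p = strstr(status, "CapEff:");
    return (p && sscanf(p + 7, "%llx", mask) == 1) ? 0 : -1;
}

/* DISPLAY=":0.0" -> "/tmp/.X11-unix/X0" (assumed path, local displays only). */
int x11_socket_path(const char *display, char *buf, size_t len)
{
    char *end;
    if (!display || display[0] != ':')
        return -1;
    long n = strtol(display + 1, &end, 10);
    if (end == display + 1 || n < 0)
        return -1;
    snprintf(buf, len, "/tmp/.X11-unix/X%ld", n);
    return 0;
}

/* access() checks with the real UID, so it reflects a dropped identity. */
static void probe(const char *what, const char *path, int mode)
{
    if (!path) { printf("%-12s (unset)\n", what); return; }
    printf("%-12s %s: %s\n", what, path,
           access(path, mode) == 0 ? "ok" : strerror(errno));
}

int main(void)
{
    char status[4096] = "", sock[64];
    unsigned long long eff = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { size_t n = fread(status, 1, sizeof status - 1, f); status[n] = 0; fclose(f); }
    if (parse_cap_eff(status, &eff) == 0)   /* bit 1 is CAP_DAC_OVERRIDE */
        printf("CapEff       %016llx (CAP_DAC_OVERRIDE %s)\n", eff,
               (eff >> 1) & 1 ? "held" : "cleared");
    printf("uid/euid     %d/%d\n", (int)getuid(), (int)geteuid());
    probe("XAUTHORITY", getenv("XAUTHORITY"), R_OK);
    if (x11_socket_path(getenv("DISPLAY"), sock, sizeof sock) == 0)
        probe("X11 socket", sock, R_OK | W_OK);
    probe("framebuffer", "/dev/fb0", R_OK | W_OK);
    return 0;
}
```

Comparing its output with and without the capng_clear() call shows which resource, if any, becomes inaccessible, which complements the SDL_GetError() text asked for above.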