Re: [PATCH] virt-aa-helper: Fix permissions for vhost-user socket files

John Ferlan <jferlan@xxxxxxxxxx> · Fri, 19 Jun 2015 15:55:36 -0400

On 06/19/2015 03:30 PM, Serge Hallyn wrote:
> Quoting Michal Dubiel (md@xxxxxxxxxxxx):
>> QEMU working in vhost-user mode communicates with the other end (i.e.
>> some virtual router application) via unix domain sockets. This requires
>> that permissions for the socket files are correctly written into
>> /etc/apparmor.d/libvirt/libvirt-UUID.files.
>>
>> Signed-off-by: Michal Dubiel <md@xxxxxxxxxxxx>
>> ---
>>  src/security/virt-aa-helper.c | 24 +++++++++++++-----------
>>  1 file changed, 13 insertions(+), 11 deletions(-)
>>
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index 35423b5..a097aa6 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -592,19 +592,9 @@ valid_path(const char *path, const bool readonly)
>>  
>>      if (!virFileExists(path)) {
>>          vah_warning(_("path does not exist, skipping file type checks"));
>> -    } else {
>> -        if (stat(path, &sb) == -1)
>> +    } else if (stat(path, &sb) == -1)
>>              return -1;
> 
> Hi,
> 
> Why keep this bit?  sb is not used later in the fn, and you
> already know that access(2) didn't return ENOENT.
> 

Besides by changing from :

    } else {
        if ((x) == -1))
            return -1;

to

    } else if ((x) == -1) {
            return -1;

Everything else inside the else if after the return -1 becomes dead

John
>>  
>> -        switch (sb.st_mode & S_IFMT) {
>> -            case S_IFSOCK:
>> -                return 1;
>> -                break;
>> -            default:
>> -                break;
>> -        }
>> -    }
>> -
>>      opaths = sizeof(override)/sizeof(*(override));
>>  
>>      npaths = sizeof(restricted)/sizeof(*(restricted));
>> @@ -1101,6 +1091,18 @@ get_files(vahControl * ctl)
>>          }
>>      }
>>  
>> +    for (i = 0; i < ctl->def->nnets; i++) {
>> +        if (ctl->def->nets[i] &&
>> +                ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
>> +                ctl->def->nets[i]->data.vhostuser) {
>> +            virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
>> +
>> +            if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
>> +                       vhu->type) != 0)
>> +                goto cleanup;
>> +        }
>> +    }
>> +
>>      if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>>          for (i = 0; i < ctl->def->nnets; i++) {
>>              virDomainNetDefPtr net = ctl->def->nets[i];
>> -- 
>> 1.9.1
>>
>> --
>> libvir-list mailing list
>> libvir-list@xxxxxxxxxx
>> https://www.redhat.com/mailman/listinfo/libvir-list
> 
> --
> libvir-list mailing list
> libvir-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/libvir-list
> 

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list