On Wed, Jun 24, 2015 at 09:58:45AM +0200, Cédric Bosdonnat wrote:
Rules generated for a path like '/' were having '//' which isn't
That applies only for those that were recursive, right? Looks good to me, ACK.
correct for apparmor. Make virt-aa-helper smarter to avoid these. --- src/security/virt-aa-helper.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 35423b5..9f1c570 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -773,6 +773,7 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi char *tmp = NULL; int rc = -1; bool readonly = true; + bool trailingSlash; if (path == NULL) return rc; @@ -809,14 +810,18 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi goto cleanup; } - virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms); + trailingSlash = (tmp[strlen(tmp) - 1] == '/'); + + virBufferAsprintf(buf, " \"%s%s%s\" %s,\n", tmp, trailingSlash ? "" : "/", + recursive ? "**" : "", perms); if (readonly) { virBufferAddLit(buf, " # don't audit writes to readonly files\n"); - virBufferAsprintf(buf, " deny \"%s%s\" w,\n", tmp, recursive ? "/**" : ""); + virBufferAsprintf(buf, " deny \"%s%s%s\" w,\n", tmp, + trailingSlash ? "" : "/", recursive ? "**" : ""); } if (recursive) { /* allow reading (but not creating) the dir */ - virBufferAsprintf(buf, " \"%s/\" r,\n", tmp); + virBufferAsprintf(buf, " \"%s%s\" r,\n", tmp, trailingSlash ? "" : "/"); } cleanup: -- 2.1.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
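Review bot: `bool trailingSlash;` in the first hunk is the only local without an initializer, while its neighbours (`tmp = NULL`, `rc = -1`, `readonly = true`) all carry one, and there are `goto cleanup` paths between the declaration and the assignment further down. Initializing it to `false` keeps the function's convention and rules out a use-before-assignment warning if the cleanup path ever starts referring to it.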
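Review bot: the new format string in the first `virBufferAsprintf` call of the second hunk appends a slash to every path that does not already end in one, not only to recursive ones: `trailingSlash ? "" : "/"` is emitted unconditionally and only the `**` is gated on `recursive`. A non-recursive file path therefore comes out as `"/path/to/file/" perms,`, which no longer matches the file, and the `deny "%s%s%s" w` rule has the same problem. A smaller change that keeps the existing file rules intact is to strip one trailing slash from `tmp` before formatting (e.g. `if (tmp[strlen(tmp) - 1] == '/') tmp[strlen(tmp) - 1] = '\0';`) and leave the original `recursive ? "/**" : ""` and `" \"%s/\" r,\n"` forms unchanged, so that `/` becomes `/**` and `/` instead of `//**` and `//`. Either way, `tmp[strlen(tmp) - 1]` reads before the buffer if `tmp` is ever the empty string, so a `*tmp != '\0'` check in front of it is cheap insurance.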