First check overrides, then read only files then restricted access itself. as proposed by Martin Kletzander --- src/security/virt-aa-helper.c | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 4ce1e7a..963cba6 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -544,7 +544,7 @@ array_starts_with(const char *str, const char * const *arr, const long size) static int valid_path(const char *path, const bool readonly) { - int npaths, opaths; + int npaths; const char * const restricted[] = { "/bin/", "/etc/", @@ -594,19 +594,20 @@ valid_path(const char *path, const bool readonly) if (!virFileExists(path)) vah_warning(_("path does not exist, skipping file type checks")); - opaths = sizeof(override)/sizeof(*(override)); - - npaths = sizeof(restricted)/sizeof(*(restricted)); - if (array_starts_with(path, restricted, npaths) == 0 && - array_starts_with(path, override, opaths) != 0) - return 1; + npaths = sizeof(override)/sizeof(*(override)); + if (array_starts_with(path, override, npaths) == 0) + return 0; npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw)); - if (!readonly) { + if (readonly) { if (array_starts_with(path, restricted_rw, npaths) == 0) - return 1; + return 0; } + npaths = sizeof(restricted)/sizeof(*(restricted)); + if (array_starts_with(path, restricted, npaths) != 0) + return 1; + return 0; } -- 2.1.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list