[PATCH v2 2/3] virt-aa-helper: Simplify restriction logic


 



First check overrides, then read-only files, then restricted access
itself.

This allows us to mark files for read only access whose parents were
already restricted for read write.

Based on a proposal by Martin Kletzander
---
 src/security/virt-aa-helper.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 178569e..8e01bf6 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -546,7 +546,9 @@ array_starts_with(const char *str, const char * const *arr, const long size)
 static int
 valid_path(const char *path, const bool readonly)
 {
-    int npaths, opaths;
+    int npaths;
+    int nropaths;
+
     const char * const restricted[] = {
         "/bin/",
         "/etc/",
@@ -596,19 +598,24 @@ valid_path(const char *path, const bool readonly)
     if (!virFileExists(path))
         vah_warning(_("path does not exist, skipping file type checks"));
 
-    opaths = sizeof(override)/sizeof(*(override));
-
-    npaths = sizeof(restricted)/sizeof(*(restricted));
-    if (array_starts_with(path, restricted, npaths) == 0 &&
-        array_starts_with(path, override, opaths) != 0)
-            return 1;
+    /* overrides are always allowed */
+    npaths = sizeof(override)/sizeof(*(override));
+    if (array_starts_with(path, override, npaths) == 0)
+        return 0;
 
-    npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
-    if (!readonly) {
-        if (array_starts_with(path, restricted_rw, npaths) == 0)
-            return 1;
+    /* allow read only paths upfront */
+    if (readonly) {
+        nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
+        if (array_starts_with(path, restricted_rw, nropaths) == 0)
+            return 0;
     }
 
+    /* disallow RW acess to all paths in restricted and restriced_rw */
+    npaths = sizeof(restricted)/sizeof(*(restricted));
+    if ((array_starts_with(path, restricted, npaths) == 0
+        || array_starts_with(path, restricted_rw, nropaths) == 0))
+        return 1;
+
     return 0;
 }
 
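Review bot: `nropaths` is read uninitialized whenever `readonly` is false: it is assigned only inside `if (readonly)`, yet the final condition passes it to `array_starts_with(path, restricted_rw, nropaths)`, and that operand only matters on the read-write path, because a read-only match on `restricted_rw` has already returned 0. The denial of RW access to `restricted_rw` paths therefore depends on an indeterminate array length, in a helper whose result decides which paths are accepted for the AppArmor profile. Move the assignment above the conditional, `nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));`, so that both uses see the real element count; the declaration itself is in the first hunk. The new comment is also misleading and misspelled: paths in `restricted` are still refused for read-only requests, so something like `/* disallow any access to restricted paths and RW access to restricted_rw paths */` would describe the check. Overrides now return 0 before `restricted_rw` is consulted, which looks wider than the old logic, where they only exempted `restricted`; worth confirming that this is intended.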
-- 
2.1.4



