First check overrides, then read only files then restricted access itself. This allows us to mark files for read only access whose parents were already restricted for read write. Based on a proposal by Martin Kletzander --- src/security/virt-aa-helper.c | 29 ++++++++++++++++++----------- 1 file changed, 18 insertions(+), 11 deletions(-) diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c index 178569e..8e01bf6 100644 --- a/src/security/virt-aa-helper.c +++ b/src/security/virt-aa-helper.c @@ -546,7 +546,9 @@ array_starts_with(const char *str, const char * const *arr, const long size) static int valid_path(const char *path, const bool readonly) { - int npaths, opaths; + int npaths; + int nropaths; + const char * const restricted[] = { "/bin/", "/etc/", @@ -596,19 +598,24 @@ valid_path(const char *path, const bool readonly) if (!virFileExists(path)) vah_warning(_("path does not exist, skipping file type checks")); - opaths = sizeof(override)/sizeof(*(override)); - - npaths = sizeof(restricted)/sizeof(*(restricted)); - if (array_starts_with(path, restricted, npaths) == 0 && - array_starts_with(path, override, opaths) != 0) - return 1; + /* overrides are always allowed */ + npaths = sizeof(override)/sizeof(*(override)); + if (array_starts_with(path, override, npaths) == 0) + return 0; - npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw)); - if (!readonly) { - if (array_starts_with(path, restricted_rw, npaths) == 0) - return 1; + /* allow read only paths upfront */ + if (readonly) { + nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw)); + if (array_starts_with(path, restricted_rw, nropaths) == 0) + return 0; } + /* disallow RW acess to all paths in restricted and restriced_rw */ + npaths = sizeof(restricted)/sizeof(*(restricted)); + if ((array_starts_with(path, restricted, npaths) == 0 + || array_starts_with(path, restricted_rw, nropaths) == 0)) + return 1; + return 0; } -- 2.1.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list