On Thu, 12 Nov 2009, Jamie Strandboge wrote: > 2_aa_require_absolute_path.patch: > Require absolute path for dynamic added files. This is required by > AppArmor and conveniently prevents adding tcp consoles to the profile. > This fixes https://launchpad.net/bugs/460271. > -- Jamie Strandboge | http://www.canonical.com
diff -Naurp libvirt.orig/src/security/virt-aa-helper.c libvirt/src/security/virt-aa-helper.c
--- libvirt.orig/src/security/virt-aa-helper.c 2009-11-06 16:50:19.000000000 -0600
+++ libvirt/src/security/virt-aa-helper.c 2009-11-06 17:05:12.000000000 -0600
@@ -517,6 +517,10 @@ valid_path(const char *path, const bool
 if (strchr(path, '"') != NULL)
 return 1;
 
+ /* Require an absolute path */
+ if (STRNEQLEN(path, "/", 1))
+ return 1;
+
 if (!virFileExists(path))
 vah_warning("path does not exist, skipping file type checks");
 else {
@@ -718,6 +722,16 @@ vah_add_file(virBufferPtr buf, const cha
 if (path == NULL)
 return rc;
 
+ /* Skip files without an absolute path. Not having one confuses the
+ * apparmor parser and this also ensures things like tcp consoles don't
+ * get added to the profile.
+ */
+ if (STRNEQLEN(path, "/", 1)) {
+ vah_warning(path);
+ vah_warning(" skipped non-absolute path");
+ return 0;
+ }
+
 if (virFileExists(path)) {
 if ((tmp = realpath(path, NULL)) == NULL) {
 vah_error(NULL, 0, path);
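Review bot: The new test in valid_path() inspects only the first byte, so any string that begins with `/` is accepted, including paths with `..` components or AppArmor glob characters; the only other character filter visible in this hunk is the `"` check just above. valid_path() continues outside the hunk, so if nothing later canonicalises the path the comment should say so, e.g. `/* Require an absolute path; does not normalise ".." or reject glob characters */`. The same `STRNEQLEN(path, "/", 1)` test is repeated in vah_add_file() in the next hunk; a plain `path[0] != '/'` or one small shared helper would keep the two sites in step. This site also rejects silently with `return 1` while vah_add_file() warns and returns 0, and that difference deserves a one-line comment at each place.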
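Review bot: The skip branch in vah_add_file() passes `path` on its own as the entire message to vah_warning() and then emits the explanation in a second call, so the log receives two separate warnings and the path value lands in the message position unfiltered. vah_warning() is defined outside this hunk; if it treats its argument as a format string a `%` in the path would be interpreted, and either way a path containing a newline can split the log entry. Building one message, for example with a bounded `snprintf(msg, sizeof(msg), "skipped non-absolute path: %s", path);` followed by a single `vah_warning(msg);`, keeps the entry on one line and the path in argument position. Returning 0 here means the caller cannot tell a skipped entry from an added one, which is worth stating in the comment. The function body continues past the end of the hunk.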