On Mon, 2010-04-05 at 16:15 -0500, Jamie Strandboge wrote: > 7_apparmor-fix-hostdev.patch: adjust virt-aa-helper to handle pci > devices. Update valid_path() to have an override array to check against, > and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to > file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it. -- Jamie Strandboge | http://www.canonical.com
Author: Jamie Strandboge <jamie@xxxxxxxxxxxxx>
Description: adjust virt-aa-helper to handle pci devices. Update valid_path() to have an override array to check against, and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it.
Bug-Ubuntu: https://launchpad.net/bugs/545795
Index: libvirt-0.7.7/src/security/virt-aa-helper.c
===================================================================
--- libvirt-0.7.7.orig/src/security/virt-aa-helper.c	2010-04-05 12:45:39.000000000 -0500
+++ libvirt-0.7.7/src/security/virt-aa-helper.c	2010-04-05 12:45:39.000000000 -0500
@@ -490,7 +490,7 @@
 valid_path(const char *path, const bool readonly)
 {
     struct stat sb;
-    int npaths;
+    int npaths, opaths;
     const char * const restricted[] = {
         "/bin/",
         "/etc/",
@@ -516,6 +516,10 @@
         "/initrd",
         "/initrd.img"
     };
+    /* override the above with these */
+    const char * const override[] = {
+        "/sys/devices/pci" /* for hostdev pci devices */
+    };
     if (path == NULL || strlen(path) > PATH_MAX - 1) {
         vah_error(NULL, 0, "bad pathname");
@@ -553,9 +557,12 @@
         }
     }
+    opaths = sizeof(override)/sizeof *(override);
+
     npaths = sizeof(restricted)/sizeof *(restricted);
-    if (array_starts_with(path, restricted, npaths) == 0)
-        return 1;
+    if (array_starts_with(path, restricted, npaths) == 0 &&
+        array_starts_with(path, override, opaths) != 0)
+        return 1;
     npaths = sizeof(restricted_rw)/sizeof *(restricted_rw);
     if (!readonly) {
@@ -779,8 +786,16 @@
 }
 static int
-file_iterate_cb(usbDevice *dev ATTRIBUTE_UNUSED,
-                const char *file, void *opaque)
+file_iterate_hostdev_cb(usbDevice *dev ATTRIBUTE_UNUSED,
+                        const char *file, void *opaque)
+{
+    virBufferPtr buf = opaque;
+    return vah_add_file(buf, file, "rw");
+}
+
+static int
+file_iterate_pci_cb(pciDevice *dev ATTRIBUTE_UNUSED,
+                    const char *file, void *opaque)
 {
     virBufferPtr buf = opaque;
     return vah_add_file(buf, file, "rw");
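Review bot: The comment on the new `override` array in valid_path says what it does but not how far it reaches: `array_starts_with` is a prefix check, so every path beginning with "/sys/devices/pci" now passes the `restricted` test, and the hunk at -553 shows the `restricted_rw` check that follows does not consult `override`, so the exemption is limited to the first list only — worth saying so, since this function is what keeps guest-controlled paths out of the profile. Suggest replacing the two comments with `/* prefixes exempted from 'restricted' (not from 'restricted_rw'): sysfs files of PCI hostdevs, as reported by pciDeviceFileIterate, live here and would otherwise be rejected */`. Keep the list to exact sysfs prefixes; anything broader than "/sys/devices/pci" widens what a domain definition can get added to its profile.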
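Review bot: file_iterate_pci_cb grants "rw" on every path the PCI iterator reports, while the comment removed in the later hunk (`/* TODO: update so files in /sys are readonly`) asked for sysfs entries to be read-only; the commit drops that TODO without recording why rw is now acceptable. If the device's sysfs files must be writable for passthrough (presumably the config/resource entries — confirm against pciDeviceFileIterate), state it above the callback, e.g. `/* PCI passthrough needs write access to the device's sysfs files returned by pciDeviceFileIterate, so grant "rw" as for USB hostdevs */`; otherwise the mode should be derived from the path rather than fixed. The two callbacks also have byte-identical bodies and differ only in the unused first parameter's type, so a small shared helper such as `add_rw_file(virBufferPtr buf, const char *file)` would keep the USB and PCI modes from drifting apart.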
@@ -825,7 +840,7 @@
             path = NULL;
             if (ret < 0) {
-                vah_warning("skipping backingStore check (open failed)");
+                vah_warning("could not open path, skipping");
                 continue;
             }
@@ -880,13 +895,13 @@
             if (usb == NULL)
                 continue;
-            rc = usbDeviceFileIterate(usb, file_iterate_cb, &buf);
+            rc = usbDeviceFileIterate(usb, file_iterate_hostdev_cb, &buf);
             usbFreeDevice(usb);
             if (rc != 0)
                 goto clean;
             break;
         }
-/* TODO: update so files in /sys are readonly
+
         case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
             pciDevice *pci = pciGetDevice(
                 dev->source.subsys.u.pci.domain,
@@ -897,12 +912,12 @@
             if (pci == NULL)
                 continue;
-            rc = pciDeviceFileIterate(NULL, pci, file_iterate_cb, &buf);
+            rc = pciDeviceFileIterate(pci, file_iterate_pci_cb, &buf);
             pciFreeDevice(pci);
             break;
         }
-*/
+
         default:
             rc = 0;
             break;
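Review bot: In the PCI case the result of pciDeviceFileIterate is stored in rc but never examined before `break;`, whereas the USB case in the preceding hunk does `if (rc != 0) goto clean;` right after usbFreeDevice. If vah_add_file fails inside file_iterate_pci_cb the error is dropped unless rc is checked after the switch, which is not visible here; a profile silently missing entries is the kind of failure that only shows up as a confined guest misbehaving later. Suggest mirroring the USB case: `pciFreeDevice(pci); if (rc != 0) goto clean; break;`. The enclosing loop and switch begin before and end after this hunk.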