On a Monday in 2023, Michal Privoznik wrote:
We allow (some) domain devices to have a different <seclabel/> than the top level domain one (this is mostly to allow access to a resource for multiple domains). Now, we do a couple of sanity checks for such <seclabel/>, e.g. when the <label/> is specified, but '@relabel' is set to no. But what we are missing is the opposite: then '@relabel' is set, but no <label/> was provided.
s/then/if/?
Our schema already denies such a combination. Make our parser behave the same.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2160356
Signed-off-by: Michal Privoznik <mprivozn@xxxxxxxxxx>
---
 src/conf/domain_conf.c                             | 14 +++++++-
 .../seclabel-device-relabel-invalid.err            |  1 +
 .../seclabel-device-relabel-invalid.xml            | 35 +++++++++++++++++++
 tests/qemuxml2argvtest.c                           |  1 +
 4 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 tests/qemuxml2argvdata/seclabel-device-relabel-invalid.err
 create mode 100644 tests/qemuxml2argvdata/seclabel-device-relabel-invalid.xml
Reviewed-by: Ján Tomko <jtomko@xxxxxxxxxx>

Jano
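An added example, not part of the patch or of libvirt: a pre-flight check that scans a domain XML for the two inconsistent device `<seclabel/>` combinations named in the commit message. The sample XML is constructed, `check_device_seclabels` is a hypothetical helper, and reading "set" as `relabel='yes'` is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not the patch's test file); labels are placeholders.
SAMPLE_DOMAIN_XML = """
<domain type='qemu'>
  <seclabel type='dynamic' model='selinux'/>
  <devices>
    <disk type='file' device='disk'>
      <source file='/images/a.img'>
        <seclabel model='selinux' relabel='yes'/>
      </source>
    </disk>
    <disk type='file' device='disk'>
      <source file='/images/b.img'>
        <seclabel model='selinux' relabel='no'>
          <label>example_u:object_r:example_t:s0</label>
        </seclabel>
      </source>
    </disk>
    <disk type='file' device='disk'>
      <source file='/images/c.img'>
        <seclabel model='selinux' relabel='yes'>
          <label>example_u:object_r:example_t:s0</label>
        </seclabel>
      </source>
    </disk>
  </devices>
</domain>
"""

RELABEL_WITHOUT_LABEL = "relabel set but no <label> provided"
LABEL_WITH_RELABEL_NO = "<label> specified but relabel set to no"

def check_device_seclabels(domain_xml):
    """Return (device tag, seclabel model, problem) for each bad device seclabel."""
    findings = []
    # Only <seclabel> elements below <devices>; the top-level one is skipped.
    for dev in ET.fromstring(domain_xml).findall("./devices/*"):
        for sl in dev.iter("seclabel"):
            has_label = bool((sl.findtext("label") or "").strip())
            relabel = sl.get("relabel")
            # Assumption: "set" in the commit message is read as relabel='yes'.
            if relabel == "yes" and not has_label:
                findings.append((dev.tag, sl.get("model"), RELABEL_WITHOUT_LABEL))
            elif relabel == "no" and has_label:
                findings.append((dev.tag, sl.get("model"), LABEL_WITH_RELABEL_NO))
    return findings
```

Run it only on domain XML from a trusted source, since `xml.etree.ElementTree` is not hardened against maliciously constructed input.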