On 10/02/2012 11:57 AM, Marcelo Cerri wrote: > The DAC driver is missing parsing of group and user names for DAC labels > and currently just parses uid and gid. This patch extends it to support > names, so the following security label definition is now valid: > > <seclabel type='static' model='dac' relabel='yes'> > <label>qemu:qemu</label> > <imagelabel>qemu:qemu</imagelabel> > </seclabel> > > When it tries to parse an owner or a group, it first tries to resolve it as > a name, if it fails or it's an invalid user/group name then it tries to > parse it as an UID or GID. A leading '+' can also be used for both owner and > group to force it to be parsed as IDs, so the following example is also > valid: > > <seclabel type='static' model='dac' relabel='yes'> > <label>+101:+101</label> > <imagelabel>+101:+101</imagelabel> > </seclabel> > Yuck. With this patch, I'm seeing lots of ugly error messages in the log: 2012-10-04 22:59:52.584+0000: 9225: error : virGetUserID:2535 : Failed to find user record for name '0': Success I think the correct fix is to move this logic... > + /* Parse owner */ > + if (*owner == '+') { > + if (virStrToLong_ui(++owner, NULL, 10, &theuid) < 0) { > + virReportError(VIR_ERR_INVALID_ARG, > + _("Invalid uid \"%s\" in DAC label \"%s\""), > + owner, label); > + goto cleanup; > + } > + } else { > + if (virGetUserID(owner, &theuid) < 0 && > + virStrToLong_ui(owner, NULL, 10, &theuid) < 0) { > + virReportError(VIR_ERR_INVALID_ARG, > + _("Invalid owner \"%s\" in DAC label \"%s\""), > + owner, label); > + goto cleanup; > + } > } ...out of security_dac.c and into src/util/util.c:virGetUserID(), so that we are consistently parsing in this manner for ALL places where we convert a string into a user id, and also so that virGetUserID will quit logging such a bogus error message when it fails to find a given id string that happens to be a valid number. Likewise for virGetGroupID. -- Eric Blake eblake@xxxxxxxxxx +1-919-301-3266 Libvirt virtualization library http://libvirt.org
Attachment:
signature.asc
Description: OpenPGP digital signature
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list