We've already scrubbed for comparisons of 'uid_t == -1' (which fail on platforms where uid_t is a u16), but another one snuck in. * src/util/virutil.c (virSetUIDGIDWithCaps): Correct uid comparison. * cfg.mk (sc_prohibit_risky_id_promotion): New rule.
---
 cfg.mk | 6 ++++++
 src/util/virutil.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/cfg.mk b/cfg.mk
index b95a90b..394521e 100644
--- a/cfg.mk
+++ b/cfg.mk
@@ -389,6 +389,12 @@ sc_prohibit_setuid:
 halt='use virSetUIDGID, not raw set*id' \
 $(_sc_search_regexp)
 
+# Don't compare *id_t against raw -1.
+sc_prohibit_risky_id_promotion:
+ @prohibit='\b(user|group|[ug]id) *[=!]= *-' \
+ halt='cast -1 to ([ug]id_t) before comparing against id' \
+ $(_sc_search_regexp)
+
 # Use snprintf rather than s'printf, even if buffer is provably large enough,
 # since gnulib has more guarantees for snprintf portability
 sc_prohibit_sprintf:
diff --git a/src/util/virutil.c b/src/util/virutil.c
index a0d1530..42b4295 100644
--- a/src/util/virutil.c
+++ b/src/util/virutil.c
@@ -3011,7 +3011,7 @@ virSetUIDGIDWithCaps(uid_t uid, gid_t gid, unsigned long long capBits,
 * change the capabilities bounding set.
 */
 
- if (clearExistingCaps || (uid != -1 && uid != 0))
+ if (clearExistingCaps || (uid != (uid_t)-1 && uid != 0))
 capng_clear(CAPNG_SELECT_BOTH);
 
 for (ii = 0; ii <= CAP_LAST_CAP; ii++) {
--
1.8.1.4
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
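Review bot: The `prohibit` pattern in `sc_prohibit_risky_id_promotion` only fires when the identifier is on the left of the operator and begins at a word boundary with `user`, `group`, `uid` or `gid`, so spellings such as `-1 == uid`, `st_uid != -1` or `newuid == -1` would pass the check even though they have the same promotion problem. The comment above the rule reads as if every raw `-1` comparison is covered; it should state the limit, for example `# Heuristic: only catches 'NAME ==/!= -...' where NAME starts with user, group, uid or gid.` Widening the left side to something like `\b\w*(user|group|[ug]id)` would catch prefixed names, but that needs a run over the tree first to see how many false positives it produces.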
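Review bot: The corrected condition in `virSetUIDGIDWithCaps` carries no comment saying why the cast is needed, and it is the test that decides whether `capng_clear(CAPNG_SELECT_BOTH)` runs. Without the cast the comparison is always true for a `uid_t` narrower than int, so the capability state would be cleared even when the caller passes the `-1` sentinel (which presumably means "leave the uid unchanged"). A one-line comment above the `if` would keep that visible, e.g. `/* (uid_t)-1: a bare -1 never compares equal to a uid_t narrower than int */`. The function body starts and ends outside this hunk, so whether `gid` is compared against a raw `-1` elsewhere in it cannot be checked from here.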