On Fri, Mar 15, 2013 at 03:12:03PM +0100, Michal Privoznik wrote:
> static int
> +virSecurityDACSetOwnership(const char *path, uid_t uid, gid_t gid)
> +{
> + int refCount = 0;
> + bool xattrSupported = true;
> +
> + VIR_INFO("Setting DAC user and group on '%s' to '%ld:%ld'",
> + path, (long) uid, (long) gid);
> +
> + if (virSecurityDACGetXATTRRefcount(path, &refCount) < 0) {
> + if (errno != ENOSYS && errno != ENOTSUP)
> + return -1;

It is unsafe to check errno. You must use the virErrorPtr only, and if you decide to ignore the error, you should also call virResetLastError() to clear it.

> + xattrSupported = false;
> + }
> +
> + if (refCount || virSecurityDACSetACL(path, uid) == 0) {
> + if (xattrSupported &&
> + virSecurityDACSetXATTRRefcount(path, refCount + 1) < 0) {
> + /* Clear out oldACL XATTR */
> + return -1;
> + }
> + return 0;
> + }
> +
> + /* Setting ACL failed. If the cause is libvirt was build without ACL
> + * support, or filesystem does not support ACLs fall back to chown */
> + if (errno != ENOSYS && errno != ENOTSUP)
> + return -1;
> +
> + VIR_DEBUG("Falling back to chown");
> + if (xattrSupported && virSecurityDACRememberLabel(path) < 0)
> + return -1;
> +
> + if (virSecurityDACChown(path, uid, gid) < 0 ||
> + (xattrSupported &&
> + virSecurityDACSetXATTRRefcount(path, refCount + 1) < 0)) {
> + /* XXX Clear our oldOwner XATTR */
> + return -1;
> + }
> + return 0;
> +}

Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
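Review bot: When `refCount` is non-zero, `if (refCount || virSecurityDACSetACL(path, uid) == 0)` skips both the ACL and the chown path, so the requested `uid`/`gid` are never compared with what the earlier caller applied; a second user of the same path with a different owner gets a success return and only a bumped counter. Either check the current owner/ACL against `uid` before taking the shortcut, or document the assumption, e.g. `/* refCount > 0: path already labelled by an earlier caller; uid/gid are assumed to match and are not re-applied */`. The counter is also read and then written back as `refCount + 1` in two separate calls, and no lock around that read-modify-write is visible in the quoted lines; if the caller holds none, concurrent calls can lose an increment and the original label could be restored while the path is still in use. The helpers `virSecurityDACGetXATTRRefcount` and `virSecurityDACSetXATTRRefcount` are outside the quoted hunk, so whether the stored value is range-checked before the `+ 1` cannot be seen here.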