[libvirt] [PATCH 0/2] fix nwfilter when /tmp is mounted noexec

Eric Blake eblake at redhat.com
Wed Nov 9 17:46:46 UTC 2011


https://bugzilla.redhat.com/show_bug.cgi?id=752254 points out that
libvirt cannot support nwfilter on a system with /tmp mounted
noexec (which is a very common setup in security-conscious setups),
all because we were trying to directly invoke a temporary script
instead of invoking a shell to read the script.

I've split this patch into 2 parts, on the off-chance that patch
2 would run afoul of command line length limits (if the total
size of the generated nwfilter commands could possibly cause
E2BIG, then we have to go through a temporary file).  But my
recollection is that modern Linux kernels support unlimited
command-line length (that is, ARG_MAX is not a concern on Linux),
and that nwfilter_ebiptables_driver only compiles on Linux, so
my preference would be to squash these into a single commit, if
others agree that we don't have to worry about length limits.

At any rate, I'm quite impressed at the number of lines of code
I was able to remove in order to fix a bug!

Eric Blake (2):
  nwfilter: avoid failure with noexec /tmp
  nwfilter: simplify execution of ebiptables scripts

 src/nwfilter/nwfilter_ebiptables_driver.c |  134 ++--------------------------
 1 files changed, 10 insertions(+), 124 deletions(-)

-- 
1.7.4.4
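As an added illustration of the fix the cover letter describes (example code written here, not libvirt's own nwfilter_ebiptables_driver.c): the generated script is written to a 0600 temporary file and handed to /bin/sh as an argument, so the file never needs the exec bit and a noexec /tmp is irrelevant; the path prefix is a constructed placeholder.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for mkstemp() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Write `script` to a temporary file and run it by *reading* it through
 * /bin/sh instead of execve()ing the file itself.  mkstemp() creates the
 * file 0600 with no exec bit; on a noexec mount a direct exec would fail
 * with EACCES, while "sh <path>" only needs read access.
 * Returns the script's exit status, or -1 on any failure. */
int run_script_via_shell(const char *script)
{
    char path[] = "/tmp/nwfilter-example-XXXXXX";  /* constructed name */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    size_t left = strlen(script);
    const char *p = script;
    while (left > 0) {                             /* handle short writes */
        ssize_t n = write(fd, p, left);
        if (n < 0) { close(fd); unlink(path); return -1; }
        p += n; left -= (size_t)n;
    }
    close(fd);

    int status = -1;
    pid_t pid = fork();
    if (pid == 0) {
        execl("/bin/sh", "sh", path, (char *)NULL); /* shell reads the file */
        _exit(127);                                 /* exec itself failed */
    } else if (pid > 0 && waitpid(pid, &status, 0) >= 0) {
        status = WIFEXITED(status) ? WEXITSTATUS(status) : -1;
    } else {
        status = -1;
    }
    unlink(path);                                   /* always clean up */
    return status;
}

int main(void)
{
    const char *script = "#!/bin/sh\nx=$((40 + 2))\nexit $x\n";
    printf("script exit status: %d\n", run_script_via_shell(script));
    return 0;
}
```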
