[libvirt] [PATCH v3 1/2] security: also parse user/group names instead of just IDs for DAC labels
Eric Blake
eblake at redhat.com
Thu Oct 4 23:46:31 UTC 2012
On 10/02/2012 11:57 AM, Marcelo Cerri wrote:
> The DAC driver is missing parsing of group and user names for DAC labels
> and currently just parses uid and gid. This patch extends it to support
> names, so the following security label definition is now valid:
>
> <seclabel type='static' model='dac' relabel='yes'>
> <label>qemu:qemu</label>
> <imagelabel>qemu:qemu</imagelabel>
> </seclabel>
>
> When it tries to parse an owner or a group, it first tries to resolve it as
> a name; if it fails or it's an invalid user/group name, then it tries to
> parse it as a UID or GID. A leading '+' can also be used for both owner and
> group to force it to be parsed as IDs, so the following example is also
> valid:
>
> <seclabel type='static' model='dac' relabel='yes'>
> <label>+101:+101</label>
> <imagelabel>+101:+101</imagelabel>
> </seclabel>
>
Yuck. With this patch, I'm seeing lots of ugly error messages in the log:

2012-10-04 22:59:52.584+0000: 9225: error : virGetUserID:2535 : Failed to find user record for name '0': Success

I think the correct fix is to move this logic...
> + /* Parse owner */
> + if (*owner == '+') {
> + if (virStrToLong_ui(++owner, NULL, 10, &theuid) < 0) {
> + virReportError(VIR_ERR_INVALID_ARG,
> + _("Invalid uid \"%s\" in DAC label \"%s\""),
> + owner, label);
> + goto cleanup;
> + }
> + } else {
> + if (virGetUserID(owner, &theuid) < 0 &&
> + virStrToLong_ui(owner, NULL, 10, &theuid) < 0) {
> + virReportError(VIR_ERR_INVALID_ARG,
> + _("Invalid owner \"%s\" in DAC label \"%s\""),
> + owner, label);
> + goto cleanup;
> + }
> }
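Review bot: In the else branch, `virGetUserID(owner, &theuid) < 0 && virStrToLong_ui(owner, NULL, 10, &theuid) < 0` runs the name lookup first for every owner that has no leading '+', so a plain numeric owner is only accepted after a failed lookup, and the log line quoted in this reply shows virGetUserID reporting that failure (name '0', errno text "Success") even though the label is then accepted. Suggest making the not-found case silent and distinct from a real lookup error, so that only the final `Invalid owner` report fires when both the name lookup and the numeric parse fail. A comment here should also state that a user whose name is all digits takes precedence over the UID of the same value unless '+' is used, since that decides which owner the label resolves to.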
...out of security_dac.c and into src/util/util.c:virGetUserID(), so
that we are consistently parsing in this manner for ALL places where we
convert a string into a user id, and also so that virGetUserID will quit
logging such a bogus error message when it fails to find a given id
string that happens to be a valid number.
Likewise for virGetGroupID.
--
Eric Blake eblake at redhat.com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
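An added example, not part of this thread and not libvirt code, showing the lookup order from the patch description placed in a single helper as the reply suggests: a leading '+' forces a numeric ID, otherwise the name is tried first and a failed lookup falls through silently to numeric parsing. `resolve_user` and `parse_id` are hypothetical names, the sample strings are constructed, and rejecting `(uid_t)-1` is an extra assumption not discussed in the thread.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

/* Strict decimal parse: digits only, no sign, no whitespace, no trailing junk. */
static int parse_id(const char *s, uid_t *out)
{
    char *end = NULL;
    unsigned long v;
    if (*s < '0' || *s > '9')
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || *end != '\0' || (unsigned long)(uid_t)v != v)
        return -1;
    if ((uid_t)v == (uid_t)-1)   /* assumption: chown() reads -1 as "leave unchanged" */
        return -1;
    *out = (uid_t)v;
    return 0;
}

/* Hypothetical helper (not libvirt's virGetUserID).
 * "+N" is numeric only; otherwise name first, then numeric fallback.
 * Returns 0 on success, -1 if s is neither a known user nor a valid ID. */
int resolve_user(const char *s, uid_t *uid)
{
    struct passwd pw, *res = NULL;
    char buf[4096];   /* assumed large enough for one passwd entry */
    if (*s == '+')
        return parse_id(s + 1, uid);
    if (getpwnam_r(s, &pw, buf, sizeof(buf), &res) == 0 && res != NULL) {
        *uid = res->pw_uid;
        return 0;
    }
    /* Name not found is an ordinary outcome: log nothing here, the caller reports once. */
    return parse_id(s, uid);
}

int main(void)
{
    const char *samples[] = { "root", "0", "+101", "+qemu", "101x" };  /* constructed */
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uid_t uid = 0;
        int rc = resolve_user(samples[i], &uid);
        printf("%-6s -> rc=%d uid=%lu\n", samples[i], rc, (unsigned long)uid);
    }
}
```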