[libvirt] [PATCH v3 1/2] security: also parse user/group names instead of just IDs for DAC labels

Marcelo Cerri mhcerri at linux.vnet.ibm.com
Tue Oct 2 17:57:36 UTC 2012


The DAC driver is missing parsing of group and user names for DAC labels
and currently just parses uid and gid. This patch extends it to support
names, so the following security label definition is now valid:

  <seclabel type='static' model='dac' relabel='yes'>
      <label>qemu:qemu</label>
      <imagelabel>qemu:qemu</imagelabel>
  </seclabel>

When it tries to parse an owner or a group, it first tries to resolve it as
a name, if it fails or it's an invalid user/group name then it tries to
parse it as an UID or GID. A leading '+' can also be used for both owner and
group to force it to be parsed as IDs, so the following example is also
valid:

  <seclabel type='static' model='dac' relabel='yes'>
      <label>+101:+101</label>
      <imagelabel>+101:+101</imagelabel>
  </seclabel>

This ensures that UID 101 and GUI 101 will be used instead of an user or
group named "101".
---
 src/security/security_dac.c | 92 ++++++++++++++++++++++++++++++++++-----------
 1 file changed, 70 insertions(+), 22 deletions(-)

diff --git a/src/security/security_dac.c b/src/security/security_dac.c
index 0fa66ce..bb2c6be 100644
--- a/src/security/security_dac.c
+++ b/src/security/security_dac.c
@@ -68,26 +68,79 @@ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
 static
 int parseIds(const char *label, uid_t *uidPtr, gid_t *gidPtr)
 {
+    int rc = -1;
     unsigned int theuid;
     unsigned int thegid;
-    char *endptr = NULL;
+    char *tmp_label = NULL;
+    char *sep = NULL;
+    char *owner = NULL;
+    char *group = NULL;
 
-    if (label == NULL)
-        return -1;
+    tmp_label = strdup(label);
+    if (tmp_label == NULL) {
+        virReportOOMError();
+        goto cleanup;
+    }
+
+    /* Split label */
+    sep = strchr(tmp_label, ':');
+    if (sep == NULL) {
+        virReportError(VIR_ERR_INVALID_ARG,
+                       _("Missing separator ':' in DAC label \"%s\""),
+                       label);
+        goto cleanup;
+    }
+    *sep = '\0';
+    owner = tmp_label;
+    group = sep + 1;
 
-    if (virStrToLong_ui(label, &endptr, 10, &theuid) ||
-        endptr == NULL || *endptr != ':') {
-        return -1;
+    /* Parse owner */
+    if (*owner == '+') {
+        if (virStrToLong_ui(++owner, NULL, 10, &theuid) < 0) {
+            virReportError(VIR_ERR_INVALID_ARG,
+                           _("Invalid uid \"%s\" in DAC label \"%s\""),
+                           owner, label);
+            goto cleanup;
+        }
+    } else {
+        if (virGetUserID(owner, &theuid) < 0 &&
+            virStrToLong_ui(owner, NULL, 10, &theuid) < 0) {
+            virReportError(VIR_ERR_INVALID_ARG,
+                           _("Invalid owner \"%s\" in DAC label \"%s\""),
+                           owner, label);
+            goto cleanup;
+        }
     }
 
-    if (virStrToLong_ui(endptr + 1, NULL, 10, &thegid))
-        return -1;
+    /* Parse group */
+    if (*group == '+') {
+        if (virStrToLong_ui(++group, NULL, 10, &thegid) < 0) {
+            virReportError(VIR_ERR_INVALID_ARG,
+                           _("Invalid gid \"%s\" in DAC label \"%s\""),
+                           group, label);
+            goto cleanup;
+        }
+    } else {
+        if (virGetGroupID(group, &thegid) < 0 &&
+            virStrToLong_ui(group, NULL, 10, &thegid) < 0) {
+            virReportError(VIR_ERR_INVALID_ARG,
+                           _("Invalid group \"%s\" in DAC label \"%s\""),
+                           group, label);
+            goto cleanup;
+        }
+    }
 
     if (uidPtr)
         *uidPtr = theuid;
     if (gidPtr)
         *gidPtr = thegid;
-    return 0;
+
+    rc = 0;
+
+cleanup:
+    VIR_FREE(tmp_label);
+
+    return rc;
 }
 
 /* returns 1 if label isn't found, 0 on success, -1 on error */
@@ -103,16 +156,14 @@ int virSecurityDACParseIds(virDomainDefPtr def, uid_t *uidPtr, gid_t *gidPtr)
 
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
     if (seclabel == NULL || seclabel->label == NULL) {
-        VIR_DEBUG("DAC seclabel for domain '%s' wasn't found", def->name);
+        virReportError(VIR_ERR_INVALID_ARG,
+                       _("DAC seclabel for domain '%s' wasn't found"),
+                       def->name);
         return 1;
     }
 
-    if (seclabel->label && parseIds(seclabel->label, &uid, &gid)) {
-       virReportError(VIR_ERR_INVALID_ARG,
-                       _("failed to parse DAC seclabel '%s' for domain '%s'"),
-                       seclabel->label, def->name);
+    if (parseIds(seclabel->label, &uid, &gid) < 0)
         return -1;
-    }
 
     if (uidPtr)
         *uidPtr = uid;
@@ -168,17 +219,14 @@ int virSecurityDACParseImageIds(virDomainDefPtr def,
 
     seclabel = virDomainDefGetSecurityLabelDef(def, SECURITY_DAC_NAME);
     if (seclabel == NULL || seclabel->imagelabel == NULL) {
-        VIR_DEBUG("DAC imagelabel for domain '%s' wasn't found", def->name);
+        virReportError(VIR_ERR_INVALID_ARG,
+                       _("DAC imagelabel for domain '%s' wasn't found"),
+                       def->name);
         return 1;
     }
 
-    if (seclabel->imagelabel
-        && parseIds(seclabel->imagelabel, &uid, &gid)) {
-       virReportError(VIR_ERR_INVALID_ARG,
-                       _("failed to parse DAC imagelabel '%s' for domain '%s'"),
-                       seclabel->imagelabel, def->name);
+    if (parseIds(seclabel->imagelabel, &uid, &gid) < 0)
         return -1;
-    }
 
     if (uidPtr)
         *uidPtr = uid;
-- 
1.7.12




More information about the libvir-list mailing list