[libvirt] [PATCH] security: also parse user/group names instead of just IDs for DAC labels

Thu Sep 20 12:53:52 UTC 2012

On 09/19/12 23:32, Marcelo Cerri wrote:
> The DAC driver is missing parsing of group and user names for DAC labels
> and currently just parses uid and gid. This patch extends it to support
> names, so the following security label definition is now valid:
>
>    <seclabel type='static' model='dac' relabel='yes'>
>        <label>qemu:qemu</label>
>        <imagelabel>qemu:qemu</imagelabel>
>    </seclabel>
> ---
>   src/security/security_dac.c | 49 ++++++++++++++++++++++++++++++++++++---------
>   1 file changed, 40 insertions(+), 9 deletions(-)
>
> diff --git a/src/security/security_dac.c b/src/security/security_dac.c
> index be65d6e..7e11e31 100644
> --- a/src/security/security_dac.c
> +++ b/src/security/security_dac.c
> @@ -66,28 +66,59 @@ void virSecurityDACSetDynamicOwnership(virSecurityManagerPtr mgr,
>   }
>
>   static
> +int parseId(const char *str, unsigned int *id)
> +{
> +    char *endptr = NULL;
> +
> +    if (str == NULL || id == NULL)
> +        return -1;
> +
> +    if (virStrToLong_ui(str, &endptr, 10, id) || endptr != NULL)

After successful parse "endptr" will point to the '\0' byte at the end 
of the string always thiggering this condition. Call virStrToLong_ui 
with NULL instead of endptr and the wrapper will do the expected thing.

> +        return -1;
> +
> +    return 0;
> +}
> +
> +static
>   int parseIds(const char *label, uid_t *uidPtr, gid_t *gidPtr)
>   {
> +    int rc = -1;
>       unsigned int theuid;
>       unsigned int thegid;
> -    char *endptr = NULL;
> +    char *sep = NULL;
> +    char *tmp_label = NULL;
>
>       if (label == NULL)
> -        return -1;
> +        goto done;
>
> -    if (virStrToLong_ui(label, &endptr, 10, &theuid) ||
> -        endptr == NULL || *endptr != ':') {
> -        return -1;
> -    }
> +    tmp_label = strdup(label);
> +    if (tmp_label == NULL)

You need to raise an OOM error with virReportOOMError() here even if 
it's masked by the upper layer. This error gets recorded to the logs and 
might help debugging.

I'm thinking if it's worth reporting other errors in this function as 
they get masked. They might be useful for debugging purposes even if 
they don't get propagated to the user.

> +        goto done;
>
> -    if (virStrToLong_ui(endptr + 1, NULL, 10, &thegid))
> -        return -1;
> +    sep = strchr(tmp_label, ':');
> +    if (sep == NULL)
> +        goto done;
> +    *sep = '\0';
> +
> +    if (virGetUserID(tmp_label, &theuid) < 0 &&
> +        parseId(tmp_label, &theuid) < 0)
> +        goto done;
> +
> +    if (virGetGroupID(sep + 1, &thegid) < 0 &&
> +        parseId(sep + 1, &thegid) < 0)
> +        goto done;
>
>       if (uidPtr)
>           *uidPtr = theuid;
>       if (gidPtr)
>           *gidPtr = thegid;
> -    return 0;
> +
> +    rc = 0;
> +
> +done:

I'd rename this label to "cleanup" for consistency with other libvirt code.

> +    VIR_FREE(tmp_label);
> +
> +    return rc;
>   }
>
>   /* returns 1 if label isn't found, 0 on success, -1 on error */
>

Peter