[libvirt] [PATCH] Disable nwfilterDefineXML for unprivileged libvirtd
Daniel P. Berrange
berrange at redhat.com
Tue Nov 12 12:07:21 UTC 2013
On Tue, Nov 12, 2013 at 12:41:52PM +0100, Ján Tomko wrote:
> Fail in a more friendly way than:
> error: cannot create config directory (null): Bad address
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1029266
> ---
> src/nwfilter/nwfilter_driver.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
> index 6602d73..c3ff4fe 100644
> --- a/src/nwfilter/nwfilter_driver.c
> +++ b/src/nwfilter/nwfilter_driver.c
> @@ -551,13 +551,20 @@ nwfilterDefineXML(virConnectPtr conn,
> const char *xml)
> {
> virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
> - virNWFilterDefPtr def;
> + virNWFilterDefPtr def = NULL;
> virNWFilterObjPtr nwfilter = NULL;
> virNWFilterPtr ret = NULL;
>
> nwfilterDriverLock(driver);
> virNWFilterCallbackDriversLock();
>
> + if (!driver->privileged) {
> + virReportError(VIR_ERR_OPERATION_UNSUPPORTED,
> + _("network filters are only available when libvirtd "
> + "runs as root"));
> + goto cleanup;
> + }
> +
> if (!(def = virNWFilterDefParseString(xml)))
> goto cleanup;
This is wrong. The nwfilter driver's global init method should abort
if not running privileged, and then its 'open' method should decline
any attempt to open it. The result should be that the callbacks are
never registered with the connection object.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list