[libvirt] [PATCH v2 4/4] conf: Don't allow multiple seclabels for same model
Ján Tomko
jtomko at redhat.com
Thu Jul 10 16:16:28 UTC 2014
On 07/10/2014 04:04 PM, Michal Privoznik wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1066894
>
> With current code it's possible to have for instance:
>
> virsh dumpxml mydomain | grep seclabel
> <seclabel type='dynamic' model='selinux' relabel='yes'/>
> <seclabel type='dynamic' model='selinux' relabel='yes'/>
> <seclabel type='dynamic' model='selinux' relabel='yes'/>
> <seclabel type='dynamic' model='selinux' relabel='yes'/>
> <seclabel type='dynamic' model='selinux' relabel='yes'/>
>
> what doesn't make any sense. We should reject the XML in the config
s/what/which/
> parsing phase.
>
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
> src/conf/domain_conf.c | 18 ++++++++--
> .../qemuxml2argv-seclabel-multiple.xml | 40 ++++++++++++++++++++++
> tests/qemuxml2argvtest.c | 1 +
> 3 files changed, 56 insertions(+), 3 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-multiple.xml
>
> @@ -4689,10 +4689,22 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def,
>
> /* Parse each "seclabel" tag */
> for (i = 0; i < n; i++) {
> + virSecurityLabelDefPtr seclabel;
> +
> ctxt->node = list[i];
> - def->seclabels[i] = virSecurityLabelDefParseXML(ctxt, flags);
> - if (def->seclabels[i] == NULL)
> + if (!(seclabel = virSecurityLabelDefParseXML(ctxt, flags)))
> goto error;
> +
> + for (j = 0; j < i; j++) {
> + if (STREQ_NULLABLE(seclabel->model, def->seclabels[j]->model)) {
> + virReportError(VIR_ERR_XML_DETAIL,
> + _("seclablel for model %s is already provided"),
> + seclabel->model);
virSecurityLabelDefFree(seclabel);
> + goto error;
> + }
> + }
> +
> + def->seclabels[i] = seclabel;
> }
> def->nseclabels = n;
> ctxt->node = saved_node;
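Review bot: in the duplicate-model branch, the string passed to virReportError misspells "seclabel" as "seclablel", and because STREQ_NULLABLE also matches when both models are NULL, seclabel->model can be NULL when it is formatted with %s. Fix the spelling and pass NULLSTR(seclabel->model), or report a distinct message for the missing-model case. Note also that the newly parsed seclabel is only stored in def->seclabels[i] after the inner loop, so the goto error inside that loop leaves it unreferenced unless it is freed first.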
ACK with the leak fixed.
Jan