[libvirt] [PATCH v2 4/4] conf: Don't allow multiple seclabels for same model

Ján Tomko jtomko at redhat.com
Thu Jul 10 16:16:28 UTC 2014


On 07/10/2014 04:04 PM, Michal Privoznik wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1066894
> 
> With current code it's possible to have for instance:
> 
> virsh dumpxml mydomain | grep seclabel
>   <seclabel type='dynamic' model='selinux' relabel='yes'/>
>   <seclabel type='dynamic' model='selinux' relabel='yes'/>
>   <seclabel type='dynamic' model='selinux' relabel='yes'/>
>   <seclabel type='dynamic' model='selinux' relabel='yes'/>
>   <seclabel type='dynamic' model='selinux' relabel='yes'/>
> 
> what doesn't make any sense. We should reject the XML in the config

s/what/which/

> parsing phase.
> 
> Signed-off-by: Michal Privoznik <mprivozn at redhat.com>
> ---
>  src/conf/domain_conf.c                             | 18 ++++++++--
>  .../qemuxml2argv-seclabel-multiple.xml             | 40 ++++++++++++++++++++++
>  tests/qemuxml2argvtest.c                           |  1 +
>  3 files changed, 56 insertions(+), 3 deletions(-)
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-multiple.xml
> 

> @@ -4689,10 +4689,22 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def,
>  
>      /* Parse each "seclabel" tag */
>      for (i = 0; i < n; i++) {
> +        virSecurityLabelDefPtr seclabel;
> +
>          ctxt->node = list[i];
> -        def->seclabels[i] = virSecurityLabelDefParseXML(ctxt, flags);
> -        if (def->seclabels[i] == NULL)
> +        if (!(seclabel = virSecurityLabelDefParseXML(ctxt, flags)))
>              goto error;
> +
> +        for (j = 0; j < i; j++) {
> +            if (STREQ_NULLABLE(seclabel->model, def->seclabels[j]->model)) {
> +                virReportError(VIR_ERR_XML_DETAIL,
> +                               _("seclablel for model %s is already provided"),
> +                               seclabel->model);

virSecurityLabelDefFree(seclabel);

> +                goto error;
> +            }
> +        }
> +
> +        def->seclabels[i] = seclabel;
>      }
>      def->nseclabels = n;
>      ctxt->node = saved_node;

ACK with the leak fixed.

Jan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140710/e13756bc/attachment-0001.sig>


More information about the libvir-list mailing list