[libvirt] [PATCH 2/5] virt-aa-helper: /etc/libvirt-sandbox/services isn't restricted
Martin Kletzander
mkletzan at redhat.com
Tue Nov 25 07:05:46 UTC 2014
On Mon, Nov 24, 2014 at 09:54:43PM +0100, Cédric Bosdonnat wrote:
>To get virt-sandbox-service working with AppArmor, virt-aa-helper
>needs not to choke on path in /etc/libvirt-sandbox/services.
>---
> src/security/virt-aa-helper.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
>diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>index 81f9f40..9c9e570 100644
>--- a/src/security/virt-aa-helper.c
>+++ b/src/security/virt-aa-helper.c
>@@ -608,8 +608,12 @@ valid_path(const char *path, const bool readonly)
>
> npaths = sizeof(restricted)/sizeof(*(restricted));
> if (array_starts_with(path, restricted, npaths) == 0 &&
>- array_starts_with(path, override, opaths) != 0)
>- return 1;
>+ array_starts_with(path, override, opaths) != 0) {
>+
>+ /* We want to have virt-sandbox services config allowed */
>+ if (!STRPREFIX(path, "/etc/libvirt-sandbox/services/"))
>+ return 1;
>+ }
>
Isn't this what override[] is there for? It'd be way easier to read
if it's just added there.
> npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
> if (!readonly) {
>--
>2.1.2
>
>--
>libvir-list mailing list
>libvir-list at redhat.com
>https://www.redhat.com/mailman/listinfo/libvir-list
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20141125/07bf1283/attachment-0001.sig>
More information about the libvir-list
mailing list