[libvirt] [PATCH] virt-aa-helper: Fix permissions for vhost-user socket files

Serge Hallyn serge.hallyn at ubuntu.com
Fri Jun 19 19:30:18 UTC 2015


Quoting Michal Dubiel (md at semihalf.com):
> QEMU working in vhost-user mode communicates with the other end (i.e.
> some virtual router application) via unix domain sockets. This requires
> that permissions for the socket files are correctly written into
> /etc/apparmor.d/libvirt/libvirt-UUID.files.
> 
> Signed-off-by: Michal Dubiel <md at semihalf.com>
> ---
>  src/security/virt-aa-helper.c | 24 +++++++++++++-----------
>  1 file changed, 13 insertions(+), 11 deletions(-)
> 
> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
> index 35423b5..a097aa6 100644
> --- a/src/security/virt-aa-helper.c
> +++ b/src/security/virt-aa-helper.c
> @@ -592,19 +592,9 @@ valid_path(const char *path, const bool readonly)
>  
>      if (!virFileExists(path)) {
>          vah_warning(_("path does not exist, skipping file type checks"));
> -    } else {
> -        if (stat(path, &sb) == -1)
> +    } else if (stat(path, &sb) == -1)
>              return -1;

Hi,

Why keep this bit?  sb is not used later in the fn, and you
already know that access(2) didn't return ENOENT.

>  
> -        switch (sb.st_mode & S_IFMT) {
> -            case S_IFSOCK:
> -                return 1;
> -                break;
> -            default:
> -                break;
> -        }
> -    }
> -
>      opaths = sizeof(override)/sizeof(*(override));
>  
>      npaths = sizeof(restricted)/sizeof(*(restricted));
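Review bot: dropping the `case S_IFSOCK: return 1;` branch widens the policy for every caller of valid_path(), not just the vhost-user paths the commit message is about: any socket path passed in is now judged solely by the override/restricted checks that follow. If only vhost-user sockets should be admitted, keep the S_IFSOCK rejection and let the vhost-user caller bypass or flag it; otherwise the commit message should say that socket files are now accepted in general. Separately, the surviving `} else if (stat(path, &sb) == -1) return -1;` only repeats the existence test virFileExists() has just made and leaves `sb` otherwise unread; remove it together with the `sb` declaration. The unchanged `return -1;` context line is also now indented one level deeper than the else-if body it belongs to.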
> @@ -1101,6 +1091,18 @@ get_files(vahControl * ctl)
>          }
>      }
>  
> +    for (i = 0; i < ctl->def->nnets; i++) {
> +        if (ctl->def->nets[i] &&
> +                ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
> +                ctl->def->nets[i]->data.vhostuser) {
> +            virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
> +
> +            if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
> +                       vhu->type) != 0)
> +                goto cleanup;
> +        }
> +    }
> +
>      if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>          for (i = 0; i < ctl->def->nnets; i++) {
>              virDomainNetDefPtr net = ctl->def->nets[i];
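Review bot: `vhu->data.nix.path` is fetched out of the chardev source union before anything in the loop confirms that `vhu->type` is the unix variant; vah_add_file_chardev() is handed the type only after the pointer has already been read. Guard the block with `vhu->type == VIR_DOMAIN_CHR_TYPE_UNIX` (or fail with an error for anything else) so a non-unix source cannot pass an unrelated union member through as a path. Style-wise, the two continuation lines of the `if` condition are indented to 16 spaces instead of being aligned with the first operand after the opening parenthesis.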
> -- 
> 1.9.1
> 
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
