[libvirt] [PATCH] virt-aa-helper: Fix permissions for vhost-user socket files
John Ferlan
jferlan at redhat.com
Fri Jun 19 19:55:36 UTC 2015
On 06/19/2015 03:30 PM, Serge Hallyn wrote:
> Quoting Michal Dubiel (md at semihalf.com):
>> QEMU working in vhost-user mode communicates with the other end (i.e.
>> some virtual router application) via unix domain sockets. This requires
>> that permissions for the socket files are correctly written into
>> /etc/apparmor.d/libvirt/libvirt-UUID.files.
>>
>> Signed-off-by: Michal Dubiel <md at semihalf.com>
>> ---
>> src/security/virt-aa-helper.c | 24 +++++++++++++-----------
>> 1 file changed, 13 insertions(+), 11 deletions(-)
>>
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index 35423b5..a097aa6 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
>> @@ -592,19 +592,9 @@ valid_path(const char *path, const bool readonly)
>>
>> if (!virFileExists(path)) {
>> vah_warning(_("path does not exist, skipping file type checks"));
>> - } else {
>> - if (stat(path, &sb) == -1)
>> + } else if (stat(path, &sb) == -1)
>> return -1;
>
> Hi,
>
> Why keep this bit? sb is not used later in the fn, and you
> already know that access(2) didn't return ENOENT.
>
Besides by changing from :
} else {
if ((x) == -1))
return -1;
to
} else if ((x) == -1) {
return -1;
Everything else inside the else if after the return -1 becomes dead
John
>>
>> - switch (sb.st_mode & S_IFMT) {
>> - case S_IFSOCK:
>> - return 1;
>> - break;
>> - default:
>> - break;
>> - }
>> - }
>> -
>> opaths = sizeof(override)/sizeof(*(override));
>>
>> npaths = sizeof(restricted)/sizeof(*(restricted));
>> @@ -1101,6 +1091,18 @@ get_files(vahControl * ctl)
>> }
>> }
>>
>> + for (i = 0; i < ctl->def->nnets; i++) {
>> + if (ctl->def->nets[i] &&
>> + ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
>> + ctl->def->nets[i]->data.vhostuser) {
>> + virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
>> +
>> + if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
>> + vhu->type) != 0)
>> + goto cleanup;
>> + }
>> + }
>> +
>> if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
>> for (i = 0; i < ctl->def->nnets; i++) {
>> virDomainNetDefPtr net = ctl->def->nets[i];
>> --
>> 1.9.1
>>
>> --
>> libvir-list mailing list
>> libvir-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/libvir-list
>
> --
> libvir-list mailing list
> libvir-list at redhat.com
> https://www.redhat.com/mailman/listinfo/libvir-list
>
More information about the libvir-list
mailing list