[libvirt] [PATCH v4 08/12] driver.c: change URI validation to handle QEMU and vbox case
Daniel Henrique Barboza
danielhb413 at gmail.com
Thu Sep 26 14:56:43 UTC 2019
The existing QEMU and vbox URI path validation consider
that a privileged user can use both a "/system" and a
"/session" URI. This differs from all the other drivers
that forbids the root user to use "/session" URI.
Let's update virConnectValidateURIPath() to handle these
cases as exceptions, using the already existent 'entityName'
value to handle "QEMU" and "vbox" differently. This allows
us to use the validateURI function in these cases without
changing the existing behavior of other drivers.
Suggested-by: Cole Robinson <crobinso at redhat.com>
Signed-off-by: Daniel Henrique Barboza <danielhb413 at gmail.com>
---
src/driver.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/src/driver.c b/src/driver.c
index 6b75622689..ed2d943ddf 100644
--- a/src/driver.c
+++ b/src/driver.c
@@ -276,7 +276,19 @@ virConnectValidateURIPath(const char *uriPath,
bool privileged)
{
if (privileged) {
- if (STRNEQ(uriPath, "/system")) {
+ /* TODO: qemu and vbox drivers allow '/session'
+ * connections as root. This is not ideal, but changing
+ * these drivers to refuse privileged '/session'
+ * connections, like everyone else is already doing, can
+ * break existing applications. Until we decide what to do,
+ * for now we can handle them as exception in this validate
+ * function.
+ */
+ bool compatSessionRoot = (STREQ(entityName, "qemu") ||
+ STREQ(entityName, "vbox")) &&
+ STREQ(uriPath, "/session");
+
+ if (STRNEQ(uriPath, "/system") && !compatSessionRoot) {
virReportError(VIR_ERR_INTERNAL_ERROR,
_("unexpected %s URI path '%s', try "
"%s:///system"),
--
2.21.0
More information about the libvir-list
mailing list