NuKVM/libvirt
3
0
Fork 0
mirror of https://github.com/libvirt/libvirt.git synced 2025-02-25 18:55:26 -06:00
Code Issues Packages Projects Releases Wiki Activity

virt-aa-helper: Fix permissions for vhost-user socket files

Browse Source 
QEMU working in vhost-user mode communicates with the other end (i.e.
some virtual router application) via unix domain sockets. This requires
that permissions for the socket files are correctly written into
/etc/apparmor.d/libvirt/libvirt-UUID.files.

Signed-off-by: Michal Dubiel <md@semihalf.com>
This commit is contained in:
Michal Dubiel 2015-07-01 10:15:29 +02:00 committed by Michal Privoznik
parent 20078964d9
commit a188c57d54
1 changed files with 13 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
src/security/virt-aa-helper.c
View File

@ -32,7 +32,6 @@
#include <unistd.h> #include <unistd.h>
#include <errno.h> #include <errno.h>
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h> #include <fcntl.h>
#include <getopt.h> #include <getopt.h>
#include <sys/utsname.h> #include <sys/utsname.h>
@ -542,7 +541,6 @@ array_starts_with(const char *str, const char * const *arr, const long size)
static int static int
valid_path(const char *path, const bool readonly) valid_path(const char *path, const bool readonly)
{ {
struct stat sb;
int npaths, opaths; int npaths, opaths;
const char * const restricted[] = { const char * const restricted[] = {
"/bin/", "/bin/",
@ -590,20 +588,8 @@ valid_path(const char *path, const bool readonly)
if (STRNEQLEN(path, "/", 1)) if (STRNEQLEN(path, "/", 1))
return 1; return 1;
if (!virFileExists(path)) { if (!virFileExists(path))
vah_warning(_("path does not exist, skipping file type checks")); vah_warning(_("path does not exist, skipping file type checks"));
} else {
if (stat(path, &sb) == -1)
return -1;
switch (sb.st_mode & S_IFMT) {
case S_IFSOCK:
return 1;
break;
default:
break;
}
}
opaths = sizeof(override)/sizeof(*(override)); opaths = sizeof(override)/sizeof(*(override));
@ -1101,6 +1087,18 @@ get_files(vahControl * ctl)
} }
} }
for (i = 0; i < ctl->def->nnets; i++) {
if (ctl->def->nets[i] &&
ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
ctl->def->nets[i]->data.vhostuser) {
virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
vhu->type) != 0)
goto cleanup;
}
}
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) { if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) { for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDefPtr net = ctl->def->nets[i]; virDomainNetDefPtr net = ctl->def->nets[i];