[libvirt] [PATCHv3] virt-aa-helper: Fix permissions for vhost-user socket files
QEMU working in vhost-user mode communicates with the other end (i.e. some virtual router application) via unix domain sockets. This requires that permissions for the socket files are correctly written into /etc/apparmor.d/libvirt/libvirt-UUID.files.
Signed-off-by: Michal Dubiel
---
Changes since v2:
- Removed curly braces from one line 'if' block (syntax-check claims)
src/security/virt-aa-helper.c | 28 +---
1 file changed, 13 insertions(+), 15 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 35423b5..13f8a6a 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -32,7 +32,6 @@
#include
#include
#include
-#include
#include
#include
#include
@@ -542,7 +541,6 @@ array_starts_with(const char *str, const char * const *arr, const long size)
static int
valid_path(const char *path, const bool readonly)
{
-struct stat sb;
int npaths, opaths;
const char * const restricted[] = {
"/bin/",
@@ -590,20 +588,8 @@ valid_path(const char *path, const bool readonly)
if (STRNEQLEN(path, "/", 1))
return 1;
-if (!virFileExists(path)) {
+if (!virFileExists(path))
vah_warning(_("path does not exist, skipping file type checks"));
-} else {
-if (stat(path, &sb) == -1)
-return -1;
-
-switch (sb.st_mode & S_IFMT) {
-case S_IFSOCK:
-return 1;
-break;
-default:
-break;
-}
-}
opaths = sizeof(override)/sizeof(*(override));
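Review bot: In the third hunk, the S_IFSOCK rejection is removed from valid_path for every caller, not just for the vhost-user sockets that motivated the change, and neither the code nor the commit message says why an existing socket at any path handed to vah_add_file is now acceptable. If that check was there to keep arbitrary host sockets out of the generated profile, its removal silently widens what the helper will write; if it was obsolete, the reason belongs next to the code. Suggest a short comment at the point of removal, for example `/* existing sockets are allowed: vhost-user back ends pre-create the socket QEMU connects to */`, or a sentence in the commit message. The remainder of valid_path lies outside the hunk; the same three hunks reappear in the v2 and v1 postings below.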
@@ -1101,6 +1087,18 @@ get_files(vahControl * ctl)
}
}
+for (i = 0; i < ctl->def->nnets; i++) {
+if (ctl->def->nets[i] &&
+ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
+ctl->def->nets[i]->data.vhostuser) {
+virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
+
+if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
+ vhu->type) != 0)
+goto cleanup;
+}
+}
+
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDefPtr net = ctl->def->nets[i];
--
1.9.1
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
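Review bot: The new loop dereferences `vhu->data.nix.path` without first checking that `vhu->type` is VIR_DOMAIN_CHR_TYPE_UNIX, even though it passes `vhu->type` on to vah_add_file_chardev; `data.nix` looks like one arm of a type-keyed union, so a non-unix source would be read through the wrong member. If the domain parser already guarantees a unix source for vhost-user interfaces, a comment such as `/* parser guarantees a unix-socket source for vhost-user */` documents the assumption; otherwise add `if (vhu->type != VIR_DOMAIN_CHR_TYPE_UNIX) continue;` before the call. As a style point, this pass over `ctl->def->nnets` sits immediately before the existing per-net loop under the KVM check and could be folded into it. The enclosing get_files body begins and ends outside the hunk; the v2 and v1 postings below carry the identical hunk.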
[libvirt] [PATCHv2] virt-aa-helper: Fix permissions for vhost-user socket files
QEMU working in vhost-user mode communicates with the other end (i.e. some virtual router application) via unix domain sockets. This requires that permissions for the socket files are correctly written into /etc/apparmor.d/libvirt/libvirt-UUID.files.
Signed-off-by: Michal Dubiel
---
Changes since v1:
- Removed unnecessary stat() call and dead 'else' block
src/security/virt-aa-helper.c | 25 -
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 35423b5..f39932e 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -32,7 +32,6 @@
#include
#include
#include
-#include
#include
#include
#include
@@ -542,7 +541,6 @@ array_starts_with(const char *str, const char * const *arr, const long size)
static int
valid_path(const char *path, const bool readonly)
{
-struct stat sb;
int npaths, opaths;
const char * const restricted[] = {
"/bin/",
@@ -592,17 +590,6 @@ valid_path(const char *path, const bool readonly)
if (!virFileExists(path)) {
vah_warning(_("path does not exist, skipping file type checks"));
-} else {
-if (stat(path, &sb) == -1)
-return -1;
-
-switch (sb.st_mode & S_IFMT) {
-case S_IFSOCK:
-return 1;
-break;
-default:
-break;
-}
}
opaths = sizeof(override)/sizeof(*(override));
@@ -1101,6 +1088,18 @@ get_files(vahControl * ctl)
}
}
+for (i = 0; i < ctl->def->nnets; i++) {
+if (ctl->def->nets[i] &&
+ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
+ctl->def->nets[i]->data.vhostuser) {
+virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
+
+if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
+ vhu->type) != 0)
+goto cleanup;
+}
+}
+
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDefPtr net = ctl->def->nets[i];
--
1.9.1
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
[libvirt] [PATCH] virt-aa-helper: Fix permissions for vhost-user socket files
QEMU working in vhost-user mode communicates with the other end (i.e. some virtual router application) via unix domain sockets. This requires that permissions for the socket files are correctly written into /etc/apparmor.d/libvirt/libvirt-UUID.files.
Signed-off-by: Michal Dubiel
---
src/security/virt-aa-helper.c | 24 +---
1 file changed, 13 insertions(+), 11 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 35423b5..a097aa6 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -592,19 +592,9 @@ valid_path(const char *path, const bool readonly)
if (!virFileExists(path)) {
vah_warning(_("path does not exist, skipping file type checks"));
-} else {
-if (stat(path, &sb) == -1)
+} else if (stat(path, &sb) == -1)
return -1;
-switch (sb.st_mode & S_IFMT)
-case S_IFSOCK:
-return 1;
-break;
-default:
-break;
-}
-}
-
opaths = sizeof(override)/sizeof(*(override));
npaths = sizeof(restricted)/sizeof(*(restricted));
@@ -1101,6 +1091,18 @@ get_files(vahControl * ctl)
}
}
+for (i = 0; i < ctl->def->nnets; i++) {
+if (ctl->def->nets[i] &&
+ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
+ctl->def->nets[i]->data.vhostuser) {
+virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
+
+if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
+ vhu->type) != 0)
+goto cleanup;
+}
+}
+
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDefPtr net = ctl->def->nets[i];
--
1.9.1
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list