
Re: [libvirt] [PATCH 2/4] AppArmor updates



On Thu, 12 Nov 2009, Jamie Strandboge wrote:

> 2_aa_require_absolute_path.patch:
> Require absolute path for dynamically added files. This is required by
> AppArmor and conveniently prevents adding tcp consoles to the profile.
> This fixes https://launchpad.net/bugs/460271.
> 

-- 
Jamie Strandboge             | http://www.canonical.com
diff -Naurp libvirt.orig/src/security/virt-aa-helper.c libvirt/src/security/virt-aa-helper.c
--- libvirt.orig/src/security/virt-aa-helper.c	2009-11-06 16:50:19.000000000 -0600
+++ libvirt/src/security/virt-aa-helper.c	2009-11-06 17:05:12.000000000 -0600
@@ -517,6 +517,10 @@ valid_path(const char *path, const bool 
     if (strchr(path, '"') != NULL)
         return 1;
 
+    /* Require an absolute path */
+    if (STRNEQLEN(path, "/", 1))
+        return 1;
+
     if (!virFileExists(path))
         vah_warning("path does not exist, skipping file type checks");
     else {
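Review bot: The new rejection in valid_path() returns 1 without any message, so a caller cannot tell a relative path apart from the quote-character rejection just above it, while the matching check in vah_add_file() does emit a warning. Consider logging why the path was refused here as well. As a style point, STRNEQLEN(path, "/", 1) compares a single character, so path[0] != '/' would say the same thing more directly. Note also that a leading slash only shows the path is absolute, not that it is canonical: a path such as /a/../b passes this test, so the check should not be read as path normalization.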
@@ -718,6 +722,16 @@ vah_add_file(virBufferPtr buf, const cha
     if (path == NULL)
         return rc;
 
+    /* Skip files without an absolute path. Not having one confuses the
+     * apparmor parser and this also ensures things like tcp consoles don't
+     * get added to the profile.
+     */
+    if (STRNEQLEN(path, "/", 1)) {
+        vah_warning(path);
+        vah_warning("  skipped non-absolute path");
+        return 0;
+    }
+
     if (virFileExists(path)) {
         if ((tmp = realpath(path, NULL)) == NULL) {
             vah_error(NULL, 0, path);
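Review bot: The skip in vah_add_file() reports the problem through two separate calls, vah_warning(path) followed by vah_warning("  skipped non-absolute path"), which hands the caller-supplied path to the logger as the message itself and splits one event over two log lines. A single call that builds "skipped non-absolute path: <path>" would be easier to grep and keeps the untrusted string out of the message position. The return value also deserves a line in the comment: this hunk returns 0 for a non-absolute path while valid_path() returns 1 for the same condition, so the caller sees success and the file is silently left out of the profile. That looks intended from the comment about tcp consoles, but it should be stated explicitly. Since the same STRNEQLEN test now appears in both functions, a small shared helper would keep the two checks from drifting apart.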

Attachment: signature.asc
Description: Digital signature

