[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] 7/10 AppArmor driver updates



On Mon, 2010-04-05 at 16:15 -0500, Jamie Strandboge wrote:

> 7_apparmor-fix-hostdev.patch: adjust virt-aa-helper to handle pci
> devices. Update valid_path() to have an override array to check against,
> and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to
> file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it.

-- 
Jamie Strandboge             | http://www.canonical.com
Author: Jamie Strandboge <jamie canonical com>
Description: adjust virt-aa-helper to handle pci devices. Update valid_path()
 to have an override array to check against, and add "/sys/devices/pci" to it.
 Then rename file_iterate_cb() to file_iterate_hostdev_cb() and create
 file_iterate_pci_cb() based on it.
Bug-Ubuntu: https://launchpad.net/bugs/545795

Index: libvirt-0.7.7/src/security/virt-aa-helper.c
===================================================================
--- libvirt-0.7.7.orig/src/security/virt-aa-helper.c	2010-04-05 12:45:39.000000000 -0500
+++ libvirt-0.7.7/src/security/virt-aa-helper.c	2010-04-05 12:45:39.000000000 -0500
@@ -490,7 +490,7 @@
 valid_path(const char *path, const bool readonly)
 {
     struct stat sb;
-    int npaths;
+    int npaths, opaths;
     const char * const restricted[] = {
         "/bin/",
         "/etc/",
@@ -516,6 +516,10 @@
         "/initrd",
         "/initrd.img"
     };
+    /* override the above with these */
+    const char * const override[] = {
+        "/sys/devices/pci"	/* for hostdev pci devices */
+    };
 
     if (path == NULL || strlen(path) > PATH_MAX - 1) {
         vah_error(NULL, 0, "bad pathname");
@@ -553,9 +557,12 @@
         }
     }
 
+    opaths = sizeof(override)/sizeof *(override);
+
     npaths = sizeof(restricted)/sizeof *(restricted);
-    if (array_starts_with(path, restricted, npaths) == 0)
-        return 1;
+    if (array_starts_with(path, restricted, npaths) == 0 &&
+        array_starts_with(path, override, opaths) != 0)
+            return 1;
 
     npaths = sizeof(restricted_rw)/sizeof *(restricted_rw);
     if (!readonly) {
@@ -779,8 +786,16 @@
 }
 
 static int
-file_iterate_cb(usbDevice *dev ATTRIBUTE_UNUSED,
-                const char *file, void *opaque)
+file_iterate_hostdev_cb(usbDevice *dev ATTRIBUTE_UNUSED,
+                        const char *file, void *opaque)
+{
+    virBufferPtr buf = opaque;
+    return vah_add_file(buf, file, "rw");
+}
+
+static int
+file_iterate_pci_cb(pciDevice *dev ATTRIBUTE_UNUSED,
+                        const char *file, void *opaque)
 {
     virBufferPtr buf = opaque;
     return vah_add_file(buf, file, "rw");
@@ -825,7 +840,7 @@
                 path = NULL;
 
                 if (ret < 0) {
-                    vah_warning("skipping backingStore check (open failed)");
+                    vah_warning("could not open path, skipping");
                     continue;
                 }
 
@@ -880,13 +895,13 @@
                 if (usb == NULL)
                     continue;
 
-                rc = usbDeviceFileIterate(usb, file_iterate_cb, &buf);
+                rc = usbDeviceFileIterate(usb, file_iterate_hostdev_cb, &buf);
                 usbFreeDevice(usb);
                 if (rc != 0)
                     goto clean;
                 break;
             }
-/* TODO: update so files in /sys are readonly
+
             case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
                 pciDevice *pci = pciGetDevice(
                            dev->source.subsys.u.pci.domain,
@@ -897,12 +912,12 @@
                 if (pci == NULL)
                     continue;
 
-                rc = pciDeviceFileIterate(NULL, pci, file_iterate_cb, &buf);
+                rc = pciDeviceFileIterate(pci, file_iterate_pci_cb, &buf);
                 pciFreeDevice(pci);
 
                 break;
             }
-*/
+
             default:
                 rc = 0;
                 break;

Attachment: signature.asc
Description: This is a digitally signed message part


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]