[libvirt] [PATCH 2/2] virSecurityManagerGenLabel: Skip seclabels without model

Daniel P. Berrange berrange at redhat.com
Wed Jul 17 10:10:31 UTC 2013


On Mon, Jul 15, 2013 at 03:58:28PM +0200, Michal Privoznik wrote:
> While generating seclabels, we check the seclabel stack if required
> driver is in the stack. If not, an error is returned. However, it is
> possible for a seclabel to not have any model set (happens with LXC
> domains that have just <seclabel type='none'>). If that's the case,
> we should just skip the iteration instead of calling STREQ(NULL, ...)
> and SIGSEGV-ing subsequently.
> ---
>  src/security/security_manager.c | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/src/security/security_manager.c b/src/security/security_manager.c
> index 6946637..411a909 100644
> --- a/src/security/security_manager.c
> +++ b/src/security/security_manager.c
> @@ -436,6 +436,9 @@ int virSecurityManagerGenLabel(virSecurityManagerPtr mgr,
>  
>      virObjectLock(mgr);
>      for (i = 0; i < vm->nseclabels; i++) {
> +        if (!vm->seclabels[i]->model)
> +            continue;
> +
>          for (j = 0; sec_managers[j]; j++)
>              if (STREQ(vm->seclabels[i]->model, sec_managers[j]->drv->name))
>                  break;

ACK to this one too. Even though we can fix the LXC driver in your
first patch, adding this second patch is useful crash protection.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|




More information about the libvir-list mailing list