shaba/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-04 21:47:16 +03:00
Code Releases Activity

AppArmor require absolute paths

Browse Source 
Fixes https://launchpad.net/bugs/460271

* src/security/virt-aa-helper.c: require absolute path for dynamic added
  files. This is required by AppArmor and conveniently prevents adding
  tcp consoles to the profile
This commit is contained in:
Jamie Strandboge 2009-11-13 15:22:20 +01:00 committed by Daniel Veillard
parent a8a560dd3a
commit dae7054b76
1 changed files with 14 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
src/security/virt-aa-helper.c
View File

@ -517,6 +517,10 @@ valid_path(const char *path, const bool readonly)
if (strchr(path, '"') != NULL) if (strchr(path, '"') != NULL)
return 1; return 1;
/* Require an absolute path */
if (STRNEQLEN(path, "/", 1))
return 1;
if (!virFileExists(path)) if (!virFileExists(path))
vah_warning("path does not exist, skipping file type checks"); vah_warning("path does not exist, skipping file type checks");
else { else {
@ -718,6 +722,16 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
if (path == NULL) if (path == NULL)
return rc; return rc;
/* Skip files without an absolute path. Not having one confuses the
* apparmor parser and this also ensures things like tcp consoles don't
* get added to the profile.
*/
if (STRNEQLEN(path, "/", 1)) {
vah_warning(path);
vah_warning(" skipped non-absolute path");
return 0;
}
if (virFileExists(path)) { if (virFileExists(path)) {
if ((tmp = realpath(path, NULL)) == NULL) { if ((tmp = realpath(path, NULL)) == NULL) {
vah_error(NULL, 0, path); vah_error(NULL, 0, path);