Adjust virt-aa-helper to handle pci devices

* src/security/virt-aa-helper.c: adjust virt-aa-helper to handle pci devices. Update valid_path() to have an override array to check against, and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it
2025-01-23 13:05:27 +00:00 · 2010-04-06 17:57:36 +02:00 · 2010-04-06 17:57:36 +02:00 · 1efb623674
commit 1efb623674
parent 2aca94bfd3
1 changed files with 25 additions and 10 deletions
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -490,7 +490,7 @@ static int
 valid_path(const char *path, const bool readonly)
 {
    struct stat sb;
-    int npaths;
+    int npaths, opaths;
    const char * const restricted[] = {
        "/bin/",
        "/etc/",
@ -516,6 +516,10 @@ valid_path(const char *path, const bool readonly)
        "/initrd",
        "/initrd.img"
    };
+    /* override the above with these */
+    const char * const override[] = {
+        "/sys/devices/pci"	/* for hostdev pci devices */
+    };

    if (path == NULL || strlen(path) > PATH_MAX - 1) {
        vah_error(NULL, 0, "bad pathname");
@ -553,9 +557,12 @@ valid_path(const char *path, const bool readonly)
        }
    }

+    opaths = sizeof(override)/sizeof *(override);
+
    npaths = sizeof(restricted)/sizeof *(restricted);
-    if (array_starts_with(path, restricted, npaths) == 0)
-        return 1;
+    if (array_starts_with(path, restricted, npaths) == 0 &&
+        array_starts_with(path, override, opaths) != 0)
+            return 1;

    npaths = sizeof(restricted_rw)/sizeof *(restricted_rw);
    if (!readonly) {
@ -779,8 +786,16 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
 }

 static int
-file_iterate_cb(usbDevice *dev ATTRIBUTE_UNUSED,
-                const char *file, void *opaque)
+file_iterate_hostdev_cb(usbDevice *dev ATTRIBUTE_UNUSED,
+                        const char *file, void *opaque)
+{
+    virBufferPtr buf = opaque;
+    return vah_add_file(buf, file, "rw");
+}
+
+static int
+file_iterate_pci_cb(pciDevice *dev ATTRIBUTE_UNUSED,
+                        const char *file, void *opaque)
 {
    virBufferPtr buf = opaque;
    return vah_add_file(buf, file, "rw");
@ -825,7 +840,7 @@ get_files(vahControl * ctl)
                path = NULL;

                if (ret < 0) {
-                    vah_warning("skipping backingStore check (open failed)");
+                    vah_warning("could not open path, skipping");
                    continue;
                }

@ -880,13 +895,13 @@ get_files(vahControl * ctl)
                if (usb == NULL)
                    continue;

-                rc = usbDeviceFileIterate(usb, file_iterate_cb, &buf);
+                rc = usbDeviceFileIterate(usb, file_iterate_hostdev_cb, &buf);
                usbFreeDevice(usb);
                if (rc != 0)
                    goto clean;
                break;
            }
-/* TODO: update so files in /sys are readonly
+
            case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
                pciDevice *pci = pciGetDevice(
                           dev->source.subsys.u.pci.domain,
@ -897,12 +912,12 @@ get_files(vahControl * ctl)
                if (pci == NULL)
                    continue;

-                rc = pciDeviceFileIterate(NULL, pci, file_iterate_cb, &buf);
+                rc = pciDeviceFileIterate(pci, file_iterate_pci_cb, &buf);
                pciFreeDevice(pci);

                break;
            }
-*/
+
            default:
                rc = 0;
                break;