virt-aa-helper: Fix permissions for vhost-user socket files

QEMU working in vhost-user mode communicates with the other end (i.e. some virtual router application) via unix domain sockets. This requires that permissions for the socket files are correctly written into /etc/apparmor.d/libvirt/libvirt-UUID.files. Signed-off-by: Michal Dubiel <md@semihalf.com>
2025-01-11 07:17:44 +00:00 · 2015-07-01 10:15:29 +02:00 · 2015-07-01 10:15:29 +02:00 · a188c57d54
commit a188c57d54
parent 20078964d9
1 changed files with 13 additions and 15 deletions
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@ -32,7 +32,6 @@
 #include <unistd.h>
 #include <errno.h>
 #include <sys/types.h>
-#include <sys/stat.h>
 #include <fcntl.h>
 #include <getopt.h>
 #include <sys/utsname.h>
@ -542,7 +541,6 @@ array_starts_with(const char *str, const char * const *arr, const long size)
 static int
 valid_path(const char *path, const bool readonly)
 {
-    struct stat sb;
    int npaths, opaths;
    const char * const restricted[] = {
        "/bin/",
@ -590,20 +588,8 @@ valid_path(const char *path, const bool readonly)
    if (STRNEQLEN(path, "/", 1))
        return 1;

-    if (!virFileExists(path)) {
+    if (!virFileExists(path))
        vah_warning(_("path does not exist, skipping file type checks"));
-    } else {
-        if (stat(path, &sb) == -1)
-            return -1;
-
-        switch (sb.st_mode & S_IFMT) {
-            case S_IFSOCK:
-                return 1;
-                break;
-            default:
-                break;
-        }
-    }

    opaths = sizeof(override)/sizeof(*(override));

@ -1101,6 +1087,18 @@ get_files(vahControl * ctl)
        }
    }

+    for (i = 0; i < ctl->def->nnets; i++) {
+        if (ctl->def->nets[i] &&
+                ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER &&
+                ctl->def->nets[i]->data.vhostuser) {
+            virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
+
+            if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
+                       vhu->type) != 0)
+                goto cleanup;
+        }
+    }
+
    if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
        for (i = 0; i < ctl->def->nnets; i++) {
            virDomainNetDefPtr net = ctl->def->nets[i];