External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-03-07 17:28:15 +00:00
Code

virt-aa-helper: better write denials handling

Browse Source 
Better fix replacing c726af2d: introducing an 'R' permission to
add read rule, but no explicit deny write rule.
This commit is contained in:
Cédric Bosdonnat 2016-01-18 11:22:32 +01:00
parent da86c6c226
commit cedd2ab282
1 changed files with 17 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
src/security/virt-aa-helper.c
View File

@ -728,12 +728,18 @@ get_definition(vahControl * ctl, const char *xmlStr)
return rc; return rc;
} }
/**
* The permissions allowed are apparmor valid permissions and 'R'. 'R' stands for
* read with no explicit deny rule.
*/
static int static int
vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursive) vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursive)
{ {
char *tmp = NULL; char *tmp = NULL;
int rc = -1; int rc = -1;
bool readonly = true; bool readonly = true;
bool explicit_deny_rule = true;
char *sub = NULL;
if (path == NULL) if (path == NULL)
return rc; return rc;
@ -758,8 +764,16 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
return rc; return rc;
} }
if (strchr(perms, 'w') != NULL) if (strchr(perms, 'w') != NULL) {
readonly = false; readonly = false;
explicit_deny_rule = false;
}
if ((sub = strchr(perms, 'R')) != NULL) {
/* Don't write the invalid R permission, replace it with 'r' */
sub[0] = 'r';
explicit_deny_rule = false;
}
rc = valid_path(tmp, readonly); rc = valid_path(tmp, readonly);
if (rc != 0) { if (rc != 0) {
@ -774,7 +788,7 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
tmp[strlen(tmp) - 1] = '\0'; tmp[strlen(tmp) - 1] = '\0';
virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms); virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms);
if (readonly) { if (explicit_deny_rule) {
virBufferAddLit(buf, " # don't audit writes to readonly files\n"); virBufferAddLit(buf, " # don't audit writes to readonly files\n");
virBufferAsprintf(buf, " deny \"%s%s\" w,\n", tmp, recursive ? "/**" : ""); virBufferAsprintf(buf, " deny \"%s%s\" w,\n", tmp, recursive ? "/**" : "");
} }
@ -1084,7 +1098,7 @@ get_files(vahControl * ctl)
/* We don't need to add deny rw rules for readonly mounts, /* We don't need to add deny rw rules for readonly mounts,
* this can only lead to troubles when mounting / readonly. * this can only lead to troubles when mounting / readonly.
*/ */
if (vah_add_path(&buf, fs->src->path, "rw", true) != 0) if (vah_add_path(&buf, fs->src->path, fs->readonly ? "R" : "rw", true) != 0)
goto cleanup; goto cleanup;
} }
} }