virt-aa-helper: Simplify restriction logic

First check overrides, then read only files then restricted access
itself.

This allows us to mark files for read only access whose parents were
already restricted for read write.

Based on a proposal by Martin Kletzander
This commit is contained in:
Guido Günther 2015-08-21 10:49:15 +02:00
parent 26c5fa3a9b
commit d25a5e087a

View File

@ -546,7 +546,9 @@ array_starts_with(const char *str, const char * const *arr, const long size)
static int
valid_path(const char *path, const bool readonly)
{
int npaths, opaths;
int npaths;
int nropaths;
const char * const restricted[] = {
"/bin/",
"/etc/",
@ -596,19 +598,24 @@ valid_path(const char *path, const bool readonly)
if (!virFileExists(path))
vah_warning(_("path does not exist, skipping file type checks"));
opaths = sizeof(override)/sizeof(*(override));
/* overrides are always allowed */
npaths = sizeof(override)/sizeof(*(override));
if (array_starts_with(path, override, npaths) == 0)
return 0;
npaths = sizeof(restricted)/sizeof(*(restricted));
if (array_starts_with(path, restricted, npaths) == 0 &&
array_starts_with(path, override, opaths) != 0)
return 1;
npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
if (!readonly) {
if (array_starts_with(path, restricted_rw, npaths) == 0)
return 1;
/* allow read only paths upfront */
if (readonly) {
nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
if (array_starts_with(path, restricted_rw, nropaths) == 0)
return 0;
}
/* disallow RW acess to all paths in restricted and restriced_rw */
npaths = sizeof(restricted)/sizeof(*(restricted));
if ((array_starts_with(path, restricted, npaths) == 0
|| array_starts_with(path, restricted_rw, nropaths) == 0))
return 1;
return 0;
}