[PATCH 2/2] security: Avoid calling virSecurityManagerCheckModel with NULL model

Wednesday, 2 December 2020

Attempting to create a domain with <seclabel type='none'/> results in

virsh --connect lxc:/// create distro_nosec.xml
error: Failed to create domain from distro_nosec.xml
error: unsupported configuration: Security driver model '(null)' is not available

With <seclabel type='none'/>, the model field of virSecurityLabelDef will
be NULL, causing virSecurityManagerCheckModel() to fail with the above
error. Avoid calling virSecurityManagerCheckModel() when they seclabel
type is VIR_DOMAIN_SECLABEL_NONE.

Signed-off-by: Jim Fehlig <jfehlig(a)suse.com&gt;
---

This could also be fixed by checking for a NULL secmodel in
virSecurityManagerCheckModel, but it seems more appropriate to check for
a valid seclabel type before checking the model.

 src/security/security_manager.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/security/security_manager.c b/src/security/security_manager.c
index be81ee5e44..789e24d273 100644
--- a/src/security/security_manager.c
+++ b/src/security/security_manager.c
@@ -781,6 +781,9 @@ virSecurityManagerCheckDomainLabel(virSecurityManagerPtr mgr,
     size_t i;
 
     for (i = 0; i < def->nseclabels; i++) {
+        if (def->seclabels[i]->type == VIR_DOMAIN_SECLABEL_NONE)
+            continue;
+
         if (virSecurityManagerCheckModel(mgr, def->seclabels[i]->model) < 0)
             return -1;
     }
-- 
2.29.2



    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[PATCH 2/2] security: Avoid calling virSecurityManagerCheckModel with NULL model