Re: [libvirt] [PATCH] Disable nwfilterDefineXML for unprivileged libvirtd
On Tue, Nov 12, 2013 at 12:41:52PM +0100, Ján Tomko wrote:
Fail in a more friendly way than:
error: cannot create config directory (null): Bad address
https://bugzilla.redhat.com/show_bug.cgi?id=1029266
---
src/nwfilter/nwfilter_driver.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c
index 6602d73..c3ff4fe 100644
--- a/src/nwfilter/nwfilter_driver.c
+++ b/src/nwfilter/nwfilter_driver.c
@@ -551,13 +551,20 @@ nwfilterDefineXML(virConnectPtr conn,
const char *xml)
{
virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
- virNWFilterDefPtr def;
+ virNWFilterDefPtr def = NULL;
virNWFilterObjPtr nwfilter = NULL;
virNWFilterPtr ret = NULL;
nwfilterDriverLock(driver);
virNWFilterCallbackDriversLock();
+ if (!driver->privileged) {
+ virReportError(VIR_ERR_OPERATION_UNSUPPORTED,
+ _("network filters are only available when libvirtd "
+ "runs as root"));
+ goto cleanup;
+ }
+
if (!(def = virNWFilterDefParseString(xml)))
goto cleanup;
This is wrong. The nwfilter driver's global init method should abort
if not running privileged, and then its 'open' method should decline
any attempt to open it. The result should be that the callbacks are
never registered with the connection object.
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|