On 22.06.2015 12:47, Michal Dubiel wrote:
QEMU working in vhost-user mode communicates with the other end
(i.e.
some virtual router application) via unix domain sockets. This requires
that permissions for the socket files are correctly written into
/etc/apparmor.d/libvirt/libvirt-UUID.files.
Signed-off-by: Michal Dubiel <md(a)semihalf.com>
---
Changes since v1:
- Removed unnecessary stat() call and dead 'else' block
src/security/virt-aa-helper.c | 25 ++++++++++++-------------
1 file changed, 12 insertions(+), 13 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 35423b5..f39932e 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -32,7 +32,6 @@
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
-#include <sys/stat.h>
#include <fcntl.h>
#include <getopt.h>
#include <sys/utsname.h>
@@ -542,7 +541,6 @@ array_starts_with(const char *str, const char * const *arr, const
long size)
static int
valid_path(const char *path, const bool readonly)
{
- struct stat sb;
int npaths, opaths;
const char * const restricted[] = {
"/bin/",
@@ -592,17 +590,6 @@ valid_path(const char *path, const bool readonly)
if (!virFileExists(path)) {
vah_warning(_("path does not exist, skipping file type checks"));
- } else {
- if (stat(path, &sb) == -1)
- return -1;
-
- switch (sb.st_mode & S_IFMT) {
- case S_IFSOCK:
- return 1;
- break;
- default:
- break;
- }
}
This leaves a one line body to the if(). Therefore 'syntax-check' is
sad. With that fixed I'm inclined to ACK the patch. But I'm not too
familiar with AppArmor, so unless somebody else gives another ACK, I'll
push this after the release.
opaths = sizeof(override)/sizeof(*(override));
@@ -1101,6 +1088,18 @@ get_files(vahControl * ctl)
}
}
+ for (i = 0; i < ctl->def->nnets; i++) {
+ if (ctl->def->nets[i] &&
+ ctl->def->nets[i]->type == VIR_DOMAIN_NET_TYPE_VHOSTUSER
&&
+ ctl->def->nets[i]->data.vhostuser) {
+ virDomainChrSourceDefPtr vhu = ctl->def->nets[i]->data.vhostuser;
+
+ if (vah_add_file_chardev(&buf, vhu->data.nix.path, "rw",
+ vhu->type) != 0)
+ goto cleanup;
+ }
+ }
+
if (ctl->def->virtType == VIR_DOMAIN_VIRT_KVM) {
for (i = 0; i < ctl->def->nnets; i++) {
virDomainNetDefPtr net = ctl->def->nets[i];
Michal