Re: [libvirt] [PATCH 1/1] security_util: verify xattrs only if ref is present

29 Aug 2019

On 8/28/19 12:21 PM, Nikolay Shirokovskiy wrote:
...
After 7cfb7aab573 commit starting a domain pullutes logs with
warnings like [1]. The reason is resource files do not
have timestamp before starting a domain and after destroying
domain the timestamp is cleared. Let's check the timestamp
only if attribute with refcounter is found.
[1] warning : virSecurityValidateTimestamp:198 : Invalid XATTR timestamp detected on \
     /some/path secdriver=dac
Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com>
---
  src/security/security_util.c | 24 ++++++++++++++++--------
  1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/src/security/security_util.c b/src/security/security_util.c
index 31f41cedfd..f33fe9dd7b 100644
--- a/src/security/security_util.c
+++ b/src/security/security_util.c
@@ -269,13 +269,9 @@ virSecurityGetRememberedLabel(const char *name,
      VIR_AUTOFREE(char *) attr_name = NULL;
      VIR_AUTOFREE(char *) value = NULL;
      unsigned int refcount = 0;
-    int rc;
*label = NULL;
-    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
-        return rc;
-
      if (!(ref_name = virSecurityGetRefCountAttrName(name)))
          return -1;
@@ -288,6 +284,14 @@ virSecurityGetRememberedLabel(const char *name,
                               ref_name,
                               path);
          return -1;
+    } else {
+        int rc;
+
+        if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+            return rc;
+
+        if (rc == 1)
+            return -2;
      }
if (virStrToLong_ui(value, NULL, 10, &refcount) < 0) {
@@ -357,10 +361,6 @@ virSecuritySetRememberedLabel(const char *name,
      VIR_AUTOFREE(char *) attr_name = NULL;
      VIR_AUTOFREE(char *) value = NULL;
      unsigned int refcount = 0;
-    int rc;
-
-    if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
-        return rc;
if (!(ref_name = virSecurityGetRefCountAttrName(name)))
          return -1;
@@ -375,6 +375,14 @@ virSecuritySetRememberedLabel(const char *name,
                                   path);
              return -1;
          }
+    } else {
+        int rc;
+
This needs to be executed if and only if @value is non-NULL otherwise 
the warning is going to be printed. Also, I'm adding a small comment 
here to explain why this is done AFTER @value is read.
...
+        if ((rc = virSecurityValidateTimestamp(name, path)) < 0)
+            return rc;
+
+        if (rc == 1)
+            VIR_FREE(value);
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>

and pushed.

Thanks,
Michal

    