Re: [libvirt] [PATCH v2 4/4] conf: Don't allow multiple seclabels for same model

https://bugzilla.redhat.com/show_bug.cgi?id=1066894 With current code it's possible to have for instance: virsh dumpxml mydomain | grep seclabel <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> <seclabel type='dynamic' model='selinux' relabel='yes'/> what doesn't make any sense. We should reject the XML in the config

parsing phase. Signed-off-by: Michal Privoznik <mprivozn(a)redhat.com&gt; --- src/conf/domain_conf.c | 18 ++++++++-- .../qemuxml2argv-seclabel-multiple.xml | 40 ++++++++++++++++++++++ tests/qemuxml2argvtest.c | 1 + 3 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-seclabel-multiple.xml

@@ -4689,10 +4689,22 @@ virSecurityLabelDefsParseXML(virDomainDefPtr def, /* Parse each "seclabel" tag */ for (i = 0; i < n; i++) { + virSecurityLabelDefPtr seclabel; + ctxt->node = list[i]; - def->seclabels[i] = virSecurityLabelDefParseXML(ctxt, flags); - if (def->seclabels[i] == NULL) + if (!(seclabel = virSecurityLabelDefParseXML(ctxt, flags))) goto error; + + for (j = 0; j < i; j++) { + if (STREQ_NULLABLE(seclabel->model, def->seclabels[j]->model)) { + virReportError(VIR_ERR_XML_DETAIL, + _("seclablel for model %s is already provided"), + seclabel->model);

+ goto error; + } + } + + def->seclabels[i] = seclabel; } def->nseclabels = n; ctxt->node = saved_node;