[libvirt] [PATCH] Disable nwfilterDefineXML for unprivileged libvirtd

Fail in a more friendly way than: error: cannot create config directory (null): Bad address https://bugzilla.redhat.com/show_bug.cgi?id=1029266 --- src/nwfilter/nwfilter_driver.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 6602d73..c3ff4fe 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -551,13 +551,20 @@ nwfilterDefineXML(virConnectPtr conn, const char *xml) { virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData; - virNWFilterDefPtr def; + virNWFilterDefPtr def = NULL; virNWFilterObjPtr nwfilter = NULL; virNWFilterPtr ret = NULL; nwfilterDriverLock(driver); virNWFilterCallbackDriversLock(); + if (!driver->privileged) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, + _("network filters are only available when libvirtd " + "runs as root")); + goto cleanup; + } + if (!(def = virNWFilterDefParseString(xml))) goto cleanup; -- 1.8.3.2

On Tue, Nov 12, 2013 at 12:41:52PM +0100, Ján Tomko wrote:
Fail in a more friendly way than: error: cannot create config directory (null): Bad address
https://bugzilla.redhat.com/show_bug.cgi?id=1029266 --- src/nwfilter/nwfilter_driver.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 6602d73..c3ff4fe 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -551,13 +551,20 @@ nwfilterDefineXML(virConnectPtr conn, const char *xml) { virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData; - virNWFilterDefPtr def; + virNWFilterDefPtr def = NULL; virNWFilterObjPtr nwfilter = NULL; virNWFilterPtr ret = NULL;
nwfilterDriverLock(driver); virNWFilterCallbackDriversLock();
+ if (!driver->privileged) { + virReportError(VIR_ERR_OPERATION_UNSUPPORTED, + _("network filters are only available when libvirtd " + "runs as root")); + goto cleanup; + } + if (!(def = virNWFilterDefParseString(xml))) goto cleanup;
This is wrong. The nwfilter driver's global init method should abort if not running privileged, and then its 'open' method should decline any attempt to open it. The result should be that the callbacks are never registered with the connection object. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
participants (2)
-
Daniel P. Berrange
-
Ján Tomko