[libvirt] [PATCHv3] Disable nwfilter driver when running unprivileged

When opening a new connection to the driver, nwfilterOpen only succeeds if the driverState has been allocated. Move the privilege check in driver initialization before the state allocation to disable the driver. This changes the nwfilter-define error from: error: cannot create config directory (null): Bad address To: this function is not supported by the connection driver: virNWFilterDefineXML https://bugzilla.redhat.com/show_bug.cgi?id=1029266 --- v1: https://www.redhat.com/archives/libvir-list/2013-November/msg00368.html v2: https://www.redhat.com/archives/libvir-list/2013-November/msg00374.html forbid everything instead of just virNWFilterDefineXML v3: cut a pair of holes into my brown paper bag src/nwfilter/nwfilter_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 6602d73..d521adf 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -174,6 +174,9 @@ nwfilterStateInitialize(bool privileged, char *base = NULL; DBusConnection *sysbus = NULL; + if (!privileged) + return 0; + #if WITH_DBUS if (virDBusHasSystemBus() && !(sysbus = virDBusGetSystemBus())) @@ -190,9 +193,6 @@ nwfilterStateInitialize(bool privileged, driverState->watchingFirewallD = (sysbus != NULL); driverState->privileged = privileged; - if (!privileged) - return 0; - nwfilterDriverLock(driverState); if (virNWFilterIPAddrMapInit() < 0) -- 1.8.3.2
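Review bot: the early return added in the first hunk (@@ -174,6 +174,9 @@, just before `#if WITH_DBUS`) carries no comment, and `return 0` reads as a successful initialization even though its purpose is to leave driverState unallocated so that nwfilterOpen declines the connection. A short comment at that spot, saying the driver is intentionally left disabled when unprivileged, would keep a later refactor from moving the allocation back above the check and reintroducing the "(null)" config directory error.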
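Review bot: in the second hunk (@@ -190,9 +193,6 @@) the context line `driverState->privileged = privileged;` can now only ever store true, because the unprivileged case returns before driverState exists. Consider dropping the field in a follow-up, or stating in the commit message that it is kept on purpose, so that readers do not assume an unprivileged state object can still exist.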

On Tue, Nov 12, 2013 at 01:52:10PM +0100, Ján Tomko wrote:
When opening a new connection to the driver, nwfilterOpen only succeeds if the driverState has been allocated.
Move the privilege check in driver initialization before the state allocation to disable the driver.
This changes the nwfilter-define error from: error: cannot create config directory (null): Bad address To: this function is not supported by the connection driver: virNWFilterDefineXML
https://bugzilla.redhat.com/show_bug.cgi?id=1029266 --- v1: https://www.redhat.com/archives/libvir-list/2013-November/msg00368.html v2: https://www.redhat.com/archives/libvir-list/2013-November/msg00374.html forbid everything instead of just virNWFilterDefineXML v3: cut a pair of holes into my brown paper bag
src/nwfilter/nwfilter_driver.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/nwfilter/nwfilter_driver.c b/src/nwfilter/nwfilter_driver.c index 6602d73..d521adf 100644 --- a/src/nwfilter/nwfilter_driver.c +++ b/src/nwfilter/nwfilter_driver.c @@ -174,6 +174,9 @@ nwfilterStateInitialize(bool privileged, char *base = NULL; DBusConnection *sysbus = NULL;
+ if (!privileged) + return 0; + #if WITH_DBUS if (virDBusHasSystemBus() && !(sysbus = virDBusGetSystemBus())) @@ -190,9 +193,6 @@ nwfilterStateInitialize(bool privileged, driverState->watchingFirewallD = (sysbus != NULL); driverState->privileged = privileged;
- if (!privileged) - return 0; - nwfilterDriverLock(driverState);
if (virNWFilterIPAddrMapInit() < 0)
ACK

Suitable for -maint branches too.

Daniel

On 11/12/2013 03:36 PM, Daniel P. Berrange wrote:
ACK
Suitable for -maint branches too.
I've pushed it to master and v0.10.2, v1.0.5 and v1.1.0 ~ v1.1.3 -maint branches.

Thank you for the reviews.

Jan
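The ordering issue this thread discusses, as an added example in C that is not libvirt code and not part of the original messages: a simplified model showing why checking privilege before allocating state turns an internal error into a clean refusal. All names (`state_init`, `driver_open`, `define_filter`, `scenario`, the error codes and the constructed path) are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified model; every name here is hypothetical, not libvirt's. */
enum { OK = 0, ERR_NO_SUPPORT = -1, ERR_CONFIG_DIR = -2, ERR_INIT = -3 };

struct filter_state { const char *config_dir; };  /* set only when privileged */
static struct filter_state *state;                /* NULL: driver disabled */

/* check_first=false: old order (allocate, then check privilege).
 * check_first=true:  patched order (check privilege, then allocate). */
static int state_init(bool privileged, bool check_first)
{
    if (check_first && !privileged)
        return 0;                  /* nothing allocated: driver stays off */
    if (!(state = calloc(1, sizeof(*state))))
        return -1;
    if (!privileged)
        return 0;                  /* old order: half-built state remains */
    state->config_dir = "/constructed/nwfilter";   /* constructed path */
    return 0;
}

static void state_cleanup(void) { free(state); state = NULL; }

/* A connection binds to the driver only when its state exists. */
static bool driver_open(void) { return state != NULL; }

static int define_filter(void)
{
    if (!driver_open())
        return ERR_NO_SUPPORT;     /* refused before any driver code runs */
    if (!state->config_dir)
        return ERR_CONFIG_DIR;     /* the "(null)" directory failure */
    return OK;
}

/* Run one scenario from a clean slate; returns define_filter()'s result. */
static int scenario(bool privileged, bool check_first)
{
    state_cleanup();
    int rc = state_init(privileged, check_first) < 0 ? ERR_INIT : define_filter();
    state_cleanup();
    return rc;
}

int main(void)
{
    /* Exit 0 when the unprivileged, patched order is refused as unsupported. */
    return scenario(false, true) == ERR_NO_SUPPORT ? 0 : 1;
}
```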
participants (2)
- Daniel P. Berrange
- Ján Tomko