libvirt/d25a5e08-virt-aa-helper-simplify-restriction-logic.patch

From d25a5e087ae10142d3d533ed193146736526b2ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
Date: Fri, 21 Aug 2015 10:49:15 +0200
Subject: [PATCH 2/4] virt-aa-helper: Simplify restriction logic

First check overrides, then read only files then restricted access
itself.

This allows us to mark files for read only access whose parents were
already restricted for read write.

Based on a proposal by Martin Kletzander
---
 src/security/virt-aa-helper.c | 29 ++++++++++++++++++-----------
 1 file changed, 18 insertions(+), 11 deletions(-)

Index: libvirt-1.2.18/src/security/virt-aa-helper.c
===================================================================
--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c
+++ libvirt-1.2.18/src/security/virt-aa-helper.c
@@ -546,7 +546,9 @@ array_starts_with(const char *str, const
 static int
 valid_path(const char *path, const bool readonly)
 {
-    int npaths, opaths;
+    int npaths;
+    int nropaths;
+
     const char * const restricted[] = {
         "/bin/",
         "/etc/",
@@ -596,18 +598,23 @@ valid_path(const char *path, const bool
     if (!virFileExists(path))
         vah_warning(_("path does not exist, skipping file type checks"));
 
-    opaths = sizeof(override)/sizeof(*(override));
+    /* overrides are always allowed */
+    npaths = sizeof(override)/sizeof(*(override));
+    if (array_starts_with(path, override, npaths) == 0)
+        return 0;
+
+    /* allow read only paths upfront */
+    if (readonly) {
+        nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
+        if (array_starts_with(path, restricted_rw, nropaths) == 0)
+            return 0;
+    }
 
+    /* disallow RW acess to all paths in restricted and restriced_rw */
     npaths = sizeof(restricted)/sizeof(*(restricted));
-    if (array_starts_with(path, restricted, npaths) == 0 &&
-        array_starts_with(path, override, opaths) != 0)
-            return 1;
-
-    npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
-    if (!readonly) {
-        if (array_starts_with(path, restricted_rw, npaths) == 0)
-            return 1;
-    }
+    if ((array_starts_with(path, restricted, npaths) == 0
+        || array_starts_with(path, restricted_rw, nropaths) == 0))
+        return 1;
 
     return 0;
 }
Accepting request 327805 from home:jfehlig:branches:Virtualization Add fixes from SLE12 SP1 to Factory libvirt package. - Replace local libxl patches with upstream variants Dropped: 0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch 0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch 0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch Added: 44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch 15120b8c-libxl-no-resume-on-suspend-fail.patch e80b84a7-libxl-acquire-job-on-migrate.patch bsc#936185 - Added another virt-aa-helper upstream patch 52970dec-virt-aa-helper-improve-valid-path.patch lp#1483071 - Added upstream patch to fix libvirt-tck memory balloon test failure on Xen 60acb38-revert-curmem-inactive-dom.patch - Fix generated apparmor profile to allow access to ovmf and nvram. 26c5fa3a-virt-aa-helper-missing-doc.patch 2f01cfdf-virt-aa-helper-allow-ovmf.patch 91fdcefa-virt-aa-helper-allow-nvram.patch d25a5e08-virt-aa-helper-simplify-restriction-logic.patch lp#1483071 OBS-URL: https://build.opensuse.org/request/show/327805 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=479 2015-08-28 20:30:35 +00:00			`From d25a5e087ae10142d3d533ed193146736526b2ae Mon Sep 17 00:00:00 2001`
			`From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>`
			`Date: Fri, 21 Aug 2015 10:49:15 +0200`
			`Subject: [PATCH 2/4] virt-aa-helper: Simplify restriction logic`

			`First check overrides, then read only files then restricted access`
			`itself.`

			`This allows us to mark files for read only access whose parents were`
			`already restricted for read write.`

			`Based on a proposal by Martin Kletzander`
			`---`
			`src/security/virt-aa-helper.c \| 29 ++++++++++++++++++-----------`
			`1 file changed, 18 insertions(+), 11 deletions(-)`

			`Index: libvirt-1.2.18/src/security/virt-aa-helper.c`
			`===================================================================`
			`--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c`
			`+++ libvirt-1.2.18/src/security/virt-aa-helper.c`
			`@@ -546,7 +546,9 @@ array_starts_with(const char *str, const`
			`static int`
			`valid_path(const char *path, const bool readonly)`
			`{`
			`- int npaths, opaths;`
			`+ int npaths;`
			`+ int nropaths;`
			`+`
			`const char * const restricted[] = {`
			`"/bin/",`
			`"/etc/",`
			`@@ -596,18 +598,23 @@ valid_path(const char *path, const bool`
			`if (!virFileExists(path))`
			`vah_warning(_("path does not exist, skipping file type checks"));`

			`- opaths = sizeof(override)/sizeof(*(override));`
			`+ /* overrides are always allowed */`
			`+ npaths = sizeof(override)/sizeof(*(override));`
			`+ if (array_starts_with(path, override, npaths) == 0)`
			`+ return 0;`
			`+`
			`+ /* allow read only paths upfront */`
			`+ if (readonly) {`
			`+ nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));`
			`+ if (array_starts_with(path, restricted_rw, nropaths) == 0)`
			`+ return 0;`
			`+ }`

			`+ /* disallow RW acess to all paths in restricted and restriced_rw */`
			`npaths = sizeof(restricted)/sizeof(*(restricted));`
			`- if (array_starts_with(path, restricted, npaths) == 0 &&`
			`- array_starts_with(path, override, opaths) != 0)`
			`- return 1;`
			`-`
			`- npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));`
			`- if (!readonly) {`
			`- if (array_starts_with(path, restricted_rw, npaths) == 0)`
			`- return 1;`
			`- }`
			`+ if ((array_starts_with(path, restricted, npaths) == 0`
			`+ \|\| array_starts_with(path, restricted_rw, nropaths) == 0))`
			`+ return 1;`

			`return 0;`
			`}`