8af0df1210
Add fixes from SLE12 SP1 to Factory libvirt package. - Replace local libxl patches with upstream variants Dropped: 0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch 0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch 0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch Added: 44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch 15120b8c-libxl-no-resume-on-suspend-fail.patch e80b84a7-libxl-acquire-job-on-migrate.patch bsc#936185 - Added another virt-aa-helper upstream patch 52970dec-virt-aa-helper-improve-valid-path.patch lp#1483071 - Added upstream patch to fix libvirt-tck memory balloon test failure on Xen 60acb38-revert-curmem-inactive-dom.patch - Fix generated apparmor profile to allow access to ovmf and nvram. 26c5fa3a-virt-aa-helper-missing-doc.patch 2f01cfdf-virt-aa-helper-allow-ovmf.patch 91fdcefa-virt-aa-helper-allow-nvram.patch d25a5e08-virt-aa-helper-simplify-restriction-logic.patch lp#1483071 OBS-URL: https://build.opensuse.org/request/show/327805 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=479
86 lines
4.3 KiB
Diff
86 lines
4.3 KiB
Diff
commit 52970dec5b4d0fd1a9baa593b46a33bd7eeaf6b8
|
|
Author: Michal Privoznik <mprivozn@redhat.com>
|
|
Date: Thu Aug 27 02:50:21 2015 +0200
|
|
|
|
virt-aa-helper: Improve valid_path
|
|
|
|
So, after some movement in virt-aa-helper, I've noticed the
|
|
virt-aa-helper-test failing. I've ran gdb (it took me a while to
|
|
realize how to do that) and this showed up immediately:
|
|
|
|
Program received signal SIGSEGV, Segmentation fault.
|
|
strlen () at ../sysdeps/x86_64/strlen.S:106
|
|
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
|
|
(gdb) bt
|
|
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
|
|
#1 0x0000555555561a13 in array_starts_with (str=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", arr=0x7fffffffd160, size=-1540438016) at security/virt-aa-helper.c:525
|
|
#2 0x0000555555561d49 in valid_path (path=0x5555557ce910 "/tmp/tmp.6nI2Fkv0KL/1.img", readonly=false) at security/virt-aa-helper.c:617
|
|
#3 0x0000555555562506 in vah_add_path (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw", recursive=false) at security/virt-aa-helper.c:823
|
|
#4 0x0000555555562693 in vah_add_file (buf=0x7fffffffd3e0, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", perms=0x555555581585 "rw") at security/virt-aa-helper.c:854
|
|
#5 0x0000555555562918 in add_file_path (disk=0x5555557d4440, path=0x5555557cb910 "/tmp/tmp.6nI2Fkv0KL/1.img", depth=0, opaque=0x7fffffffd3e0) at security/virt-aa-helper.c:931
|
|
#6 0x00007ffff78f18b1 in virDomainDiskDefForeachPath (disk=0x5555557d4440, ignoreOpenFailure=true, iter=0x5555555628a6 <add_file_path>, opaque=0x7fffffffd3e0) at conf/domain_conf.c:23286
|
|
#7 0x0000555555562b5f in get_files (ctl=0x7fffffffd670) at security/virt-aa-helper.c:982
|
|
#8 0x0000555555564100 in vahParseArgv (ctl=0x7fffffffd670, argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1277
|
|
#9 0x00005555555643d6 in main (argc=5, argv=0x7fffffffd7e8) at security/virt-aa-helper.c:1332
|
|
|
|
So I've taken look at valid_path() because it is obviously
|
|
calling array_starts_with() with malformed @size. And here's the
|
|
result: there are two variables to hold the size of three arrays
|
|
and their value is recalculated before each call of
|
|
array_starts_with(). What if we just use three variables,
|
|
initialize them and do not touch them afterwards?
|
|
|
|
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
|
|
|
|
Index: libvirt-1.2.18/src/security/virt-aa-helper.c
|
|
===================================================================
|
|
--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c
|
|
+++ libvirt-1.2.18/src/security/virt-aa-helper.c
|
|
@@ -546,9 +546,6 @@ array_starts_with(const char *str, const
|
|
static int
|
|
valid_path(const char *path, const bool readonly)
|
|
{
|
|
- int npaths;
|
|
- int nropaths;
|
|
-
|
|
const char * const restricted[] = {
|
|
"/bin/",
|
|
"/etc/",
|
|
@@ -581,6 +578,10 @@ valid_path(const char *path, const bool
|
|
"/etc/libvirt-sandbox/services/" /* for virt-sandbox service config */
|
|
};
|
|
|
|
+ const int nropaths = ARRAY_CARDINALITY(restricted);
|
|
+ const int nrwpaths = ARRAY_CARDINALITY(restricted_rw);
|
|
+ const int nopaths = ARRAY_CARDINALITY(override);
|
|
+
|
|
if (path == NULL) {
|
|
vah_error(NULL, 0, _("bad pathname"));
|
|
return -1;
|
|
@@ -600,21 +601,18 @@ valid_path(const char *path, const bool
|
|
vah_warning(_("path does not exist, skipping file type checks"));
|
|
|
|
/* overrides are always allowed */
|
|
- npaths = sizeof(override)/sizeof(*(override));
|
|
- if (array_starts_with(path, override, npaths) == 0)
|
|
+ if (array_starts_with(path, override, nopaths) == 0)
|
|
return 0;
|
|
|
|
/* allow read only paths upfront */
|
|
if (readonly) {
|
|
- nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
|
|
- if (array_starts_with(path, restricted_rw, nropaths) == 0)
|
|
+ if (array_starts_with(path, restricted_rw, nrwpaths) == 0)
|
|
return 0;
|
|
}
|
|
|
|
/* disallow RW acess to all paths in restricted and restriced_rw */
|
|
- npaths = sizeof(restricted)/sizeof(*(restricted));
|
|
- if ((array_starts_with(path, restricted, npaths) == 0
|
|
- || array_starts_with(path, restricted_rw, nropaths) == 0))
|
|
+ if ((array_starts_with(path, restricted, nropaths) == 0 ||
|
|
+ array_starts_with(path, restricted_rw, nrwpaths) == 0))
|
|
return 1;
|
|
|
|
return 0;
|