Add fixes from SLE12 SP1 to Factory libvirt package. - Replace local libxl patches with upstream variants Dropped: 0003-libxl-fix-ref-counting-of-libxlMigrationDstArgs.patch 0004-libxl-don-t-attempt-to-resume-domain-when-suspend-fa.patch 0005-libxl-acquire-a-job-when-receiving-a-migrating-domai.patch Added: 44a54eb0-libxl-fix-refcnt-MigrationDstArgs.patch 15120b8c-libxl-no-resume-on-suspend-fail.patch e80b84a7-libxl-acquire-job-on-migrate.patch bsc#936185 - Added another virt-aa-helper upstream patch 52970dec-virt-aa-helper-improve-valid-path.patch lp#1483071 - Added upstream patch to fix libvirt-tck memory balloon test failure on Xen 60acb38-revert-curmem-inactive-dom.patch - Fix generated apparmor profile to allow access to ovmf and nvram. 26c5fa3a-virt-aa-helper-missing-doc.patch 2f01cfdf-virt-aa-helper-allow-ovmf.patch 91fdcefa-virt-aa-helper-allow-nvram.patch d25a5e08-virt-aa-helper-simplify-restriction-logic.patch lp#1483071 OBS-URL: https://build.opensuse.org/request/show/327805 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=479
From d25a5e087ae10142d3d533ed193146736526b2ae Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Guido=20G=C3=BCnther?= <agx@sigxcpu.org>
|
|
Date: Fri, 21 Aug 2015 10:49:15 +0200
|
|
Subject: [PATCH 2/4] virt-aa-helper: Simplify restriction logic
|
|
|
|
First check overrides, then read only files then restricted access
|
|
itself.
|
|
|
|
This allows us to mark files for read only access whose parents were
|
|
already restricted for read write.
|
|
|
|
Based on a proposal by Martin Kletzander
|
|
---
|
|
src/security/virt-aa-helper.c | 29 ++++++++++++++++++-----------
|
|
1 file changed, 18 insertions(+), 11 deletions(-)
|
|
|
|
Index: libvirt-1.2.18/src/security/virt-aa-helper.c
|
|
===================================================================
|
|
--- libvirt-1.2.18.orig/src/security/virt-aa-helper.c
|
|
+++ libvirt-1.2.18/src/security/virt-aa-helper.c
|
|
@@ -546,7 +546,9 @@ array_starts_with(const char *str, const
|
|
static int
|
|
valid_path(const char *path, const bool readonly)
|
|
{
|
|
- int npaths, opaths;
|
|
+ int npaths;
|
|
+ int nropaths;
|
|
+
|
|
const char * const restricted[] = {
|
|
"/bin/",
|
|
"/etc/",
|
|
@@ -596,18 +598,23 @@ valid_path(const char *path, const bool
|
|
if (!virFileExists(path))
|
|
vah_warning(_("path does not exist, skipping file type checks"));
|
|
|
|
- opaths = sizeof(override)/sizeof(*(override));
|
|
+ /* overrides are always allowed */
|
|
+ npaths = sizeof(override)/sizeof(*(override));
|
|
+ if (array_starts_with(path, override, npaths) == 0)
|
|
+ return 0;
|
|
+
|
|
+ /* allow read only paths upfront */
|
|
+ if (readonly) {
|
|
+ nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
|
|
+ if (array_starts_with(path, restricted_rw, nropaths) == 0)
|
|
+ return 0;
|
|
+ }
|
|
|
|
+ /* disallow RW acess to all paths in restricted and restriced_rw */
|
|
npaths = sizeof(restricted)/sizeof(*(restricted));
|
|
- if (array_starts_with(path, restricted, npaths) == 0 &&
|
|
- array_starts_with(path, override, opaths) != 0)
|
|
- return 1;
|
|
-
|
|
- npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
|
|
- if (!readonly) {
|
|
- if (array_starts_with(path, restricted_rw, npaths) == 0)
|
|
- return 1;
|
|
- }
|
|
+ if ((array_starts_with(path, restricted, npaths) == 0
|
|
+ || array_starts_with(path, restricted_rw, nropaths) == 0))
|
|
+ return 1;
|
|
|
|
return 0;
|
|
}
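Review bot: `nropaths` is read uninitialized in the final check whenever `readonly` is false: the first hunk declares it as `int nropaths;` with no initializer, this hunk assigns it only inside `if (readonly) {`, and the closing `array_starts_with(path, restricted_rw, nropaths)` runs on the read-write path. For a writable path that does not match `restricted`, the count passed for `restricted_rw` is therefore indeterminate, so depending on how `array_starts_with` uses it the deny list may be skipped entirely or scanned past its end. Since `valid_path` appears to decide which paths reach the generated AppArmor profile, that is a confinement gap and not just a compiler warning. Hoist the assignment out of the conditional, i.e. put `nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));` immediately before `if (readonly) {`, so both uses see the real element count. The array definitions sit between the two hunks and are not visible here; the comment above the final check also misspells `acess` and `restriced_rw`.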
|