提交 1efb6236 编写于 作者: J Jamie Strandboge 提交者: Daniel Veillard

Adjust virt-aa-helper to handle pci devices

* src/security/virt-aa-helper.c: adjust virt-aa-helper to handle pci
  devices. Update valid_path() to have an override array to check against,
  and add "/sys/devices/pci" to it. Then rename file_iterate_cb() to
  file_iterate_hostdev_cb() and create file_iterate_pci_cb() based on it
上级 2aca94bf
...@@ -490,7 +490,7 @@ static int ...@@ -490,7 +490,7 @@ static int
valid_path(const char *path, const bool readonly) valid_path(const char *path, const bool readonly)
{ {
struct stat sb; struct stat sb;
int npaths; int npaths, opaths;
const char * const restricted[] = { const char * const restricted[] = {
"/bin/", "/bin/",
"/etc/", "/etc/",
...@@ -516,6 +516,10 @@ valid_path(const char *path, const bool readonly) ...@@ -516,6 +516,10 @@ valid_path(const char *path, const bool readonly)
"/initrd", "/initrd",
"/initrd.img" "/initrd.img"
}; };
/* override the above with these */
const char * const override[] = {
"/sys/devices/pci" /* for hostdev pci devices */
};
if (path == NULL || strlen(path) > PATH_MAX - 1) { if (path == NULL || strlen(path) > PATH_MAX - 1) {
vah_error(NULL, 0, "bad pathname"); vah_error(NULL, 0, "bad pathname");
...@@ -553,9 +557,12 @@ valid_path(const char *path, const bool readonly) ...@@ -553,9 +557,12 @@ valid_path(const char *path, const bool readonly)
} }
} }
opaths = sizeof(override)/sizeof *(override);
npaths = sizeof(restricted)/sizeof *(restricted); npaths = sizeof(restricted)/sizeof *(restricted);
if (array_starts_with(path, restricted, npaths) == 0) if (array_starts_with(path, restricted, npaths) == 0 &&
return 1; array_starts_with(path, override, opaths) != 0)
return 1;
npaths = sizeof(restricted_rw)/sizeof *(restricted_rw); npaths = sizeof(restricted_rw)/sizeof *(restricted_rw);
if (!readonly) { if (!readonly) {
...@@ -779,8 +786,16 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms) ...@@ -779,8 +786,16 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
} }
static int static int
file_iterate_cb(usbDevice *dev ATTRIBUTE_UNUSED, file_iterate_hostdev_cb(usbDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque) const char *file, void *opaque)
{
virBufferPtr buf = opaque;
return vah_add_file(buf, file, "rw");
}
static int
file_iterate_pci_cb(pciDevice *dev ATTRIBUTE_UNUSED,
const char *file, void *opaque)
{ {
virBufferPtr buf = opaque; virBufferPtr buf = opaque;
return vah_add_file(buf, file, "rw"); return vah_add_file(buf, file, "rw");
...@@ -825,7 +840,7 @@ get_files(vahControl * ctl) ...@@ -825,7 +840,7 @@ get_files(vahControl * ctl)
path = NULL; path = NULL;
if (ret < 0) { if (ret < 0) {
vah_warning("skipping backingStore check (open failed)"); vah_warning("could not open path, skipping");
continue; continue;
} }
...@@ -880,13 +895,13 @@ get_files(vahControl * ctl) ...@@ -880,13 +895,13 @@ get_files(vahControl * ctl)
if (usb == NULL) if (usb == NULL)
continue; continue;
rc = usbDeviceFileIterate(usb, file_iterate_cb, &buf); rc = usbDeviceFileIterate(usb, file_iterate_hostdev_cb, &buf);
usbFreeDevice(usb); usbFreeDevice(usb);
if (rc != 0) if (rc != 0)
goto clean; goto clean;
break; break;
} }
/* TODO: update so files in /sys are readonly
case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: { case VIR_DOMAIN_HOSTDEV_SUBSYS_TYPE_PCI: {
pciDevice *pci = pciGetDevice( pciDevice *pci = pciGetDevice(
dev->source.subsys.u.pci.domain, dev->source.subsys.u.pci.domain,
...@@ -897,12 +912,12 @@ get_files(vahControl * ctl) ...@@ -897,12 +912,12 @@ get_files(vahControl * ctl)
if (pci == NULL) if (pci == NULL)
continue; continue;
rc = pciDeviceFileIterate(NULL, pci, file_iterate_cb, &buf); rc = pciDeviceFileIterate(pci, file_iterate_pci_cb, &buf);
pciFreeDevice(pci); pciFreeDevice(pci);
break; break;
} }
*/
default: default:
rc = 0; rc = 0;
break; break;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册