virt-aa-helper: Simplify restriction logic

First check overrides, then read only files then restricted access
itself.

This allows us to mark files for read only access whose parents were
already restricted for read write.

Based on a proposal by Martin Kletzander

(cherry picked from commit d25a5e08)

src/security/virt-aa-helper.c

@@ -546,7 +546,9 @@ array_starts_with(const char *str, const char * const *arr, const long size)
 static int
 valid_path(const char *path, const bool readonly)
 {
-    int npaths, opaths;
+    int npaths;
+    int nropaths;
+
     const char * const restricted[] = {
         "/bin/",
         "/etc/",
@@ -596,19 +598,24 @@ valid_path(const char *path, const bool readonly)
     if (!virFileExists(path))
         vah_warning(_("path does not exist, skipping file type checks"));
 
-    opaths = sizeof(override)/sizeof(*(override));
-
-    npaths = sizeof(restricted)/sizeof(*(restricted));
-    if (array_starts_with(path, restricted, npaths) == 0 &&
-        array_starts_with(path, override, opaths) != 0)
-            return 1;
+    /* overrides are always allowed */
+    npaths = sizeof(override)/sizeof(*(override));
+    if (array_starts_with(path, override, npaths) == 0)
+        return 0;
 
-    npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
-    if (!readonly) {
-        if (array_starts_with(path, restricted_rw, npaths) == 0)
-            return 1;
+    /* allow read only paths upfront */
+    if (readonly) {
+        nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
+        if (array_starts_with(path, restricted_rw, nropaths) == 0)
+            return 0;
     }
 
+    /* disallow RW acess to all paths in restricted and restriced_rw */
+    npaths = sizeof(restricted)/sizeof(*(restricted));
+    if ((array_starts_with(path, restricted, npaths) == 0
+        || array_starts_with(path, restricted_rw, nropaths) == 0))
+        return 1;
+
     return 0;
 }