提交 b3c1bcb9 编写于 作者: R Rufo Dogav 提交者: John Ferlan

Avoid segfault in virt-aa-helper when handling read-only filesystems

This patch fixes a segfault in virt-aa-helper caused by attempting to
modify a static string literal. It is triggered when a domain has a
<filesystem> with type='mount' configured read-only and libvirt is
using the AppArmor security driver for sVirt confinement. An "R" is
passed into the function and converted to 'r'.
上级 ed8ba91e
......@@ -740,6 +740,7 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
bool readonly = true;
bool explicit_deny_rule = true;
char *sub = NULL;
char *perms_new = NULL;
if (path == NULL)
return rc;
......@@ -764,12 +765,15 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
return rc;
}
if (strchr(perms, 'w') != NULL) {
if (VIR_STRDUP_QUIET(perms_new, perms) < 0)
goto clean;
if (strchr(perms_new, 'w') != NULL) {
readonly = false;
explicit_deny_rule = false;
}
if ((sub = strchr(perms, 'R')) != NULL) {
if ((sub = strchr(perms_new, 'R')) != NULL) {
/* Don't write the invalid R permission, replace it with 'r' */
sub[0] = 'r';
explicit_deny_rule = false;
......@@ -787,7 +791,8 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
if (tmp[strlen(tmp) - 1] == '/')
tmp[strlen(tmp) - 1] = '\0';
virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "", perms);
virBufferAsprintf(buf, " \"%s%s\" %s,\n", tmp, recursive ? "/**" : "",
perms_new);
if (explicit_deny_rule) {
virBufferAddLit(buf, " # don't audit writes to readonly files\n");
virBufferAsprintf(buf, " deny \"%s%s\" w,\n", tmp, recursive ? "/**" : "");
......@@ -798,6 +803,7 @@ vah_add_path(virBufferPtr buf, const char *path, const char *perms, bool recursi
}
cleanup:
VIR_FREE(perms_new);
VIR_FREE(tmp);
return rc;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册