AppArmor require absolute paths

Fixes https://launchpad.net/bugs/460271 * src/security/virt-aa-helper.c: require absolute path for dynamic added files. This is required by AppArmor and conveniently prevents adding tcp consoles to the profile

AppArmor require absolute paths
Fixes https://launchpad.net/bugs/460271 * src/security/virt-aa-helper.c: require absolute path for dynamic added files. This is required by AppArmor and conveniently prevents adding tcp consoles to the profile
dae7054b · Jamie Strandboge · Daniel Veillard · a8a560dd · dae7054b
隐藏空白更改
内联并排

Showing with 14 addition and 0 deletion

src/security/virt-aa-helper.c src/security/virt-aa-helper.c +14 -0

未找到文件。
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -517,6 +517,10 @@ valid_path(const char *path, const bool readonly)
    if (strchr(path, '"') != NULL)
        return 1;

+    /* Require an absolute path */
+    if (STRNEQLEN(path, "/", 1))
+        return 1;
+
    if (!virFileExists(path))
        vah_warning("path does not exist, skipping file type checks");
    else {
@@ -718,6 +722,16 @@ vah_add_file(virBufferPtr buf, const char *path, const char *perms)
    if (path == NULL)
        return rc;

+    /* Skip files without an absolute path. Not having one confuses the
+     * apparmor parser and this also ensures things like tcp consoles don't
+     * get added to the profile.
+     */
+    if (STRNEQLEN(path, "/", 1)) {
+        vah_warning(path);
+        vah_warning("  skipped non-absolute path");
+        return 0;
+    }
+
    if (virFileExists(path)) {
        if ((tmp = realpath(path, NULL)) == NULL) {
            vah_error(NULL, 0, path);