From f69af572b3d5fece94c6eb0fefbb4ef2905dc313 Mon Sep 17 00:00:00 2001 From: Daniel Henrique Barboza Date: Thu, 26 Sep 2019 11:56:43 -0300 Subject: [PATCH] driver.c: change URI validation to handle QEMU and vbox case The existing QEMU and vbox URI path validation consider that a privileged user can use both a "/system" and a "/session" URI. This differs from all the other drivers that forbids the root user to use "/session" URI. Let's update virConnectValidateURIPath() to handle these cases as exceptions, using the already existent 'entityName' value to handle "QEMU" and "vbox" differently. This allows us to use the validateURI function in these cases without changing the existing behavior of other drivers. Reviewed-by: Cole Robinson Suggested-by: Cole Robinson Signed-off-by: Daniel Henrique Barboza --- src/driver.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/driver.c b/src/driver.c index 6b75622689..ed2d943ddf 100644 --- a/src/driver.c +++ b/src/driver.c @@ -276,7 +276,19 @@ virConnectValidateURIPath(const char *uriPath, bool privileged) { if (privileged) { - if (STRNEQ(uriPath, "/system")) { + /* TODO: qemu and vbox drivers allow '/session' + * connections as root. This is not ideal, but changing + * these drivers to refuse privileged '/session' + * connections, like everyone else is already doing, can + * break existing applications. Until we decide what to do, + * for now we can handle them as exception in this validate + * function. + */ + bool compatSessionRoot = (STREQ(entityName, "qemu") || + STREQ(entityName, "vbox")) && + STREQ(uriPath, "/session"); + + if (STRNEQ(uriPath, "/system") && !compatSessionRoot) { virReportError(VIR_ERR_INTERNAL_ERROR, _("unexpected %s URI path '%s', try " "%s:///system"), -- GitLab