From: Guido Günther
Date: Fri, 21 Aug 2015 08:49:15 +0000 (+0200)
Subject: virt-aa-helper: Simplify restriction logic
X-Git-Tag: v1.2.19-rc1~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d25a5e087ae10142d3d533ed193146736526b2ae;p=thirdparty%2Flibvirt.git
virt-aa-helper: Simplify restriction logic
First check overrides, then read only files then restricted access itself. This allows us to mark files for read only access whose parents were already restricted for read write. Based on a proposal by Martin Kletzander
---
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 178569ec6d..8e01bf6e66 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -546,7 +546,9 @@ array_starts_with(const char *str, const char * const *arr, const long size)
 static int
 valid_path(const char *path, const bool readonly)
 {
- int npaths, opaths;
+ int npaths;
+ int nropaths;
+
 const char * const restricted[] = {
 "/bin/",
 "/etc/",
@@ -596,19 +598,24 @@ valid_path(const char *path, const bool readonly)
 if (!virFileExists(path))
 vah_warning(_("path does not exist, skipping file type checks"));
- opaths = sizeof(override)/sizeof(*(override));
-
- npaths = sizeof(restricted)/sizeof(*(restricted));
- if (array_starts_with(path, restricted, npaths) == 0 &&
- array_starts_with(path, override, opaths) != 0)
- return 1;
+ /* overrides are always allowed */
+ npaths = sizeof(override)/sizeof(*(override));
+ if (array_starts_with(path, override, npaths) == 0)
+ return 0;
- npaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
- if (!readonly) {
- if (array_starts_with(path, restricted_rw, npaths) == 0)
- return 1;
+ /* allow read only paths upfront */
+ if (readonly) {
+ nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));
+ if (array_starts_with(path, restricted_rw, nropaths) == 0)
+ return 0;
 }
+ /* disallow RW acess to all paths in restricted and restriced_rw */
+ npaths = sizeof(restricted)/sizeof(*(restricted));
+ if ((array_starts_with(path, restricted, npaths) == 0
+ || array_starts_with(path, restricted_rw, nropaths) == 0))
+ return 1;
+
 return 0;
 }
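Review bot: `nropaths` is read uninitialized on the read-write path: it is only assigned inside the `if (readonly) {` block, yet the final `|| array_starts_with(path, restricted_rw, nropaths) == 0` check runs for every caller, so a write request is evaluated against an indeterminate element count (undefined behaviour). Since this result decides what the generated AppArmor profile grants, the likely outcomes are an out-of-bounds read of `restricted_rw` or, presumably when the stale value is zero or negative, the restricted_rw prefixes being skipped and write access being allowed; confirm against array_starts_with, which is outside the hunk. Move the assignment out of the conditional so it precedes both uses, e.g. place `nropaths = sizeof(restricted_rw)/sizeof(*(restricted_rw));` directly after the override check and drop it from the `if (readonly)` block. The comment on the last added block also carries two typos; `/* disallow RW access to all paths in restricted and restricted_rw */`. valid_path's declarations, including `int nropaths;`, are in the earlier hunk, so an initializer there would be an equally valid fix.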