File CVE-2010-223x-0006.patch of Package libvirt

>From e2ebe4b785eccb930f36f400a22940fa9660a24b Mon Sep 17 00:00:00 2001
From: Daniel P. Berrange <berrange@redhat.com>
Date: Tue, 15 Jun 2010 16:40:47 +0100
Subject: [PATCH 06/10] Convert all disk backing store loops to shared helper API

Update the QEMU cgroups code, QEMU DAC security driver, SELinux
and AppArmor security drivers over to use the shared helper API
virDomainDiskDefForeachPath().

* src/security/security_selinux.c, src/security/virt-aa-helper.c:
  Convert over to use virDomainDiskDefForeachPath()
---
 src/security/security_selinux.c |   67 +++++++----------
 src/security/virt-aa-helper.c   |   71 ++++++++----------
 4 files changed, 142 insertions(+), 204 deletions(-)

Index: libvirt-0.7.2/src/security/security_selinux.c
===================================================================
--- libvirt-0.7.2.orig/src/security/security_selinux.c
+++ libvirt-0.7.2/src/security/security_selinux.c
@@ -399,55 +399,42 @@ SELinuxRestoreSecurityImageLabel(virConn
 }
 
 static int
+SELinuxSetSecurityFileLabel(virDomainDiskDefPtr disk,
+                            const char *path,
+                            unsigned int depth,
+                            void *opaque)
+{
+    const virSecurityLabelDefPtr secdef = opaque;
+
+    if (depth == 0) {
+        if (disk->shared) {
+            return SELinuxSetFilecon(NULL, path, default_image_context);
+        } else if (disk->readonly) {
+            return SELinuxSetFilecon(NULL, path, default_content_context);
+        } else if (secdef->imagelabel) {
+            return SELinuxSetFilecon(NULL, path, secdef->imagelabel);
+        } else {
+            return 0;
+        }
+    } else {
+        return SELinuxSetFilecon(NULL, path, default_content_context);
+    }
+}
+
+static int
 SELinuxSetSecurityImageLabel(virConnectPtr conn,
                              virDomainObjPtr vm,
                              virDomainDiskDefPtr disk)
 
 {
     const virSecurityLabelDefPtr secdef = &vm->def->seclabel;
-    const char *path;
-
-    if (!disk->src)
-        return 0;
-
-    path = disk->src;
-    do {
-        virStorageFileMetadata meta;
-        int ret;
-
-        memset(&meta, 0, sizeof(meta));
-
-        ret = virStorageFileGetMetadata(conn,
-                                        path,
-                                        VIR_STORAGE_FILE_AUTO,
-                                        &meta);
-
-        if (path != disk->src)
-            VIR_FREE(path);
-        path = NULL;
-
-        if (ret < 0)
-            return -1;
-
-        if (meta.backingStore != NULL &&
-            SELinuxSetFilecon(conn, meta.backingStore,
-                              default_content_context) < 0) {
-            VIR_FREE(meta.backingStore);
-            return -1;
-        }
-
-        path = meta.backingStore;
-    } while (path != NULL);
-
-    if (disk->shared) {
-        return SELinuxSetFilecon(conn, disk->src, default_image_context);
-    } else if (disk->readonly) {
-        return SELinuxSetFilecon(conn, disk->src, default_content_context);
-    } else if (secdef->imagelabel) {
-        return SELinuxSetFilecon(conn, disk->src, secdef->imagelabel);
-    }
 
-    return 0;
+    return virDomainDiskDefForeachPath(conn,
+                                       disk,
+                                       true,
+                                       false,
+                                       SELinuxSetSecurityFileLabel,
+                                       secdef);
 }
 
 
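Review bot: The call to `virDomainDiskDefForeachPath()` in `SELinuxSetSecurityImageLabel` hard-codes `true, false` for its two boolean arguments, and the same pair appears at the `get_files()` call site in virt-aa-helper.c. The helper's prototype is not shown in this patch; if the third argument is the allow-format-probing flag, as it is in upstream libvirt, then backing paths are derived from image content the guest can write, and each one is relabelled with `default_content_context` by `SELinuxSetSecurityFileLabel`. The value should come from the disk's declared format or from driver configuration rather than a literal. Until then, a comment at both call sites such as `/* allowProbing=true: backing chain is read from image headers, not from the domain XML */` would make the trust decision visible. Separately, the callback passes `NULL` where the removed loop passed `conn` to `SELinuxSetFilecon()`, so any error reporting tied to the connection is presumably lost.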
Index: libvirt-0.7.2/src/security/virt-aa-helper.c
===================================================================
--- libvirt-0.7.2.orig/src/security/virt-aa-helper.c
+++ libvirt-0.7.2/src/security/virt-aa-helper.c
@@ -661,6 +661,28 @@ file_iterate_cb(virConnectPtr conn ATTRI
 }
 
 static int
+add_file_path(virDomainDiskDefPtr disk,
+              const char *path,
+              unsigned int depth,
+              void *opaque)
+{
+    virBufferPtr buf = opaque;
+    int ret;
+
+    if (depth == 0) {
+        if (disk->readonly)
+            ret = vah_add_file(buf, path, "r");
+        else
+            ret = vah_add_file(buf, path, "rw");
+    } else {
+        ret = vah_add_file(buf, path, "r");
+    }
+
+    return ret;
+}
+
+
+static int
 get_files(vahControl * ctl)
 {
     virBuffer buf = VIR_BUFFER_INITIALIZER;
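Review bot: `add_file_path` has no comment stating the callback contract it depends on. From the branches, `depth == 0` appears to be the disk's own source and deeper paths appear to be backing files, which always get an `"r"` rule whatever `disk->readonly` says. A header comment would record that, for example `/* depth 0: disk image, "r" or "rw" per disk->readonly; depth > 0: backing file, always "r" */`. The `ret` local is also unnecessary, since each branch could return `vah_add_file(...)` directly, as the SELinux callback in this patch does.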
@@ -681,18 +703,16 @@ get_files(vahControl * ctl)
         goto clean;
     }
 
-    for (i = 0; i < ctl->def->ndisks; i++)
-        if (ctl->def->disks[i] && ctl->def->disks[i]->src) {
-            int ret;
-
-            if (ctl->def->disks[i]->readonly)
-                ret = vah_add_file(&buf, ctl->def->disks[i]->src, "r");
-            else
-                ret = vah_add_file(&buf, ctl->def->disks[i]->src, "rw");
-
-            if (ret != 0)
-                goto clean;
-        }
+    for (i = 0; i < ctl->def->ndisks; i++) {
+        int ret = virDomainDiskDefForeachPath(NULL,
+                                              ctl->def->disks[i],
+                                              true,
+                                              false,
+                                              add_file_path,
+                                              &buf);
+        if (ret != 0)
+            goto clean;
+    }
 
     for (i = 0; i < ctl->def->nserials; i++)
         if (ctl->def->serials[i] && ctl->def->serials[i]->data.file.path)
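Review bot: The rewritten disk loop in `get_files()` drops the `ctl->def->disks[i] && ctl->def->disks[i]->src` guard that the removed code applied before touching an entry. It now passes `ctl->def->disks[i]` straight to `virDomainDiskDefForeachPath()`. Whether the helper tolerates a NULL disk or a NULL `src` is not visible in this patch; unless it does, keep the check with `if (!ctl->def->disks[i]) continue;` ahead of the call. `get_files()` starts and ends outside the hunk.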