Re: [libvirt] [PATCHv2 2/2] security_dac: compute supplemental groups before fork

Eric Blake Thu, 18 Jul 2013 06:20:10 -0700

On 07/18/2013 06:46 AM, Michal Privoznik wrote:
> On 18.07.2013 01:08, Eric Blake wrote:
>> Commit 75c1256 states that virGetGroupList must not be called
>> between fork and exec, then commit ee777e99 promptly violated
>> that for lxc's use of virSecurityManagerSetProcessLabel.  Hoist
>> the supplemental group detection to the time that the security
>> manager is created.  Qemu is safe, as it uses
>> virSecurityManagerSetChildProcessLabel which in turn uses
>> virCommand to determine supplemental groups.
>>


>> -    if ((ret = virSecurityDACParseIds(def, uidPtr, gidPtr)) <= 0)
>> +    if ((ret = virSecurityDACParseIds(def, uidPtr, gidPtr)) <= 0) {
>> +        if (groups)
>> +            *groups = NULL;
>> +        if (ngroups)
>> +            ngroups = 0;
> 
> I believe you wanted *ngroups = 0; in here.
> 

Indeed.  I blame C for treating 0 and NULL interchangeably.

> 
> ACK series, but see the issue I'm raising in 2/2.

Thanks; I'll push after fixing that typo.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature

--
libvir-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [libvirt] [PATCHv2 2/2] security_dac: compute supplemental groups before fork

Reply via email to