|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] Re: [Xen-devel] [PATCH v2 05/10] libxl: Do root checks once in libxl__domain_get_device_model_uid
George Dunlap writes ("[PATCH v2 05/10] libxl: Do root checks once in
libxl__domain_get_device_model_uid"):
> At the moment, we check for equivalence to literal "root" before
> deciding whether to add the `runas` command-line option to QEMU. This
> is unsatisfactory for several reasons.
...
> v2:
> - Refactor to use `out` rather than multiple labels
> - Only check for root once
> - Use 'out' rather than direct returns for errors (only use direct returns
> for early `succeed-without-setting-runas` paths)
> - Use `rc` rather than `ret` to more closely align with CODING_STYLE
> - Fill out comments about the cases we're handling
> - Return ERROR_DEVICE_EXISTS rather than ERROR_FAIL if there's another
> username that maps to our calculated uid
> - Report an error if the specified device_model_user doesn't exist
Thanks. This is all much better now. I still have a few style nits,
and one comment on your reuse of a libxl error code, but AFAICT the
algorithm is right.
> + if (!user_base) {
> + LOGD(ERROR, guest_domid, "Couldn't find device_model_user %s",
> + user);
> + rc = ERROR_INVAL;
> + } else
> + intended_uid = user_base->pw_uid;
>
> + goto out;
1. Would you mind adding the missing { } ?
| ... To avoid confusion, either all
| the blocks in an if...else chain have braces, or none of them do.
2. Can you please set rc in the other path ? I think this is supposed
to be a success path. Relying on the previous value of rc seems very
action at a distance. (Later: yes, I see this this is a success path.
See my comments about the rules implied by your `out:' block.)
TBH I would prefer two goto outs rather than one, like this:
> + if (!user_base) {
> + LOGD(ERROR, guest_domid, "Couldn't find device_model_user %s",
> + user);
> + rc = ERROR_INVAL;
+ goto out;
+ } else {
> + intended_uid = user_base->pw_uid;
+ rc = 0;
+ goto out;
+ }
> + }
which seems easier to read since it is not necessary to untangle the
whole if, and look at the context, to see the correctness of the
individual bits.
Or you could treat the !user_base as an error block and write this:
> + if (!user_base) {
> + LOGD(ERROR, guest_domid, "Couldn't find device_model_user %s",
> + user);
> + rc = ERROR_INVAL;
+ goto out;
+ }
+ intended_uid = user_base->pw_uid;
+ rc = 0;
+ goto out;
> + }
> + /*
> + * If dm_restrict isn't set, and we don't have a specified user, don't
> + * bother setting a `-runas` parameter.
> + */
> if (!libxl_defbool_val(b_info->dm_restrict)) {
> LOGD(DEBUG, guest_domid,
> "dm_restrict disabled, starting QEMU as root");
> return 0;
> }
Why `return 0' here but `goto out' earlier ? IMO all the success
returns should be the same.
> + rc = userlookup_helper_getpwuid(gc, intended_uid,
> &user_clash_pwbuf, &user_clash);
> - if (ret < 0)
> - return ret;
> + if (rc < 0)
> + goto out;
In my last mail I suggested this should be `ret < 0' but of course now
it should be `if (rc)' ...
> if (user_clash) {
> LOGD(ERROR, guest_domid,
> "wanted to use uid %ld (%s + %d) but that is user %s !",
> (long)intended_uid, LIBXL_QEMU_USER_RANGE_BASE,
> guest_domid, user_clash->pw_name);
> - return ERROR_FAIL;
> + rc = ERROR_DEVICE_EXISTS;
> + goto out;
I appreciate your desire to specify particular error value, but I am
far from convinced that ERROR_DEVICE_EXISTS is appropriate. It would
lead someone to ask which device was in the way.
We generally use EINVAL for bad configurations. If you prefer, feel
free to introduce a new error code. 32-bit signed integers are pretty
cheap.
> + if (rc < 0)
> + goto out;
> if (user_base) {
> LOGD(WARN, guest_domid, "Could not find user %s, falling back to %s",
> LIBXL_QEMU_USER_RANGE_BASE, LIBXL_QEMU_USER_SHARED);
> - goto end_search;
> + intended_uid = user_base->pw_uid;
> + goto out;
Here we have this pattern again with a `goto out' without a preceding
assignment to `rc'. AFAICT the rules implied by your out block are:
* Every goto out must be preceded by an assignment to rc.
IMO there is no reason this should not immediately precede
the goto out.
* Additionally, if rc is 0 then the goto out must also be preceded
relatively recently by an assignment to intended_uid.
> +out:
> + if (!rc) {
> + if (intended_uid == 0) {
> + LOGD(ERROR, guest_domid, "intended_uid is 0 (root)!");
> + return ERROR_INVAL;
> + }
> +
> + state->dm_runas = user;
> + }
> +
> + return rc;
TBH I dislike the early return in the `goto out' block. If a resource
deallocation were to be introduced, that `return ERROR_INVAL' would
become a memory leak.
I think this means lifting state->dm_runas into else, or writing this:
> +out:
> + if (!rc) {
> + if (intended_uid == 0) {
> + LOGD(ERROR, guest_domid, "intended_uid is 0 (root)!");
+ rc = ERROR_INVAL;
> + }
+ }
+ if (!rc) {
> + state->dm_runas = user;
> + }
> +
> + return rc;
Thanks,
Ian.
_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxxx
https://lists.xenproject.org/mailman/listinfo/xen-devel
|
 |
Lists.xenproject.org is hosted with RackSpace, monitoring our |