Bug 889255
| Summary: | Monitor command acl_remove messes up the ACL | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Markus Armbruster <armbru> |
| Component: | qemu-kvm | Assignee: | Markus Armbruster <armbru> |
| Status: | CLOSED ERRATA | QA Contact: | Virtualization Bugs <virt-bugs> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.4 | CC: | acathrow, areis, armbru, bsarathy, chayang, juzhang, lnovich, mazhang, michen, mkenneth, sluo, sradvan, virt-maint |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | qemu-kvm-0.12.1.2-2.390.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-11-21 06:27:12 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Markus Armbruster
2012-12-20 15:48:58 UTC
libvirt doesn't use acl_remove as far as I can tell.

Fixed upstream in commit c23c15d acl: Fix acl_remove not to mess up the ACL

Reproduced this issue with qemu-kvm-0.12.1.2-2.375.el6.x86_64, 2.6.32-383.el6.x86_64. Same steps as reproducer in Comment #0. acl_show reported incorrect position.

Steps:

1. add three rules by:

```
(qemu) acl_add vnc.username aaa allow
acl: added rule at position 1
(qemu) acl_add vnc.username bbb allow
acl: added rule at position 2
(qemu) acl_add vnc.username ccc allow
acl: added rule at position 3
(qemu) acl_show vnc.username
policy: deny
1: allow aaa
2: allow bbb
3: allow ccc
```

2. remove two rules by:

```
(qemu) acl_remove vnc.username ccc
acl: removed rule at position 3
(qemu) acl_remove vnc.username bbb
acl: removed rule at position 2
(qemu) acl_show vnc.username
policy: deny
1: allow aaa
```

3. add another two rules:

```
(qemu) acl_add vnc.username ddd allow 2
acl: added rule at position 1
(qemu) acl_show vnc.username
policy: deny
1: allow aaa
(qemu) acl_add vnc.username eee allow
acl: added rule at position 4
(qemu) acl_show vnc.username
policy: deny
1: allow aaa
2: allow eee
```

Providing with qa_ack+ based on above.

CLI:

```
/usr/libexec/qemu-kvm -M rhel6.5.0 -cpu Nehalem -enable-kvm -m 4096 -smp 4,sockets=2,cores=2,threads=1 -name test -rtc base=utc -nodefaults -drive file=/home/images/rhel6.4.qcow2,if=none,id=drive-virtio-disk0,format=qcow2,cache=none,werror=stop,rerror=stop,aio=native -device virtio-blk-pci,scsi=off,bus=pci.0,addr=0x5,drive=drive-virtio-disk0,id=virtio-disk0,bootindex=1 -net none -k en-us -vga cirrus -vnc :1,acl,sasl -monitor stdio -S
```

Hi Markus,

I have a question about acl_add. From the output of help acl_add below:

```
(qemu) help acl_add
acl_add aclname match allow|deny [index] -- add a match rule to the access control list
```

If 'index' above means the position, I ran: '(qemu) acl_add vnc.username ddd allow 2 ', shouldn't it report position 1? I didn't remove any rule, this was a new qemu-kvm instance.

```
(qemu) acl_show vnc.username
policy: deny
(qemu) acl_add vnc.username ddd allow 2
acl: added rule at position 1
(qemu) acl_show vnc.username
policy: deny
1: allow ddd
```

Three cases for index:

1. index <= 0: error
2. 0 < index < length of list: insert before the i-th element of the list (counting from 1)
3. index >= length of list: append to list

Your acl_add is case 3. It tells you the position actually used: added rule at position 1. Looks fine to me.

However, there's another bug: inserting before the last element of the list is broken! That's because index == length is case 3 instead of 2. Bug 970516.

(In reply to Markus Armbruster from comment #8)
> Three cases for index:
>
> 1. index <= 0: error
> 2. 0 < index < length of list: insert before the i-th element of the list
> (counting from 1)
> 3. index >= length of list: append to list
>
> Your acl_add is case 3. It tells you the position actually used: added rule
> at position 1. Looks fine to me.
>
> However, there's another bug: inserting before the last element of the list
> is broken! That's because index == length is case 3 instead of 2. Bug
> 970516.

Thanks very much for your inputs, they are helpful for QE to add such tests.

Reproduce this bug on qemu-kvm-0.12.1.2-2.376.el6.x86_64.

```
[root@localhost qemu-kvm-376]# rpm -qa |grep qemu
gpxe-roms-qemu-0.9.7-6.10.el6.noarch
qemu-kvm-tools-0.12.1.2-2.376.el6.x86_64
qemu-kvm-0.12.1.2-2.376.el6.x86_64
qemu-kvm-debuginfo-0.12.1.2-2.376.el6.x86_64
qemu-img-0.12.1.2-2.376.el6.x86_64
```

Steps to Reproduce:

1. Start qemu-kvm in a way that creates an ACL:

```
$ /usr/libexec/qemu-kvm -nodefaults -S -vnc :0,acl,sasl -monitor stdio
```

2. Add a few entries in the monitor:

```
(qemu) acl_add vnc.username eins allow
(qemu) acl_add vnc.username zwei allow
(qemu) acl_add vnc.username drei allow
(qemu) acl_add vnc.username vier allow
(qemu) acl_show vnc.username
```

3. Delete a few:

```
(qemu) acl_remove vnc.username vier
(qemu) acl_remove vnc.username drei
(qemu) acl_show vnc.username
```

4. Add some more:

```
acl_add vnc.username lost allow 3
acl_show vnc.username
acl_add vnc.username wrongpos allow
acl_show vnc.username
```

Actual results:

```
[root@localhost ~]# /usr/libexec/qemu-kvm -nodefaults -S -vnc :0,acl,sasl -monitor stdio
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) acl_add vnc.username eins allow
acl: added rule at position 1
(qemu) acl_add vnc.username zwei allow
acl: added rule at position 2
(qemu) acl_add vnc.username drei allow
acl: added rule at position 3
(qemu) acl_add vnc.username vier allow
acl: added rule at position 4
(qemu) acl_show vnc.username
policy: deny
1: allow eins
2: allow zwei
3: allow drei
4: allow vier
(qemu) acl_remove vnc.username vier
acl: removed rule at position 4
(qemu) acl_remove vnc.username drei
acl: removed rule at position 3
(qemu) acl_show vnc.username
policy: deny
1: allow eins
2: allow zwei
(qemu) acl_add vnc.username lost allow 3
acl: added rule at position 2
(qemu) acl_show vnc.username
policy: deny
1: allow eins
2: allow zwei
(qemu) acl_add vnc.username wrongpos allow
acl: added rule at position 5
(qemu) acl_show vnc.username
policy: deny
1: allow eins
2: allow zwei
3: allow wrongpos
```

Expected results:

Step 4's acl_add both add a rule and report the correct position.

Verify this bug on qemu-kvm-0.12.1.2-2.400.el6.x86_64

```
[root@localhost ~]# rpm -qa |grep qemu
gpxe-roms-qemu-0.9.7-6.10.el6.noarch
qemu-kvm-tools-0.12.1.2-2.400.el6.x86_64
qemu-kvm-0.12.1.2-2.400.el6.x86_64
qemu-kvm-debuginfo-0.12.1.2-2.400.el6.x86_64
qemu-img-0.12.1.2-2.400.el6.x86_64
```

Steps:

1. Start qemu-kvm in a way that creates an ACL:

```
$ /usr/libexec/qemu-kvm -nodefaults -S -vnc :0,acl,sasl -monitor stdio
```

2. Add a few entries in the monitor:

```
(qemu) acl_add vnc.username eins allow
(qemu) acl_add vnc.username zwei allow
(qemu) acl_add vnc.username drei allow
(qemu) acl_add vnc.username vier allow
(qemu) acl_show vnc.username
```

3. Delete a few:

```
(qemu) acl_remove vnc.username vier
(qemu) acl_remove vnc.username drei
(qemu) acl_show vnc.username
```

4. Add some more:

```
acl_add vnc.username lost allow 3
acl_show vnc.username
acl_add vnc.username wrongpos allow
acl_show vnc.username
```

Actual results:

```
[root@localhost ~]# /usr/libexec/qemu-kvm -nodefaults -S -vnc :0,acl,sasl -monitor stdio
QEMU 0.12.1 monitor - type 'help' for more information
(qemu) acl_add vnc.username eins allow
acl: added rule at position 1
(qemu) acl_add vnc.username zwei allow
acl: added rule at position 2
(qemu) acl_add vnc.username drei allow
acl: added rule at position 3
(qemu) acl_add vnc.username vier allow
acl: added rule at position 4
(qemu) acl_show vnc.username
policy: deny
1: allow eins
2: allow zwei
3: allow drei
4: allow vier
(qemu) acl_remove vnc.username vier
acl: removed rule at position 4
(qemu) acl_remove vnc.username drei
acl: removed rule at position 3
(qemu) acl_show vnc.username
policy: deny
1: allow eins
2: allow zwei
(qemu) acl_add vnc.username lost allow 3
acl: added rule at position 3
(qemu) acl_show vnc.username
policy: deny
1: allow eins
2: allow zwei
3: allow lost
(qemu) acl_add vnc.username wrongpos allow
acl: added rule at position 4
(qemu) acl_show vnc.username
policy: deny
1: allow eins
2: allow zwei
3: allow lost
4: allow wrongpos
```

Step 4 acl_add both add a rule and report the correct position.

So this bug has been fixed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-1553.html
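
The reproducer and the three index cases from the thread, replayed against a small C model as an added example (not QEMU source and not code from this bug report). It assumes the defect is a rule counter, here called `nentries`, that the remove path leaves stale; `struct acl`, `replay` and the `fixed` switch are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Model only, not QEMU source. Assumption: the buggy remove path leaves the
 * entry counter (nentries) stale; fixed=1 keeps it in sync with the list. */
struct acl { const char *rule[16]; int len, nentries, fixed; };
/* acl_add without an index: append and report the counter as the position. */
static int acl_append(struct acl *a, const char *m) {
    if (a->len >= 16) return -1;
    a->rule[a->len++] = m;
    return ++a->nentries;
}
/* acl_add with an index, following the three cases quoted in the thread. */
static int acl_insert(struct acl *a, const char *m, int index) {
    if (index <= 0 || a->len >= 16) return -1;          /* case 1 */
    if (index >= a->nentries) return acl_append(a, m);  /* case 3 */
    if (index > a->len) return a->len;  /* stale counter: nothing is stored */
    memmove(&a->rule[index], &a->rule[index - 1], (a->len - index + 1) * sizeof *a->rule);
    a->rule[index - 1] = m;                             /* case 2 */
    a->len++; a->nentries++;
    return index;
}
static int acl_remove(struct acl *a, const char *m) {
    for (int i = 0; i < a->len; i++) {
        if (strcmp(a->rule[i], m) != 0) continue;
        memmove(&a->rule[i], &a->rule[i + 1], (a->len - i - 1) * sizeof *a->rule);
        a->len--;
        if (a->fixed) a->nentries--;  /* the step the buggy model skips */
        return i + 1;                 /* position reported by acl_remove */
    }
    return -1;
}
/* Replays the reproducer from the thread; returns the number of stored rules. */
static int replay(int fixed, int *lost, int *wrongpos) {
    struct acl a = { .fixed = fixed };
    const char *init[] = { "eins", "zwei", "drei", "vier" };
    for (int i = 0; i < 4; i++) acl_append(&a, init[i]);
    acl_remove(&a, "vier"); acl_remove(&a, "drei");
    *lost = acl_insert(&a, "lost", 3);
    *wrongpos = acl_append(&a, "wrongpos");
    return a.len;
}
int main(void) {
    for (int fixed = 0; fixed <= 1; fixed++) {
        int p1, p2, n = replay(fixed, &p1, &p2);
        printf("fixed=%d: lost at %d, wrongpos at %d, %d rules stored\n", fixed, p1, p2, n);
    }
    return 0;
}
```

With `fixed=0` the model reports positions 2 and 5 while storing only three rules, as in the 376 session; with `fixed=1` it reports 3 and 4 with four rules stored, as in the 400 session.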