mnl/VM-Operator
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 4 Wiki Activity Actions

Be more restrictive with file permissions.

Browse source
This commit is contained in:
Michael Lipp 2023-06-19 11:59:54 +02:00
parent 488e6fafdc
commit d60f37e0fe
1 changed files with 20 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

24
org.jdrupes.vmoperator.runner.qemu/src/org/jdrupes/vmoperator/runner/qemu/Configuration.java
View file

@ -23,9 +23,11 @@ import java.math.BigInteger;
import java.nio.charset.StandardCharsets; import java.nio.charset.StandardCharsets;
import java.nio.file.Files; import java.nio.file.Files;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.util.HashMap; import java.util.HashMap;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Set;
import java.util.UUID; import java.util.UUID;
import java.util.logging.Level; import java.util.logging.Level;
import java.util.logging.Logger; import java.util.logging.Logger;
@ -322,15 +324,29 @@ class Configuration implements Dto {
@SuppressWarnings("PMD.AvoidDeeplyNestedIfStmts") @SuppressWarnings("PMD.AvoidDeeplyNestedIfStmts")
private boolean checkRuntimeDir() { private boolean checkRuntimeDir() {
// Runtime directory (sockets) // Runtime directory (sockets etc.)
if (runtimeDir == null) { if (runtimeDir == null) {
var appDir = FsdUtils.runtimeDir(Runner.APP_NAME);
if (!Files.exists(appDir) && appDir.toFile().mkdirs()) {
try {
// When appDir is derived from XDG_RUNTIME_DIR
// the latter should already have these permissions,
// but let's be on the safe side.
Files.setPosixFilePermissions(appDir,
Set.of(PosixFilePermission.OWNER_READ,
PosixFilePermission.OWNER_WRITE,
PosixFilePermission.OWNER_EXECUTE));
} catch (IOException e) {
logger.warning(() -> String.format(
"Cannot set permissions rwx------ on \"%s\".",
runtimeDir));
}
}
runtimeDir = FsdUtils.runtimeDir(Runner.APP_NAME).resolve(vm.name); runtimeDir = FsdUtils.runtimeDir(Runner.APP_NAME).resolve(vm.name);
runtimeDir.toFile().mkdir();
swtpmSocket = runtimeDir.resolve("swtpm-sock"); swtpmSocket = runtimeDir.resolve("swtpm-sock");
monitorSocket = runtimeDir.resolve("monitor.sock"); monitorSocket = runtimeDir.resolve("monitor.sock");
} }
if (!Files.exists(runtimeDir)) {
runtimeDir.toFile().mkdirs();
}
if (!Files.isDirectory(runtimeDir) || !Files.isWritable(runtimeDir)) { if (!Files.isDirectory(runtimeDir) || !Files.isWritable(runtimeDir)) {
logger.severe(() -> String.format( logger.severe(() -> String.format(
"Configured runtime directory \"%s\"" "Configured runtime directory \"%s\""