2008-11-04 23:33:57 +00:00
|
|
|
/*
|
|
|
|
* domain_event.h: domain event queue processing helpers
|
|
|
|
*
|
event: filter global events by domain:getattr ACL [CVE-2014-0028]
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends. We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.
Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration. But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access. The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global. Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.
Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.
* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-08 20:34:48 +00:00
|
|
|
* Copyright (C) 2012-2014 Red Hat, Inc.
|
2008-11-04 23:33:57 +00:00
|
|
|
* Copyright (C) 2008 VirtualIron
|
2013-11-26 14:10:15 +00:00
|
|
|
* Copyright (C) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
|
2008-11-04 23:33:57 +00:00
|
|
|
*
|
|
|
|
* This library is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This library is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* Lesser General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU Lesser General Public
|
2012-09-20 22:30:55 +00:00
|
|
|
* License along with this library. If not, see
|
2012-07-21 10:06:23 +00:00
|
|
|
* <http://www.gnu.org/licenses/>.
|
2008-11-04 23:33:57 +00:00
|
|
|
*
|
|
|
|
* Author: Ben Guthro
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "internal.h"
|
|
|
|
|
|
|
|
#ifndef __DOMAIN_EVENT_H__
|
2010-03-09 18:22:22 +00:00
|
|
|
# define __DOMAIN_EVENT_H__
|
2008-11-04 23:33:57 +00:00
|
|
|
|
2013-11-26 14:10:15 +00:00
|
|
|
# include "object_event.h"
|
2010-03-09 18:22:22 +00:00
|
|
|
# include "domain_conf.h"
|
2008-12-04 21:09:20 +00:00
|
|
|
|
2013-11-22 14:55:12 +00:00
|
|
|
|
2013-12-11 10:38:03 +00:00
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventLifecycleNew(int id,
|
|
|
|
const char *name,
|
|
|
|
const unsigned char *uuid,
|
|
|
|
int type,
|
|
|
|
int detail);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventLifecycleNewFromDom(virDomainPtr dom,
|
|
|
|
int type,
|
|
|
|
int detail);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventLifecycleNewFromObj(virDomainObjPtr obj,
|
|
|
|
int type,
|
|
|
|
int detail);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventLifecycleNewFromDef(virDomainDefPtr def,
|
|
|
|
int type,
|
|
|
|
int detail);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventRebootNew(int id,
|
|
|
|
const char *name,
|
|
|
|
const unsigned char *uuid);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventRebootNewFromDom(virDomainPtr dom);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventRebootNewFromObj(virDomainObjPtr obj);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventRTCChangeNewFromDom(virDomainPtr dom,
|
|
|
|
long long offset);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventRTCChangeNewFromObj(virDomainObjPtr obj,
|
|
|
|
long long offset);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventWatchdogNewFromDom(virDomainPtr dom,
|
|
|
|
int action);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventWatchdogNewFromObj(virDomainObjPtr obj,
|
|
|
|
int action);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventIOErrorNewFromDom(virDomainPtr dom,
|
|
|
|
const char *srcPath,
|
|
|
|
const char *devAlias,
|
|
|
|
int action);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventIOErrorNewFromObj(virDomainObjPtr obj,
|
|
|
|
const char *srcPath,
|
|
|
|
const char *devAlias,
|
|
|
|
int action);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventIOErrorReasonNewFromDom(virDomainPtr dom,
|
|
|
|
const char *srcPath,
|
|
|
|
const char *devAlias,
|
|
|
|
int action,
|
|
|
|
const char *reason);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventIOErrorReasonNewFromObj(virDomainObjPtr obj,
|
|
|
|
const char *srcPath,
|
|
|
|
const char *devAlias,
|
|
|
|
int action,
|
|
|
|
const char *reason);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventGraphicsNewFromDom(virDomainPtr dom,
|
|
|
|
int phase,
|
|
|
|
virDomainEventGraphicsAddressPtr local,
|
|
|
|
virDomainEventGraphicsAddressPtr remote,
|
|
|
|
const char *authScheme,
|
|
|
|
virDomainEventGraphicsSubjectPtr subject);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventGraphicsNewFromObj(virDomainObjPtr obj,
|
|
|
|
int phase,
|
|
|
|
virDomainEventGraphicsAddressPtr local,
|
|
|
|
virDomainEventGraphicsAddressPtr remote,
|
|
|
|
const char *authScheme,
|
|
|
|
virDomainEventGraphicsSubjectPtr subject);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventControlErrorNewFromDom(virDomainPtr dom);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventControlErrorNewFromObj(virDomainObjPtr obj);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventBlockJobNewFromObj(virDomainObjPtr obj,
|
|
|
|
const char *path,
|
|
|
|
int type,
|
|
|
|
int status);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventBlockJobNewFromDom(virDomainPtr dom,
|
|
|
|
const char *path,
|
|
|
|
int type,
|
|
|
|
int status);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventDiskChangeNewFromObj(virDomainObjPtr obj,
|
|
|
|
const char *oldSrcPath,
|
|
|
|
const char *newSrcPath,
|
|
|
|
const char *devAlias,
|
|
|
|
int reason);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventDiskChangeNewFromDom(virDomainPtr dom,
|
|
|
|
const char *oldSrcPath,
|
|
|
|
const char *newSrcPath,
|
|
|
|
const char *devAlias,
|
|
|
|
int reason);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventTrayChangeNewFromObj(virDomainObjPtr obj,
|
|
|
|
const char *devAlias,
|
|
|
|
int reason);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventTrayChangeNewFromDom(virDomainPtr dom,
|
|
|
|
const char *devAlias,
|
|
|
|
int reason);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventPMWakeupNewFromObj(virDomainObjPtr obj);
|
|
|
|
virObjectEventPtr
|
2014-01-29 00:41:34 +00:00
|
|
|
virDomainEventPMWakeupNewFromDom(virDomainPtr dom, int reason);
|
2013-12-11 10:38:03 +00:00
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventPMSuspendNewFromObj(virDomainObjPtr obj);
|
|
|
|
virObjectEventPtr
|
2014-01-29 00:41:34 +00:00
|
|
|
virDomainEventPMSuspendNewFromDom(virDomainPtr dom, int reason);
|
2013-12-11 10:38:03 +00:00
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventBalloonChangeNewFromDom(virDomainPtr dom,
|
|
|
|
unsigned long long actual);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventBalloonChangeNewFromObj(virDomainObjPtr obj,
|
|
|
|
unsigned long long actual);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventPMSuspendDiskNewFromObj(virDomainObjPtr obj);
|
|
|
|
virObjectEventPtr
|
2014-01-29 00:41:34 +00:00
|
|
|
virDomainEventPMSuspendDiskNewFromDom(virDomainPtr dom, int reason);
|
2013-12-11 10:38:03 +00:00
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventDeviceRemovedNewFromObj(virDomainObjPtr obj,
|
|
|
|
const char *devAlias);
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainEventDeviceRemovedNewFromDom(virDomainPtr dom,
|
|
|
|
const char *devAlias);
|
|
|
|
|
|
|
|
int
|
|
|
|
virDomainEventStateRegister(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
|
|
|
virConnectDomainEventCallback callback,
|
|
|
|
void *opaque,
|
|
|
|
virFreeCallback freecb)
|
event: move event filtering to daemon (regression fix)
https://bugzilla.redhat.com/show_bug.cgi?id=1058839
Commit f9f56340 for CVE-2014-0028 almost had the right idea - we
need to check the ACL rules to filter which events to send. But
it overlooked one thing: the event dispatch queue is running in
the main loop thread, and therefore does not normally have a
current virIdentityPtr. But filter checks can be based on current
identity, so when libvirtd.conf contains access_drivers=["polkit"],
we ended up rejecting access for EVERY event due to failure to
look up the current identity, even if it should have been allowed.
Furthermore, even for events that are triggered by API calls, it
is important to remember that the point of events is that they can
be copied across multiple connections, which may have separate
identities and permissions. So even if events were dispatched
from a context where we have an identity, we must change to the
correct identity of the connection that will be receiving the
event, rather than basing a decision on the context that triggered
the event, when deciding whether to filter an event to a
particular connection.
If there were an easy way to get from virConnectPtr to the
appropriate virIdentityPtr, then object_event.c could adjust the
identity prior to checking whether to dispatch an event. But
setting up that back-reference is a bit invasive. Instead, it
is easier to delay the filtering check until lower down the
stack, at the point where we have direct access to the RPC
client object that owns an identity. As such, this patch ends
up reverting a large portion of the framework of commit f9f56340.
We also have to teach 'make check' to special-case the fact that
the event registration filtering is done at the point of dispatch,
rather than the point of registration. Note that even though we
don't actually use virConnectDomainEventRegisterCheckACL (because
the RegisterAny variant is sufficient), we still generate the
function for the purposes of documenting that the filtering
takes place.
Also note that I did not entirely delete the notion of a filter
from object_event.c; I still plan on using that for my upcoming
patch series for qemu monitor events in libvirt-qemu.so. In
other words, while this patch changes ACL filtering to live in
remote.c and therefore we have no current client of the filtering
in object_event.c, the notion of filtering in object_event.c is
still useful down the road.
* src/check-aclrules.pl: Exempt event registration from having to
pass checkACL filter down call stack.
* daemon/remote.c (remoteRelayDomainEventCheckACL)
(remoteRelayNetworkEventCheckACL): New functions.
(remoteRelay*Event*): Use new functions.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Drop unused parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/domain_event.c (virDomainEventFilter): Delete unused
function.
* src/conf/network_event.c (virNetworkEventFilter): Likewise.
* src/libxl/libxl_driver.c: Adjust caller.
* src/lxc/lxc_driver.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/remote/remote_driver.c: Likewise.
* src/test/test_driver.c: Likewise.
* src/uml/uml_driver.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_driver.c: Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-28 21:50:02 +00:00
|
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
|
2013-12-11 10:38:03 +00:00
|
|
|
int
|
|
|
|
virDomainEventStateRegisterID(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
|
|
|
virDomainPtr dom,
|
|
|
|
int eventID,
|
|
|
|
virConnectDomainEventGenericCallback cb,
|
|
|
|
void *opaque,
|
|
|
|
virFreeCallback freecb,
|
|
|
|
int *callbackID)
|
event: move event filtering to daemon (regression fix)
https://bugzilla.redhat.com/show_bug.cgi?id=1058839
Commit f9f56340 for CVE-2014-0028 almost had the right idea - we
need to check the ACL rules to filter which events to send. But
it overlooked one thing: the event dispatch queue is running in
the main loop thread, and therefore does not normally have a
current virIdentityPtr. But filter checks can be based on current
identity, so when libvirtd.conf contains access_drivers=["polkit"],
we ended up rejecting access for EVERY event due to failure to
look up the current identity, even if it should have been allowed.
Furthermore, even for events that are triggered by API calls, it
is important to remember that the point of events is that they can
be copied across multiple connections, which may have separate
identities and permissions. So even if events were dispatched
from a context where we have an identity, we must change to the
correct identity of the connection that will be receiving the
event, rather than basing a decision on the context that triggered
the event, when deciding whether to filter an event to a
particular connection.
If there were an easy way to get from virConnectPtr to the
appropriate virIdentityPtr, then object_event.c could adjust the
identity prior to checking whether to dispatch an event. But
setting up that back-reference is a bit invasive. Instead, it
is easier to delay the filtering check until lower down the
stack, at the point where we have direct access to the RPC
client object that owns an identity. As such, this patch ends
up reverting a large portion of the framework of commit f9f56340.
We also have to teach 'make check' to special-case the fact that
the event registration filtering is done at the point of dispatch,
rather than the point of registration. Note that even though we
don't actually use virConnectDomainEventRegisterCheckACL (because
the RegisterAny variant is sufficient), we still generate the
function for the purposes of documenting that the filtering
takes place.
Also note that I did not entirely delete the notion of a filter
from object_event.c; I still plan on using that for my upcoming
patch series for qemu monitor events in libvirt-qemu.so. In
other words, while this patch changes ACL filtering to live in
remote.c and therefore we have no current client of the filtering
in object_event.c, the notion of filtering in object_event.c is
still useful down the road.
* src/check-aclrules.pl: Exempt event registration from having to
pass checkACL filter down call stack.
* daemon/remote.c (remoteRelayDomainEventCheckACL)
(remoteRelayNetworkEventCheckACL): New functions.
(remoteRelay*Event*): Use new functions.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Drop unused parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/domain_event.c (virDomainEventFilter): Delete unused
function.
* src/conf/network_event.c (virNetworkEventFilter): Likewise.
* src/libxl/libxl_driver.c: Adjust caller.
* src/lxc/lxc_driver.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/remote/remote_driver.c: Likewise.
* src/test/test_driver.c: Likewise.
* src/uml/uml_driver.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_driver.c: Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-28 21:50:02 +00:00
|
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5);
|
2011-01-05 22:51:45 +00:00
|
|
|
int
|
2014-01-08 04:00:54 +00:00
|
|
|
virDomainEventStateRegisterClient(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
|
|
|
virDomainPtr dom,
|
|
|
|
int eventID,
|
|
|
|
virConnectDomainEventGenericCallback cb,
|
|
|
|
void *opaque,
|
|
|
|
virFreeCallback freecb,
|
|
|
|
bool legacy,
|
|
|
|
int *callbackID,
|
|
|
|
bool remoteID)
|
|
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5)
|
|
|
|
ATTRIBUTE_NONNULL(9);
|
|
|
|
|
|
|
|
int
|
|
|
|
virDomainEventStateCallbackID(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
|
|
|
virConnectDomainEventCallback callback,
|
|
|
|
int *remoteID)
|
|
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3)
|
|
|
|
ATTRIBUTE_NONNULL(4);
|
|
|
|
|
|
|
|
int
|
2011-01-05 22:51:45 +00:00
|
|
|
virDomainEventStateDeregister(virConnectPtr conn,
|
2013-11-21 10:43:10 +00:00
|
|
|
virObjectEventStatePtr state,
|
2011-01-05 22:51:45 +00:00
|
|
|
virConnectDomainEventCallback callback)
|
|
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
|
2013-11-26 14:10:15 +00:00
|
|
|
|
2013-12-31 13:33:42 +00:00
|
|
|
int
|
|
|
|
virDomainQemuMonitorEventStateRegisterID(virConnectPtr conn,
|
|
|
|
virObjectEventStatePtr state,
|
|
|
|
virDomainPtr dom,
|
|
|
|
const char *event,
|
|
|
|
virConnectDomainQemuMonitorEventCallback cb,
|
|
|
|
void *opaque,
|
|
|
|
virFreeCallback freecb,
|
|
|
|
unsigned int flags,
|
|
|
|
int *callbackID)
|
|
|
|
ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5)
|
|
|
|
ATTRIBUTE_NONNULL(9);
|
|
|
|
|
|
|
|
virObjectEventPtr
|
|
|
|
virDomainQemuMonitorEventNew(int id,
|
|
|
|
const char *name,
|
|
|
|
const unsigned char *uuid,
|
|
|
|
const char *event,
|
|
|
|
long long seconds,
|
|
|
|
unsigned int micros,
|
|
|
|
const char *details)
|
|
|
|
ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3) ATTRIBUTE_NONNULL(4);
|
|
|
|
|
2008-11-04 23:33:57 +00:00
|
|
|
#endif
|