From 03a600368ea6aeed9bd6d7879597e2bf8533ebc9 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Mon, 29 Apr 2013 10:56:03 +0100
Subject: [PATCH] Don't allow renaming of domains by the backdoor

Several APIs allow for custom XML to be passed in. This is checked for ABI stability, which will ensure the UUID is not being changed. There isn't validation that the name did not change though. This could allow renaming of guests via the backdoor, which in turn could allow for bypassing access control restrictions based on names.

Signed-off-by: Daniel P. Berrange
---
 src/conf/domain_conf.c | 11 +++++++++++
 src/qemu/qemu_migration.c | 6 ------
 2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 59badf8699..e90d5854f9 100644
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -12558,6 +12558,17 @@ virDomainDefCheckABIStability(virDomainDefPtr src,
 return false;
 }
+ /* Not strictly ABI related, but we want to make sure domains
+ * don't get silently re-named through the backdoor when passing
+ * custom XML into various APIs, since this would create havoc
+ */
+ if (STRNEQ(src->name, dst->name)) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+ _("Target domain name '%s' does not match source '%s'"),
+ dst->name, src->name);
+ return false;
+ }
+
 if (src->mem.max_balloon != dst->mem.max_balloon) {
 virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
 _("Target domain max memory %lld does not match source %lld"),
diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 8ed94731b4..db7c4f8580 100644
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1940,12 +1940,6 @@ char *qemuMigrationBegin(virQEMUDriverPtr driver,
 VIR_DOMAIN_XML_INACTIVE)))
 goto cleanup;
- if (STRNEQ(def->name, vm->def->name)) {
- virReportError(VIR_ERR_INVALID_ARG, "%s",
- _("target domain name doesn't match source name"));
- goto cleanup;
- }
-
 if (!virDomainDefCheckABIStability(vm->def, def))
 goto cleanup;
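Review bot: The comment above the new `STRNEQ(src->name, dst->name)` check in virDomainDefCheckABIStability gives "havoc" as the reason, while the commit message names the real risk, bypassing access control restrictions based on names; a check described as "not strictly ABI related" inside an ABI-stability function is easy to drop in a later cleanup unless the comment says it is security-relevant. I would reword it along the lines of `/* Security: name-based access control depends on this; custom XML must never rename a domain */`. The guard only covers APIs that pass their custom XML through this function, so any entry point that accepts XML without calling it (none is visible in this patch) would still need its own name comparison. With the migration-side check removed, a name mismatch in qemuMigrationBegin is now reported as VIR_ERR_CONFIG_UNSUPPORTED rather than VIR_ERR_INVALID_ARG, which deserves a line in the commit message for callers that match on the error code. The function body starts and ends outside the hunk.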