Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401)

The virConnectDomainXMLToNative API should require 'connect:write'
not 'connect:read', since it will trigger execution of the QEMU
binaries listed in the XML.

Also make virConnectDomainXMLFromNative API require a full
read-write connection and 'connect:write' permission. Although the
current impl doesn't trigger execution of QEMU, we should not
rely on that impl detail from an API permissioning POV.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c)
This commit is contained in:
Daniel P. Berrange 2013-10-03 16:37:57 +01:00
parent 2503a07480
commit 1adbe4faa9
2 changed files with 6 additions and 2 deletions

View File

@ -4611,6 +4611,10 @@ char *virConnectDomainXMLFromNative(virConnectPtr conn,
virDispatchError(NULL);
return NULL;
}
if (conn->flags & VIR_CONNECT_RO) {
virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
goto error;
}
virCheckNonNullArgGoto(nativeFormat, error);
virCheckNonNullArgGoto(nativeConfig, error);

View File

@ -3826,13 +3826,13 @@ enum remote_procedure {
/**
* @generate: both
* @acl: connect:read
* @acl: connect:write
*/
REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135,
/**
* @generate: both
* @acl: connect:read
* @acl: connect:write
*/
REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136,