External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-22 19:32:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

qemu: Move pid file of pr-helper to stateDir

Browse Source 
Libvirt will put the pid file of pr-helper to per-domain directory.
However, the ownership of the per-domain directory is the user to run
the QEMU process and the user has the write permission of the directory.
If VM escape occurs, the attacker can
1. write arbitrary content to the pid file (if running QEMU using root),
   then the attacker can kill any process by writing appropriate pid to
   the pid file;
2. spoof the pid file (if running QEMU using a regular user), then the
   pr-helper process will never be cleared even if the VM is destroyed.

So, move the pid file of pr-helper from per-domain directory to
stateDir.

Signed-off-by: Peng Liang <liangpeng10@huawei.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
This commit is contained in:
Peng Liang 2021-10-18 17:20:11 +08:00 committed by Michal Privoznik
parent 8eb08e0fc5
commit 74e1ebee7f
1 changed files with 21 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/qemu/qemu_process.c
View File

@ -2856,7 +2856,7 @@ qemuProcessResctrlCreate(virQEMUDriver *driver,
static char *
qemuProcessBuildPRHelperPidfilePath(virDomainObj *vm)
qemuProcessBuildPRHelperPidfilePathOld(virDomainObj *vm)
{
qemuDomainObjPrivate *priv = vm->privateData;
const char *prdAlias = qemuDomainGetManagedPRAlias();
@ -2865,6 +2865,18 @@ qemuProcessBuildPRHelperPidfilePath(virDomainObj *vm)
}
static char *
qemuProcessBuildPRHelperPidfilePath(virDomainObj *vm)
{
qemuDomainObjPrivate *priv = vm->privateData;
g_autofree char *domname = virDomainDefGetShortName(vm->def);
g_autofree char *prdName = g_strdup_printf("%s-%s", domname, qemuDomainGetManagedPRAlias());
g_autoptr(virQEMUDriverConfig) cfg = virQEMUDriverGetConfig(priv->driver);
return virPidFileBuildPath(cfg->stateDir, prdName);
}
void
qemuProcessKillManagedPRDaemon(virDomainObj *vm)
{
@ -2877,6 +2889,14 @@ qemuProcessKillManagedPRDaemon(virDomainObj *vm)
return;
}
if (!virFileExists(pidfile)) {
g_free(pidfile);
if (!(pidfile = qemuProcessBuildPRHelperPidfilePathOld(vm))) {
VIR_WARN("Unable to construct pr-helper pidfile path");
return;
}
}
virErrorPreserveLast(&orig_err);
if (virPidFileForceCleanupPath(pidfile) < 0) {
VIR_WARN("Unable to kill pr-helper process");