Fix perms for virConnectDomainXML{To,From}Native (CVE-2013-4401)

The virConnectDomainXMLToNative API should require 'connect:write' not 'connect:read', since it will trigger execution of the QEMU binaries listed in the XML. Also make virConnectDomainXMLFromNative API require a full read-write connection and 'connect:write' permission. Although the current impl doesn't trigger execution of QEMU, we should not rely on that impl detail from an API permissioning POV. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c)
2025-01-24 13:35:17 +00:00 · 2013-10-03 16:37:57 +01:00 · 2013-10-03 16:37:57 +01:00 · 90171893ce
commit 90171893ce
parent 0eb43777db
2 changed files with 6 additions and 2 deletions
--- a/src/libvirt.c
+++ b/src/libvirt.c
@ -4606,6 +4606,10 @@ char *virConnectDomainXMLFromNative(virConnectPtr conn,
        virDispatchError(NULL);
        return NULL;
    }
    if (conn->flags & VIR_CONNECT_RO) {
        virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
        goto error;
    }
    virCheckNonNullArgGoto(nativeFormat, error);
    virCheckNonNullArgGoto(nativeConfig, error);
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@ -3812,13 +3812,13 @@ enum remote_procedure {
    /**
     * @generate: both
-     * @acl: connect:read
+     * @acl: connect:write
     */
    REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135,
    /**
     * @generate: both
-     * @acl: connect:read
+     * @acl: connect:write
     */
    REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136,