mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-22 13:45:38 +00:00
api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commitaed6a032ce
) Signed-off-by: Ján Tomko <jtomko@redhat.com> Conflicts: src/libvirt-domain.c src/remote/remote_protocol.x Upstream commit12a51f372
which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE alias for VIR_DOMAIN_XML_SECURE is not backported. Just skip the commit since we now disallow the whole API on read-only connections, regardless of the flag. Signed-off-by: Ján Tomko <jtomko@redhat.com>
This commit is contained in:
parent
84d35ef500
commit
980109c41c
@ -1077,9 +1077,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
|
|||||||
* previously by virDomainSave() or virDomainSaveFlags().
|
* previously by virDomainSave() or virDomainSaveFlags().
|
||||||
*
|
*
|
||||||
* No security-sensitive data will be included unless @flags contains
|
* No security-sensitive data will be included unless @flags contains
|
||||||
* VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
|
* VIR_DOMAIN_XML_SECURE.
|
||||||
* connections. For this API, @flags should not contain either
|
|
||||||
* VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
|
|
||||||
*
|
*
|
||||||
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
|
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
|
||||||
* error. The caller must free() the returned value.
|
* error. The caller must free() the returned value.
|
||||||
@ -1095,12 +1093,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
|
|||||||
|
|
||||||
virCheckConnectReturn(conn, NULL);
|
virCheckConnectReturn(conn, NULL);
|
||||||
virCheckNonNullArgGoto(file, error);
|
virCheckNonNullArgGoto(file, error);
|
||||||
|
virCheckReadOnlyGoto(conn->flags, error);
|
||||||
if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
|
|
||||||
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
|
|
||||||
_("virDomainSaveImageGetXMLDesc with secure flag"));
|
|
||||||
goto error;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (conn->driver->domainSaveImageGetXMLDesc) {
|
if (conn->driver->domainSaveImageGetXMLDesc) {
|
||||||
char *ret;
|
char *ret;
|
||||||
|
@ -6882,7 +6882,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
|
|||||||
if (fd < 0)
|
if (fd < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
|
if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
|
|
||||||
ret = qemuDomainDefFormatXML(driver, def, flags);
|
ret = qemuDomainDefFormatXML(driver, def, flags);
|
||||||
|
@ -4889,8 +4889,7 @@ enum remote_procedure {
|
|||||||
/**
|
/**
|
||||||
* @generate: both
|
* @generate: both
|
||||||
* @priority: high
|
* @priority: high
|
||||||
* @acl: domain:read
|
* @acl: domain:write
|
||||||
* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
|
|
||||||
*/
|
*/
|
||||||
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
|
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user