External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-08 20:51:26 +00:00
Code Issues Packages Projects Releases Wiki Activity

libxl: Reject VM config referencing nwfilters

Browse Source 
The Xen libxl driver does not support nwfilter. Introduce a
deviceValidateCallback function with a check for nwfilters, returning
VIR_ERR_CONFIG_UNSUPPORTED if any are found. Also fail to start any
existing VMs referencing nwfilters.

Drivers generally ignore unrecognized XML configuration, but ignoring
a user's request to filter VM network traffic can be viewed as a
security issue.

Signed-off-by: Jim Fehlig <jfehlig@suse.com>
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
This commit is contained in:
Jim Fehlig 2024-09-06 16:08:05 -06:00
parent 068771068d
commit d721b6840f
1 changed files with 22 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
src/libxl/libxl_domain.c
View File

@ -356,12 +356,30 @@ libxlDomainDefValidate(const virDomainDef *def,
return 0; return 0;
} }
static int
libxlDomainDeviceDefValidate(const virDomainDeviceDef *dev,
const virDomainDef *def,
void *opaque G_GNUC_UNUSED,
void *parseOpaque G_GNUC_UNUSED)
{
if (dev->type == VIR_DOMAIN_DEVICE_NET && dev->data.net->filter) {
virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
_("filterref is not supported in %1$s"),
virDomainVirtTypeToString(def->virtType));
return -1;
}
return 0;
}
virDomainDefParserConfig libxlDomainDefParserConfig = { virDomainDefParserConfig libxlDomainDefParserConfig = {
.macPrefix = { 0x00, 0x16, 0x3e }, .macPrefix = { 0x00, 0x16, 0x3e },
.netPrefix = LIBXL_GENERATED_PREFIX_XEN, .netPrefix = LIBXL_GENERATED_PREFIX_XEN,
.devicesPostParseCallback = libxlDomainDeviceDefPostParse, .devicesPostParseCallback = libxlDomainDeviceDefPostParse,
.domainPostParseCallback = libxlDomainDefPostParse, .domainPostParseCallback = libxlDomainDefPostParse,
.domainValidateCallback = libxlDomainDefValidate, .domainValidateCallback = libxlDomainDefValidate,
.deviceValidateCallback = libxlDomainDeviceDefValidate,
.features = VIR_DOMAIN_DEF_FEATURE_USER_ALIAS | .features = VIR_DOMAIN_DEF_FEATURE_USER_ALIAS |
VIR_DOMAIN_DEF_FEATURE_FW_AUTOSELECT | VIR_DOMAIN_DEF_FEATURE_FW_AUTOSELECT |
@ -1460,6 +1478,10 @@ libxlDomainStartNew(libxlDriverPrivate *driver,
managed_save_path); managed_save_path);
vm->hasManagedSave = false; vm->hasManagedSave = false;
} else {
/* Validate configuration if starting a new VM */
if (virDomainDefValidate(vm->def, 0, driver->xmlopt, NULL) < 0)
goto cleanup;
} }
ret = libxlDomainStart(driver, vm, start_paused, restore_fd, restore_ver); ret = libxlDomainStart(driver, vm, start_paused, restore_fd, restore_ver);