mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-02-14 23:51:29 +00:00
14828a59ea
The libvirt file system storage driver determines what file to act on by concatenating the pool location with the volume name. If a user is able to pick names like "../../../etc/passwd", then they can escape the bounds of the pool. For that matter, virStoragePoolListVolumes() doesn't descend into subdirectories, so a user really shouldn't use a name with a slash. Normally, only privileged users can coerce libvirt into creating or opening existing files using the virStorageVol APIs; and such users already have full privilege to create any domain XML (so it is not an escalation of privilege). But in the case of fine-grained ACLs, it is feasible that a user can be granted storage_vol:create but not domain:write, and it violates assumptions if such a user can abuse libvirt to access files outside of the storage pool. Therefore, prevent all use of volume names that contain "/", whether or not such a name is actually attempting to escape the pool. This changes things from: $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 Vol ../../../../../../etc/haha created $ rm /etc/haha to: $ virsh vol-create-as default ../../../../../../etc/haha --capacity 128 error: Failed to create vol ../../../../../../etc/haha error: Requested operation is not valid: volume name '../../../../../../etc/haha' cannot contain '/' Signed-off-by: Eric Blake <eblake@redhat.com> (cherry picked from commit 034e47c338b13a95cf02106a3af912c1c5f818d7) Conflicts: src/storage/storage_backend_fs.c - trivial copyright date collision
libvirt library code README
===========================
The directory provides the bulk of the libvirt codebase. Everything
except for the libvirtd daemon and client tools. The build uses a
large number of libtool convenience libraries - one for each child
directory, and then links them together for the final libvirt.so,
although some bits get linked directly to libvirtd daemon instead.
The files directly in this directory are supporting the public API
entry points & data structures.
There are two core shared modules to be aware of:
* util/ - a collection of shared APIs that can be used by any
code. This directory is always in the include path
for all things built
* conf/ - APIs for parsing / manipulating all the official XML
files used by the public API. This directory is only
in the include path for driver implementation modules
* vmx/ - VMware VMX config handling (used by esx/ and vmware/)
Then there are the hypervisor implementations:
* esx/ - VMware ESX and GSX support using vSphere API over SOAP
* hyperv/ - Microsoft Hyper-V support using WinRM
* lxc/ - Linux Native Containers
* openvz/ - OpenVZ containers using cli tools
* phyp/ - IBM Power Hypervisor using CLI tools over SSH
* qemu/ - QEMU / KVM using qemu CLI/monitor
* remote/ - Generic libvirt native RPC client
* test/ - A "mock" driver for testing
* uml/ - User Mode Linux
* vbox/ - Virtual Box using native API
* vmware/ - VMware Workstation and Player using the vmrun tool
* xen/ - Xen using hypercalls, XenD SEXPR & XenStore
* xenapi/ - Xen using libxenserver
Finally some secondary drivers that are shared for several HVs.
Currently these are used by LXC, OpenVZ, QEMU, UML and Xen drivers.
The ESX, Hyper-V, Power Hypervisor, Remote, Test & VirtualBox drivers all
implement the secondary drivers directly
* cpu/ - CPU feature management
* interface/ - Host network interface management
* network/ - Virtual NAT networking
* nwfilter/ - Network traffic filtering rules
* node_device/ - Host device enumeration
* secret/ - Secret management
* security/ - Mandatory access control drivers
* storage/ - Storage management drivers
Since both the hypervisor and secondary drivers can be built as
dlopen()able modules, it is *FORBIDDEN* to have build dependencies
between these directories. Drivers are only allowed to depend on
the public API, and the internal APIs in the util/ and conf/
directories