External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-01-07 05:25:25 +00:00
Code Issues Packages Projects Releases Wiki Activity
Libvirt provides a portable, long term stable C API for managing the virtualization technologies provided by many operating systems. It includes support for QEMU, KVM, Xen, LXC, bhyve, Virtuozzo, VMware vCenter and ESX, VMware Desktop, Hyper-V, VirtualBox and the POWER Hypervisor.
14,672 Commits 67 Branches 629 Tags 868 MiB
C 94.8%
Python 2%
Meson 0.9%
Shell 0.8%
Dockerfile 0.6%
Other 0.8%
51afa9a255
Go to file
Eric Blake 51afa9a255 event: filter global events by domain:getattr ACL [CVE-2014-0028] 
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends.  We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.

Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration.  But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access.  The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global.  Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.

Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.

* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit f9f5634053)

Conflicts:
	src/conf/object_event.c - not backporting event refactoring
	src/conf/object_event_private.h - likewise
	src/conf/network_event.c - not backporting network events
	src/conf/network_event.h - likewise
	src/network/bridge_driver.c - likewise
	src/access/viraccessperm.h - likewise
	src/remote/remote_protocol.x - likewise
	src/conf/domain_event.c - includes code that upstream has in object_event
	src/conf/domain_event.h - context
	src/libxl/libxl_driver.c - context
	src/lxc/lxc_driver.c - context
	src/remote/remote_driver.c - context, not backporting network events
	src/test/test_driver.c - context, not backporting network events
	src/uml/uml_driver.c - context
	src/xen/xen_driver.c - context
2014-01-15 14:50:00 -07:00
.gnulib@4a5ee89c8a maint: update to latest gnulib 2013-09-24 06:53:07 -06:00
build-aux Add API for calling systemd-machined's DBus API 2013-07-22 13:09:58 +01:00
daemon Remove all direct use of getenv 2013-10-29 16:13:03 +00:00
docs LXC: Fix handling of RAM filesystem size units 2013-10-15 12:58:52 +02:00
examples Don't link virt-login-shell against libvirt.so (CVE-2013-4400) 2013-10-21 14:19:05 +01:00
gnulib Don't link virt-login-shell against libvirt.so (CVE-2013-4400) 2013-10-21 14:19:05 +01:00
include libvirt: add new public API virConnectGetCPUModelNames 2013-09-23 15:41:50 -06:00
m4 maint: update to latest gnulib 2013-09-24 06:53:07 -06:00
po Prep for release 1.1.3.2 2013-12-14 14:26:46 -05:00
python Return right error code for baselineCPU 2013-12-14 13:39:42 -05:00
src event: filter global events by domain:getattr ACL [CVE-2014-0028] 2014-01-15 14:50:00 -07:00
tests qemu: don't use deprecated -no-kvm-pit-reinjection 2013-11-13 10:33:44 +01:00
tools libvirt-guests: Run only after libvirtd 2013-11-20 09:03:52 -05:00
.ctags maint: Make ctags work out of the box 2013-07-18 08:47:21 +02:00
.dir-locals.el build: avoid tabs that failed syntax-check 2012-09-06 09:43:46 -06:00
.gitignore Fix flaw in detecting log format 2013-10-29 16:10:22 +00:00
.gitmodules
.mailmap Autogenerate AUTHORS 2012-10-19 12:44:56 -04:00
AUTHORS.in Add John Ferlan to the committers list 2013-02-05 10:59:32 -05:00
autobuild.sh build: make autobuild require rpm build deps 2013-09-16 09:35:05 -06:00
autogen.sh autogen.sh: Correctly detect .git as a file 2013-08-29 13:19:45 +02:00
bootstrap maint: update to latest gnulib 2013-09-24 06:53:07 -06:00
bootstrap.conf Add helpers for getting env vars in a setuid environment 2013-10-21 14:18:47 +01:00
cfg.mk Block all use of getenv with syntax-check 2013-10-29 16:14:00 +00:00
ChangeLog-old docs, comments: minor typo fixes 2013-09-10 17:06:41 -06:00
config-post.h build: fix build of virt-login-shell on systems with older gnutls 2013-10-23 09:02:38 +01:00
configure.ac Prep for release 1.1.3.2 2013-12-14 14:26:46 -05:00
COPYING maint: follow recommended practice for using LGPL 2013-05-20 14:15:21 -06:00
COPYING.LESSER maint: follow recommended practice for using LGPL 2013-05-20 14:15:21 -06:00
HACKING docs: mention VIR_TEST_RANGE 2013-08-12 20:44:41 -06:00
libvirt.pc.in Add missing 'libvirt_lxc_api' variable in pkg-config file 2013-09-04 14:52:40 +01:00
libvirt.spec.in Prep for release 1.1.3.2 2013-12-14 14:26:46 -05:00
Makefile.am Don't link virt-login-shell against libvirt.so (CVE-2013-4400) 2013-10-21 14:19:05 +01:00
Makefile.nonreentrant maint: use LGPL correctly 2013-05-20 14:03:48 -06:00
mingw-libvirt.spec.in build: add configure option to disable gnulib tests 2013-08-12 10:02:38 -06:00
README
README-hacking maint: relax git minimum version 2010-02-24 14:29:27 -05:00
run.in run: license as LGPL 2013-02-23 14:03:19 -07:00
TODO Update todo list file to point at bugzilla/website 2010-10-13 16:45:26 +01:00

README 

         LibVirt : simple API for virtualization

  Libvirt is a C toolkit to interact with the virtualization capabilities
of recent versions of Linux (and other OSes). It is free software
available under the GNU Lesser General Public License. Virtualization of
the Linux Operating System means the ability to run multiple instances of
Operating Systems concurrently on a single hardware system where the basic
resources are driven by a Linux instance. The library aim at providing
long term stable C API initially for the Xen paravirtualization but
should be able to integrate other virtualization mechanisms if needed.

Daniel Veillard <veillard@redhat.com>