mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-09-24 00:20:53 +00:00
7f2d27d1e3
I noticed that we allow virDomainGetVcpusFlags even for read-only connections, but that with a flag, it can require guest agent interaction. It is feasible that a malicious guest could intentionally abuse the replies it sends over the guest agent connection to possibly trigger a bug in libvirt's JSON parser, or withhold an answer so as to prevent the use of the agent in a later command such as a shutdown request. Although we don't know of any such exploits now (and therefore don't mind posting this patch publicly without trying to get a CVE assigned), it is better to err on the side of caution and explicitly require full access to any domain where the API requires guest interaction to operate correctly. I audited all commands that are marked as conditionally using a guest agent. Note that at least virDomainFSTrim is documented as needing a guest agent, but that such use is unconditional depending on the hypervisor (so the existing domain:fs_trim ACL should be sufficient there, rather than also requirng domain:write). But when designing future APIs, such as the plans for obtaining a domain's IP addresses, we should copy the approach of this patch in making interaction with the guest be specified via a flag, and use that flag to also require stricter access checks. * src/libvirt.c (virDomainGetVcpusFlags): Forbid guest interaction on read-only connection. (virDomainShutdownFlags, virDomainReboot): Improve docs on agent interaction. * src/remote/remote_protocol.x (REMOTE_PROC_DOMAIN_SNAPSHOT_CREATE_XML) (REMOTE_PROC_DOMAIN_SET_VCPUS_FLAGS) (REMOTE_PROC_DOMAIN_GET_VCPUS_FLAGS, REMOTE_PROC_DOMAIN_REBOOT) (REMOTE_PROC_DOMAIN_SHUTDOWN_FLAGS): Require domain:write for any conditional use of a guest agent. * src/xen/xen_driver.c: Fix clients. * src/libxl/libxl_driver.c: Likewise. * src/uml/uml_driver.c: Likewise. * src/qemu/qemu_driver.c: Likewise. * src/lxc/lxc_driver.c: Likewise. Signed-off-by: Eric Blake <eblake@redhat.com> |
||
|---|---|---|
| .. | ||
| libvirtd_qemu.aug | ||
| MIGRATION.txt | ||
| qemu_agent.c | ||
| qemu_agent.h | ||
| qemu_bridge_filter.c | ||
| qemu_bridge_filter.h | ||
| qemu_capabilities.c | ||
| qemu_capabilities.h | ||
| qemu_cgroup.c | ||
| qemu_cgroup.h | ||
| qemu_command.c | ||
| qemu_command.h | ||
| qemu_conf.c | ||
| qemu_conf.h | ||
| qemu_domain.c | ||
| qemu_domain.h | ||
| qemu_driver.c | ||
| qemu_driver.h | ||
| qemu_hostdev.c | ||
| qemu_hostdev.h | ||
| qemu_hotplug.c | ||
| qemu_hotplug.h | ||
| qemu_hotplugpriv.h | ||
| qemu_migration.c | ||
| qemu_migration.h | ||
| qemu_monitor_json.c | ||
| qemu_monitor_json.h | ||
| qemu_monitor_text.c | ||
| qemu_monitor_text.h | ||
| qemu_monitor.c | ||
| qemu_monitor.h | ||
| qemu_process.c | ||
| qemu_process.h | ||
| qemu_processpriv.h | ||
| qemu.conf | ||
| test_libvirtd_qemu.aug.in | ||
| THREADS.txt | ||