mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-26 06:25:19 +00:00
b19f326964
https://bugzilla.redhat.com/show_bug.cgi?id=1058839

Commit f9f56340 for CVE-2014-0028 almost had the right idea - we need to check the ACL rules to filter which events to send. But it overlooked one thing: the event dispatch queue is running in the main loop thread, and therefore does not normally have a current virIdentityPtr. But filter checks can be based on current identity, so when libvirtd.conf contains access_drivers=["polkit"], we ended up rejecting access for EVERY event due to failure to look up the current identity, even if it should have been allowed.

Furthermore, even for events that are triggered by API calls, it is important to remember that the point of events is that they can be copied across multiple connections, which may have separate identities and permissions. So even if events were dispatched from a context where we have an identity, we must change to the correct identity of the connection that will be receiving the event, rather than basing a decision on the context that triggered the event, when deciding whether to filter an event to a particular connection.

If there were an easy way to get from virConnectPtr to the appropriate virIdentityPtr, then object_event.c could adjust the identity prior to checking whether to dispatch an event. But setting up that back-reference is a bit invasive. Instead, it is easier to delay the filtering check until lower down the stack, at the point where we have direct access to the RPC client object that owns an identity. As such, this patch ends up reverting a large portion of the framework of commit f9f56340. We also have to teach 'make check' to special-case the fact that the event registration filtering is done at the point of dispatch, rather than the point of registration. Note that even though we don't actually use virConnectDomainEventRegisterCheckACL (because the RegisterAny variant is sufficient), we still generate the function for the purposes of documenting that the filtering takes place.

Also note that I did not entirely delete the notion of a filter from object_event.c; I still plan on using that for my upcoming patch series for qemu monitor events in libvirt-qemu.so. In other words, while this patch changes ACL filtering to live in remote.c and therefore we have no current client of the filtering in object_event.c, the notion of filtering in object_event.c is still useful down the road.

* src/check-aclrules.pl: Exempt event registration from having to pass checkACL filter down call stack.
* daemon/remote.c (remoteRelayDomainEventCheckACL) (remoteRelayNetworkEventCheckACL): New functions. (remoteRelay*Event*): Use new functions.
* src/conf/domain_event.h (virDomainEventStateRegister) (virDomainEventStateRegisterID): Drop unused parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID): Likewise.
* src/conf/domain_event.c (virDomainEventFilter): Delete unused function.
* src/conf/network_event.c (virNetworkEventFilter): Likewise.
* src/libxl/libxl_driver.c: Adjust caller.
* src/lxc/lxc_driver.c: Likewise.
* src/network/bridge_driver.c: Likewise.
* src/qemu/qemu_driver.c: Likewise.
* src/remote/remote_driver.c: Likewise.
* src/test/test_driver.c: Likewise.
* src/uml/uml_driver.c: Likewise.
* src/vbox/vbox_tmpl.c: Likewise.
* src/xen/xen_driver.c: Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
(cherry picked from commit 11f20e43f1388d5f8f8c0bfac8c9cda6160a106b)

Conflicts:
    daemon/remote.c - not backporting network events
    src/conf/network_event.c - likewise
    src/conf/network_event.h - likewise
    src/network/bridge_driver.c - likewise
    src/conf/domain_event.c - revert back to pre-CVE state
    src/conf/domain_event.h - likewise
    src/libxl/libxl_driver.c - likewise
    src/lxc/lxc_driver.c - likewise
    src/remote/remote_driver.c - likewise
    src/test/test_driver.c - likewise
    src/uml/uml_driver.c - likewise
    src/xen/xen_driver.c - likewise
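The two failure modes described in the commit message above, and the per-connection check that avoids them, as an added example that is not libvirt code. The `identity`, `client` and `event` types, the `current_identity` variable and the ownership-based ACL rule are hypothetical stand-ins for the daemon's objects.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for the daemon's objects; not libvirt types. */
typedef struct { const char *user; } identity;
typedef struct { identity *ident; int delivered; } client;
typedef struct { const char *domain_owner; } event;

/* Identity of the running thread: NULL in the main loop thread that
 * drains the event queue, set while an API call is being served. */
static identity *current_identity = NULL;

/* Constructed ACL rule: a user sees events only for domains they own.
 * A missing identity fails closed. */
static bool acl_allows(const identity *id, const event *ev)
{
    return id != NULL && strcmp(id->user, ev->domain_owner) == 0;
}

/* Decision based on whatever identity the dispatching context has. */
static int dispatch_ambient(client *c, size_t n, const event *ev)
{
    int sent = 0;
    for (size_t i = 0; i < n; i++)
        if (acl_allows(current_identity, ev)) { c[i].delivered++; sent++; }
    return sent;
}

/* Decision based on the identity of the connection receiving the event. */
static int dispatch_per_client(client *c, size_t n, const event *ev)
{
    int sent = 0;
    for (size_t i = 0; i < n; i++)
        if (acl_allows(c[i].ident, ev)) { c[i].delivered++; sent++; }
    return sent;
}

int main(void)
{
    identity alice = { "alice" }, bob = { "bob" };
    client clients[2] = { { &alice, 0 }, { &bob, 0 } };
    event ev = { "alice" };                 /* constructed sample event */

    printf("main loop, ambient:    %d\n", dispatch_ambient(clients, 2, &ev));
    printf("main loop, per client: %d\n", dispatch_per_client(clients, 2, &ev));
    current_identity = &alice;              /* event raised inside alice's API call */
    printf("API call, ambient:     %d\n", dispatch_ambient(clients, 2, &ev));
    return 0;
}
```

With no ambient identity every event is rejected; with the triggering caller's identity the event reaches a connection that should not see it; only the per-connection check delivers to exactly the permitted client.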
Licensing

Note that much of the vbox code in this directory is LGPLv2-only. Thus, it cannot be linked into any software that also wants to use GPLv3+ code.

This readme file is:
Copyright (C) 2009, 2013 Red Hat, Inc.
Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without warranty of any kind.

Explanation of how multi-version support for the VirtualBox libvirt driver is implemented.

Since VirtualBox adds multiple new features in each release, it is only natural that the C API which VirtualBox exposes is volatile across versions, and thus a good mechanism is needed to handle multiple versions at runtime. The solution is as follows.

Firstly, the file structure is as below:

vbox_CAPI_v2_2.h
vbox_XPCOMCGlue.h
vbox_XPCOMCGlue.c
    These files are C API/glue code files taken directly from the VirtualBox OSE source and are needed for the C API to work as expected.

vbox_driver.h
vbox_driver.c
    These files have the main logic for registering the VirtualBox driver with libvirt.

vbox_V2_2.c
    The file which has version-dependent changes and includes the template file given below for all of its functionality.

vbox_tmpl.c
    The file where all the real driver implementation code exists.

There is one vbox_V*.c file (e.g. vbox_V2_2.c for V2.2) for each major VirtualBox version, which does some preprocessor magic and includes the template file (vbox_tmpl.c) for the functionality it offers.