From 9062f89d17d1ab5d6c5c3efae8c6056149ef0a28 Mon Sep 17 00:00:00 2001
Message-Id: <9062f89d17d1ab5d6c5c3efae8c6056149ef0a28@dist-git>
From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= <berrange@redhat.com>
Date: Wed, 15 May 2019 21:40:57 +0100
Subject: [PATCH] locking: restrict sockets to mode 0600
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from a private commit)
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
Message-Id: <20190515204058.28077-3-berrange@redhat.com>
---
 src/locking/virtlockd-admin.socket.in | 1 +
 src/locking/virtlockd.socket.in       | 1 +
 2 files changed, 2 insertions(+)

diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
index 2a7500f3d0..f674c492f7 100644
--- a/src/locking/virtlockd-admin.socket.in
+++ b/src/locking/virtlockd-admin.socket.in
@@ -5,6 +5,7 @@ Before=libvirtd.service
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
 Service=virtlockd.service
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target
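Review bot: The added `SocketMode=0600` under `[Socket]` has no comment in the unit file saying that libvirtd is the only intended client, so a later edit could relax the mode without seeing the CVE context; suggest a one-line comment above it. Neither `SocketUser=` nor `SocketGroup=` appears in the visible `[Socket]` section, so with mode 0600 the only account that can connect is the one systemd creates the socket as; worth confirming that is the account libvirtd connects from.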
diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
index 45e0f20235..d701b27516 100644
--- a/src/locking/virtlockd.socket.in
+++ b/src/locking/virtlockd.socket.in
@@ -4,6 +4,7 @@ Before=libvirtd.service
 
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target
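Review bot: `SocketMode=0600` on `virtlockd-sock` only takes effect when systemd creates the socket from this unit, and the patch touches only the two `.socket.in` templates. Please confirm the daemon applies an equally restrictive mode when it binds the socket itself without socket activation, and that an upgrade restarts the socket unit, since a socket that is already listening keeps the mode it was created with.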
-- 
2.21.0