|
|
0a7476 |
From 2e532b74b3100a06e0f1ba21f657883fe5aafcc5 Mon Sep 17 00:00:00 2001
|
|
|
0a7476 |
Message-Id: <2e532b74b3100a06e0f1ba21f657883fe5aafcc5@dist-git>
|
|
|
e53605 |
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
|
|
|
e53605 |
Date: Tue, 18 Jun 2019 13:29:59 +0200
|
|
|
e53605 |
Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only
|
|
|
e53605 |
connections
|
|
|
e53605 |
MIME-Version: 1.0
|
|
|
e53605 |
Content-Type: text/plain; charset=UTF-8
|
|
|
e53605 |
Content-Transfer-Encoding: 8bit
|
|
|
e53605 |
|
|
|
e53605 |
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
|
|
|
e53605 |
which can point to any path on the system. This file will then be
|
|
|
e53605 |
read and parsed by libvirtd running with root privileges.
|
|
|
e53605 |
|
|
|
e53605 |
Forbid it on read-only connections.
|
|
|
e53605 |
|
|
|
e53605 |
Fixes: CVE-2019-10161
|
|
|
e53605 |
Reported-by: Matthias Gerstner <mgerstner@suse.de>
|
|
|
e53605 |
Signed-off-by: Ján Tomko <jtomko@redhat.com>
|
|
|
e53605 |
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
|
e53605 |
Signed-off-by: Ján Tomko <jtomko@redhat.com>
|
|
|
e53605 |
|
|
|
e53605 |
Conflicts:
|
|
|
e53605 |
src/libvirt-domain.c
|
|
|
e53605 |
src/remote/remote_protocol.x
|
|
|
e53605 |
|
|
|
e53605 |
Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
|
|
|
e53605 |
alias for VIR_DOMAIN_XML_SECURE is not backported.
|
|
|
e53605 |
Just skip the commit since we now disallow the whole API on read-only
|
|
|
e53605 |
connections, regardless of the flag.
|
|
|
e53605 |
Message-Id: <4c14d609cd7b548459b9ef2f59728fa5c5e38268.1560857354.git.jtomko@redhat.com>
|
|
|
e53605 |
|
|
|
e53605 |
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
|
|
|
e53605 |
---
|
|
|
e53605 |
src/libvirt-domain.c | 11 ++---------
|
|
|
e53605 |
src/qemu/qemu_driver.c | 2 +-
|
|
|
e53605 |
src/remote/remote_protocol.x | 3 +--
|
|
|
e53605 |
3 files changed, 4 insertions(+), 12 deletions(-)
|
|
|
e53605 |
|
|
|
e53605 |
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
|
|
|
0a7476 |
index 568023176b..697326ae9a 100644
|
|
|
e53605 |
--- a/src/libvirt-domain.c
|
|
|
e53605 |
+++ b/src/libvirt-domain.c
|
|
|
e53605 |
@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
|
|
|
e53605 |
* previously by virDomainSave() or virDomainSaveFlags().
|
|
|
e53605 |
*
|
|
|
e53605 |
* No security-sensitive data will be included unless @flags contains
|
|
|
e53605 |
- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
|
|
|
e53605 |
- * connections. For this API, @flags should not contain either
|
|
|
e53605 |
- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
|
|
|
e53605 |
+ * VIR_DOMAIN_XML_SECURE.
|
|
|
e53605 |
*
|
|
|
e53605 |
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
|
|
|
e53605 |
* error. The caller must free() the returned value.
|
|
|
e53605 |
@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
|
|
|
e53605 |
|
|
|
e53605 |
virCheckConnectReturn(conn, NULL);
|
|
|
e53605 |
virCheckNonNullArgGoto(file, error);
|
|
|
e53605 |
-
|
|
|
e53605 |
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
|
|
|
e53605 |
- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
|
|
|
e53605 |
- _("virDomainSaveImageGetXMLDesc with secure flag"));
|
|
|
e53605 |
- goto error;
|
|
|
e53605 |
- }
|
|
|
e53605 |
+ virCheckReadOnlyGoto(conn->flags, error);
|
|
|
e53605 |
|
|
|
e53605 |
if (conn->driver->domainSaveImageGetXMLDesc) {
|
|
|
e53605 |
char *ret;
|
|
|
e53605 |
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
|
|
|
0a7476 |
index 704ba24215..25818f5d8c 100644
|
|
|
e53605 |
--- a/src/qemu/qemu_driver.c
|
|
|
e53605 |
+++ b/src/qemu/qemu_driver.c
|
|
|
e53605 |
@@ -6784,7 +6784,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
|
|
|
e53605 |
if (fd < 0)
|
|
|
e53605 |
goto cleanup;
|
|
|
e53605 |
|
|
|
e53605 |
- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
|
|
|
e53605 |
+ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
|
|
|
e53605 |
goto cleanup;
|
|
|
e53605 |
|
|
|
e53605 |
ret = qemuDomainDefFormatXML(driver, def, flags);
|
|
|
e53605 |
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
|
|
|
e53605 |
index 28c8febabd..52b92334fa 100644
|
|
|
e53605 |
--- a/src/remote/remote_protocol.x
|
|
|
e53605 |
+++ b/src/remote/remote_protocol.x
|
|
|
e53605 |
@@ -5226,8 +5226,7 @@ enum remote_procedure {
|
|
|
e53605 |
/**
|
|
|
e53605 |
* @generate: both
|
|
|
e53605 |
* @priority: high
|
|
|
e53605 |
- * @acl: domain:read
|
|
|
e53605 |
- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
|
|
|
e53605 |
+ * @acl: domain:write
|
|
|
e53605 |
*/
|
|
|
e53605 |
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
|
|
|
e53605 |
|
|
|
e53605 |
--
|
|
|
e53605 |
2.22.0
|
|
|
e53605 |
|