Blame SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch

0a7476
From 2e532b74b3100a06e0f1ba21f657883fe5aafcc5 Mon Sep 17 00:00:00 2001
0a7476
Message-Id: <2e532b74b3100a06e0f1ba21f657883fe5aafcc5@dist-git>
e53605
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
e53605
Date: Tue, 18 Jun 2019 13:29:59 +0200
e53605
Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only
e53605
 connections
e53605
MIME-Version: 1.0
e53605
Content-Type: text/plain; charset=UTF-8
e53605
Content-Transfer-Encoding: 8bit
e53605
e53605
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
e53605
which can point to any path on the system. This file will then be
e53605
read and parsed by libvirtd running with root privileges.
e53605
e53605
Forbid it on read-only connections.
e53605
e53605
Fixes: CVE-2019-10161
e53605
Reported-by: Matthias Gerstner <mgerstner@suse.de>
e53605
Signed-off-by: Ján Tomko <jtomko@redhat.com>
e53605
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
e53605
Signed-off-by: Ján Tomko <jtomko@redhat.com>
e53605
e53605
Conflicts:
e53605
  src/libvirt-domain.c
e53605
  src/remote/remote_protocol.x
e53605
e53605
Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
e53605
alias for VIR_DOMAIN_XML_SECURE is not backported.
e53605
Just skip the commit since we now disallow the whole API on read-only
e53605
connections, regardless of the flag.
e53605
Message-Id: <4c14d609cd7b548459b9ef2f59728fa5c5e38268.1560857354.git.jtomko@redhat.com>
e53605
e53605
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
e53605
---
e53605
 src/libvirt-domain.c         | 11 ++---------
e53605
 src/qemu/qemu_driver.c       |  2 +-
e53605
 src/remote/remote_protocol.x |  3 +--
e53605
 3 files changed, 4 insertions(+), 12 deletions(-)
e53605
e53605
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
0a7476
index 568023176b..697326ae9a 100644
e53605
--- a/src/libvirt-domain.c
e53605
+++ b/src/libvirt-domain.c
e53605
@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
e53605
  * previously by virDomainSave() or virDomainSaveFlags().
e53605
  *
e53605
  * No security-sensitive data will be included unless @flags contains
e53605
- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
e53605
- * connections.  For this API, @flags should not contain either
e53605
- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
e53605
+ * VIR_DOMAIN_XML_SECURE.
e53605
  *
e53605
  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
e53605
  * error.  The caller must free() the returned value.
e53605
@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
e53605
 
e53605
     virCheckConnectReturn(conn, NULL);
e53605
     virCheckNonNullArgGoto(file, error);
e53605
-
e53605
-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
e53605
-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
e53605
-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
e53605
-        goto error;
e53605
-    }
e53605
+    virCheckReadOnlyGoto(conn->flags, error);
e53605
 
e53605
     if (conn->driver->domainSaveImageGetXMLDesc) {
e53605
         char *ret;
e53605
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
0a7476
index 704ba24215..25818f5d8c 100644
e53605
--- a/src/qemu/qemu_driver.c
e53605
+++ b/src/qemu/qemu_driver.c
e53605
@@ -6784,7 +6784,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
e53605
     if (fd < 0)
e53605
         goto cleanup;
e53605
 
e53605
-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
e53605
+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
e53605
         goto cleanup;
e53605
 
e53605
     ret = qemuDomainDefFormatXML(driver, def, flags);
e53605
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
e53605
index 28c8febabd..52b92334fa 100644
e53605
--- a/src/remote/remote_protocol.x
e53605
+++ b/src/remote/remote_protocol.x
e53605
@@ -5226,8 +5226,7 @@ enum remote_procedure {
e53605
     /**
e53605
      * @generate: both
e53605
      * @priority: high
e53605
-     * @acl: domain:read
e53605
-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
e53605
+     * @acl: domain:write
e53605
      */
e53605
     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
e53605
 
e53605
-- 
e53605
2.22.0
e53605