Blame SOURCES/libvirt-api-disallow-virDomainSaveImageGetXMLDesc-on-read-only-connections.patch

c480ed
From 8533d820c378ae31176922703b7368f586a59bc0 Mon Sep 17 00:00:00 2001
c480ed
Message-Id: <8533d820c378ae31176922703b7368f586a59bc0@dist-git>
978831
From: =?UTF-8?q?J=C3=A1n=20Tomko?= <jtomko@redhat.com>
978831
Date: Tue, 18 Jun 2019 13:29:59 +0200
978831
Subject: [PATCH] api: disallow virDomainSaveImageGetXMLDesc on read-only
978831
 connections
978831
MIME-Version: 1.0
978831
Content-Type: text/plain; charset=UTF-8
978831
Content-Transfer-Encoding: 8bit
978831
978831
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
978831
which can point to any path on the system. This file will then be
978831
read and parsed by libvirtd running with root privileges.
978831
978831
Forbid it on read-only connections.
978831
978831
Fixes: CVE-2019-10161
978831
Reported-by: Matthias Gerstner <mgerstner@suse.de>
978831
Signed-off-by: Ján Tomko <jtomko@redhat.com>
978831
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
978831
Signed-off-by: Ján Tomko <jtomko@redhat.com>
978831
978831
Conflicts:
978831
  src/libvirt-domain.c
978831
  src/remote/remote_protocol.x
978831
978831
Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
978831
alias for VIR_DOMAIN_XML_SECURE is not backported.
978831
Just skip the commit since we now disallow the whole API on read-only
978831
connections, regardless of the flag.
978831
Message-Id: <4c14d609cd7b548459b9ef2f59728fa5c5e38268.1560857354.git.jtomko@redhat.com>
978831
978831
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
978831
---
978831
 src/libvirt-domain.c         | 11 ++---------
978831
 src/qemu/qemu_driver.c       |  2 +-
978831
 src/remote/remote_protocol.x |  3 +--
978831
 3 files changed, 4 insertions(+), 12 deletions(-)
978831
978831
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
978831
index ad0ded9ee3..0ba85b9360 100644
978831
--- a/src/libvirt-domain.c
978831
+++ b/src/libvirt-domain.c
978831
@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
978831
  * previously by virDomainSave() or virDomainSaveFlags().
978831
  *
978831
  * No security-sensitive data will be included unless @flags contains
978831
- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
978831
- * connections.  For this API, @flags should not contain either
978831
- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
978831
+ * VIR_DOMAIN_XML_SECURE.
978831
  *
978831
  * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
978831
  * error.  The caller must free() the returned value.
978831
@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
978831
 
978831
     virCheckConnectReturn(conn, NULL);
978831
     virCheckNonNullArgGoto(file, error);
978831
-
978831
-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
978831
-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
978831
-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
978831
-        goto error;
978831
-    }
978831
+    virCheckReadOnlyGoto(conn->flags, error);
978831
 
978831
     if (conn->driver->domainSaveImageGetXMLDesc) {
978831
         char *ret;
978831
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
978831
index 88c08f88ee..2da87992fd 100644
978831
--- a/src/qemu/qemu_driver.c
978831
+++ b/src/qemu/qemu_driver.c
978831
@@ -6786,7 +6786,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
978831
     if (fd < 0)
978831
         goto cleanup;
978831
 
978831
-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
978831
+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
978831
         goto cleanup;
978831
 
978831
     ret = qemuDomainDefFormatXML(driver, def, flags);
978831
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
978831
index 28c8febabd..52b92334fa 100644
978831
--- a/src/remote/remote_protocol.x
978831
+++ b/src/remote/remote_protocol.x
978831
@@ -5226,8 +5226,7 @@ enum remote_procedure {
978831
     /**
978831
      * @generate: both
978831
      * @priority: high
978831
-     * @acl: domain:read
978831
-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
978831
+     * @acl: domain:write
978831
      */
978831
     REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
978831
 
978831
-- 
978831
2.22.0
978831