authorJán Tomko <jtomko@redhat.com>2019-06-14 08:47:42 +0200
committerJán Tomko <jtomko@redhat.com>2019-06-24 09:53:52 +0200
commit3572564893d1710beb1862797fe32cc2e9cb1e38 (patch)
tree65538c255c6aee758210cba2ab160059cec72729
parentf8d8a7a182c0854fa50d3976077b3a3d8de8980f (diff)
downloadlibvirt-3572564893d1710beb1862797fe32cc2e9cb1e38.tar.gz
api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API takes a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit aed6a032cead4386472afb24b16196579e239580) Signed-off-by: Ján Tomko <jtomko@redhat.com> Conflicts: src/libvirt-domain.c src/remote/remote_protocol.x Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE alias for VIR_DOMAIN_XML_SECURE is not backported. Just skip the commit since we now disallow the whole API on read-only connections, regardless of the flag. Signed-off-by: Ján Tomko <jtomko@redhat.com>
-rw-r--r--src/libvirt-domain.c11
-rw-r--r--src/qemu/qemu_driver.c2
-rw-r--r--src/remote/remote_protocol.x3
3 files changed, 4 insertions, 12 deletions
diff --git a/src/libvirt-domain.c b/src/libvirt-domain.c
index 73d602edca..53299c1f64 100644
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
* previously by virDomainSave() or virDomainSaveFlags().
*
* No security-sensitive data will be included unless @flags contains
- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
- * connections. For this API, @flags should not contain either
- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+ * VIR_DOMAIN_XML_SECURE.
*
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
* error. The caller must free() the returned value.
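Review bot: The rewritten comment no longer tells callers that the API is refused on read-only connections, even though the check in the next hunk now rejects the whole call, not just the secure flag, before dispatching to the driver. Because @file is opened and parsed by the daemon, that restriction is part of the API contract and belongs in this doc block; add after the VIR_DOMAIN_XML_SECURE sentence a line such as `* This API is not permitted on read-only connections, since @file may name any file readable by the daemon.`. The body of virDomainSaveImageGetXMLDesc lies outside this hunk.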
@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
virCheckConnectReturn(conn, NULL);
virCheckNonNullArgGoto(file, error);
-
- if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
- virReportError(VIR_ERR_OPERATION_DENIED, "%s",
- _("virDomainSaveImageGetXMLDesc with secure flag"));
- goto error;
- }
+ virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->domainSaveImageGetXMLDesc) {
char *ret;
diff --git a/src/qemu/qemu_driver.c b/src/qemu/qemu_driver.c
index 7d9e17e72c..1cfe42e634 100644
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -7030,7 +7030,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
if (fd < 0)
goto cleanup;
- if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+ if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
goto cleanup;
ret = qemuDomainDefFormatXML(driver, def, flags);
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 7630b2ed15..d0f1972462 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -5236,8 +5236,7 @@ enum remote_procedure {
/**
* @generate: both
* @priority: high
- * @acl: domain:read
- * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+ * @acl: domain:write
*/
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
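Review bot: Replacing the two `@acl:` lines with `@acl: domain:write` drops the domain:read_secure requirement that previously gated VIR_DOMAIN_XML_SECURE, and the qemu_driver.c hunk above removes `flags` from the virDomainSaveImageGetXMLDescEnsureACL call while still passing `flags` to qemuDomainDefFormatXML. If the ACL model treats read_secure as a permission distinct from write, a caller holding domain:write but not domain:read_secure can now obtain the secure variant of the saved-image XML. Consider keeping the flag-conditional entry alongside the new one, `* @acl: domain:write` followed by `* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE`, so the generated EnsureACL helper keeps its flags argument and the qemu call site stays as it was.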