    event: filter global events by domain:getattr ACL [CVE-2014-0028] · f9f56340
    Committed by Eric Blake
    Ever since ACL filtering was added in commit 76397360 (v1.1.1), a
    user could still use event registration to obtain access to a
    domain that they could not normally access via virDomainLookup*
    or virConnectListAllDomains and friends.  We already have the
    framework in the RPC generator for creating the filter, and
    previous cleanup patches got us to the point that we can now
    wire the filter through the entire object event stack.
    
    Furthermore, whether or not domain:getattr is honored, use of
    global events is a form of obtaining a list of networks, which
    is covered by connect:search_domains added in a93cd08f (v1.1.0).
    Ideally, we'd have a way to enforce connect:search_domains when
    doing global registrations while omitting that check on a
    per-domain registration.  But this patch just unconditionally
    requires connect:search_domains, even when no list could be
    obtained, based on the following observations:
    1. Administrators are unlikely to grant domain:getattr for one
    or all domains while still denying connect:search_domains - a
    user that is able to manage domains will want to be able to
    manage them efficiently, but efficient management includes being
    able to list the domains they can access.  The idea of denying
    connect:search_domains while still granting access to individual
    domains is therefore not adding any real security, but just
    serves as a layer of obscurity to annoy the end user.
    2. In the current implementation, domain events are filtered
    on the client; the server has no idea if a domain filter was
    requested, and must therefore assume that all domain event
    requests are global.  Even if we fix the RPC protocol to
    allow for server-side filtering for newer client/server combos,
    making the connect:search_domains ACL check conditional on
    whether the domain argument was NULL won't benefit older clients.
    Therefore, we choose to document that connect:search_domains
    is a pre-requisite to any domain event management.
    
    Network events need the same treatment, with the obvious
    change of using connect:search_networks and network:getattr.
    
    * src/access/viraccessperm.h
    (VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
    (VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
    effect of the permission.
    * src/conf/domain_event.h (virDomainEventStateRegister)
    (virDomainEventStateRegisterID): Add new parameter.
    * src/conf/network_event.h (virNetworkEventStateRegisterID):
    Likewise.
    * src/conf/object_event_private.h (virObjectEventStateRegisterID):
    Likewise.
    * src/conf/object_event.c (_virObjectEventCallback): Track a filter.
    (virObjectEventDispatchMatchCallback): Use filter.
    (virObjectEventCallbackListAddID): Register filter.
    * src/conf/domain_event.c (virDomainEventFilter): New function.
    (virDomainEventStateRegister, virDomainEventStateRegisterID):
    Adjust callers.
    * src/conf/network_event.c (virNetworkEventFilter): New function.
    (virNetworkEventStateRegisterID): Adjust caller.
    * src/remote/remote_protocol.x
    (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
    (REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
    (REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
    filter, and require connect:search_domains instead of weaker
    connect:read.
    * src/test/test_driver.c (testConnectDomainEventRegister)
    (testConnectDomainEventRegisterAny)
    (testConnectNetworkEventRegisterAny): Update callers.
    * src/remote/remote_driver.c (remoteConnectDomainEventRegister)
    (remoteConnectDomainEventRegisterAny): Likewise.
    * src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
    (xenUnifiedConnectDomainEventRegisterAny): Likewise.
    * src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
    * src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
    (libxlConnectDomainEventRegisterAny): Likewise.
    * src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
    (qemuConnectDomainEventRegisterAny): Likewise.
    * src/uml/uml_driver.c (umlConnectDomainEventRegister)
    (umlConnectDomainEventRegisterAny): Likewise.
    * src/network/bridge_driver.c
    (networkConnectNetworkEventRegisterAny): Likewise.
    * src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
    (lxcConnectDomainEventRegisterAny): Likewise.
    Signed-off-by: Eric Blake <eblake@redhat.com>
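
The two checks the commit message describes, a connect-level gate at registration and a per-object filter applied at dispatch, can be sketched as follows. This is an added example, not libvirt code: every type, function and sample identity here is hypothetical, and a plain list of domain names stands in for the real ACL lookup.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model, not libvirt code; all names and data are constructed. */
typedef struct { const char *domain; const char *what; } event_t;
typedef struct { bool search_domains; const char *getattr[4]; } identity_t;
typedef bool (*event_filter)(const identity_t *id, const event_t *ev);
typedef struct { const identity_t *id; event_filter filter; int delivered; } callback_t;

static const identity_t alice = { true,  { "web1", NULL } };
static const identity_t carol = { false, { "db1", NULL } };

/* Per-object check, standing in for domain:getattr. */
static bool domain_filter(const identity_t *id, const event_t *ev)
{
    for (size_t i = 0; i < 4 && id->getattr[i]; i++)
        if (strcmp(id->getattr[i], ev->domain) == 0)
            return true;
    return false;
}

/* Registration gate, standing in for connect:search_domains. The filter is
 * stored with the callback; NULL models a caller that supplies no filter. */
int event_register(callback_t *cb, const identity_t *id, event_filter filter)
{
    if (!id->search_domains)
        return -1;
    cb->id = id; cb->filter = filter; cb->delivered = 0;
    return 0;
}

/* Dispatch: a callback with a filter only sees events the filter accepts. */
int event_dispatch(callback_t *cbs, size_t ncbs, const event_t *ev)
{
    int n = 0;
    for (size_t i = 0; i < ncbs; i++) {
        if (cbs[i].filter && !cbs[i].filter(cbs[i].id, ev))
            continue;
        cbs[i].delivered++;
        n++;
    }
    return n;
}

int main(void)
{
    callback_t cb[2];
    event_t ev = { "db1", "started" };
    int denied = event_register(&cb[1], &carol, domain_filter);
    if (event_register(&cb[0], &alice, domain_filter) != 0 || denied != -1)
        return 1;
    return event_dispatch(cb, 1, &ev); /* alice has no getattr on db1 */
}
```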
viraccessperm.h 16.7 KB