api: disallow virDomainSaveImageGetXMLDesc on read-only connections

The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: N Matthias Gerstner <mgerstner@suse.de> Signed-off-by: N Ján Tomko <jtomko@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit aed6a032) Signed-off-by: N Ján Tomko <jtomko@redhat.com> Conflicts: src/libvirt-domain.c src/remote/remote_protocol.x Upstream commit 12a51f37 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE alias for VIR_DOMAIN_XML_SECURE is not backported. Just skip the commit since we now disallow the whole API on read-only connections, regardless of the flag. Signed-off-by: N Ján Tomko <jtomko@redhat.com>

api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: N Matthias Gerstner <mgerstner@suse.de> Signed-off-by: N Ján Tomko <jtomko@redhat.com> Reviewed-by: N Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit aed6a032) Signed-off-by: N Ján Tomko <jtomko@redhat.com> Conflicts: src/libvirt-domain.c src/remote/remote_protocol.x Upstream commit 12a51f37 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE alias for VIR_DOMAIN_XML_SECURE is not backported. Just skip the commit since we now disallow the whole API on read-only connections, regardless of the flag. Signed-off-by: N Ján Tomko <jtomko@redhat.com>
97829dcb · Ján Tomko · 70b7b691 · 97829dcb · 97829dcb · 97829dcb
隐藏空白更改
内联并排

Showing with 4 addition and 12 deletion

src/libvirt-domain.c src/libvirt-domain.c +2 -9

src/qemu/qemu_driver.c src/qemu/qemu_driver.c +1 -1

src/remote/remote_protocol.x src/remote/remote_protocol.x +1 -2

未找到文件。
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -1077,9 +1077,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
 * previously by virDomainSave() or virDomainSaveFlags().
 *
 * No security-sensitive data will be included unless @flags contains
- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
- * connections.  For this API, @flags should not contain either
- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+ * VIR_DOMAIN_XML_SECURE.
 *
 * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
 * error.  The caller must free() the returned value.
@@ -1095,12 +1093,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,

    virCheckConnectReturn(conn, NULL);
    virCheckNonNullArgGoto(file, error);
-
-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
-        goto error;
-    }
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->domainSaveImageGetXMLDesc) {
        char *ret;

--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6757,7 +6757,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
    if (fd < 0)
        goto cleanup;

-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
        goto cleanup;

    ret = qemuDomainDefFormatXML(driver, def, flags);

--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -5009,8 +5009,7 @@ enum remote_procedure {
    /**
     * @generate: both
     * @priority: high
-     * @acl: domain:read
-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+     * @acl: domain:write
     */
    REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,