[libvirt] [PATCH RFC] lib: Forbid guest interaction with RO connections in virDomainGetVcpusFlags
Peter Krempa
pkrempa at redhat.com
Tue Jul 16 14:37:00 UTC 2013
Don't allow guest agent interaction by read-only connections as the
agent may be mailicious.
---
src/libvirt.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/libvirt.c b/src/libvirt.c
index 0cdac0d..f064f32 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -9891,6 +9891,12 @@ virDomainGetVcpusFlags(virDomainPtr domain, unsigned int flags)
return -1;
}
+ if (flags & VIR_DOMAIN_VCPU_GUEST &&
+ domain->conn->flags & VIR_CONNECT_RO) {
+ virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+ goto error;
+ }
+
/* At most one of these two flags should be set. */
if ((flags & VIR_DOMAIN_AFFECT_LIVE) &&
(flags & VIR_DOMAIN_AFFECT_CONFIG)) {
--
1.8.3.2
More information about the libvir-list
mailing list