[libvirt] [PATCH] event: move event filtering to daemon (regression fix)
Daniel P. Berrange
berrange at redhat.com
Wed Feb 5 13:56:58 UTC 2014
On Tue, Jan 28, 2014 at 03:48:19PM -0700, Eric Blake wrote:
> Commit f9f56340 for CVE-2014-0028 almost had the right idea - we
> need to check the ACL rules to filter which events to send. But
> it overlooked one thing: the event dispatch queue is running in
> the main loop thread, and therefore does not normally have a
> current virIdentityPtr. But filter checks can be based on current
> identity, so when libvirtd.conf contains access_drivers=["polkit"],
> we ended up rejecting access for EVERY event due to failure to
> look up the current identity, even if it should have been allowed.
>
> Furthermore, even for events that are triggered by API calls, it
> is important to remember that the point of events is that they can
> be copied across multiple connections, which may have separate
> identities and permissions. So even if events were dispatched
> from a context where we have an identity, we must change to the
> correct identity of the connection that will be receiving the
> event, rather than basing a decision on the context that triggered
> the event, when deciding whether to filter an event to a
> particular connection.
>
> If there were an easy way to get from virConnectPtr to the
> appropriate virIdentityPtr, then object_event.c could adjust the
> identity prior to checking whether to dispatch an event. But
> setting up that back-reference is a bit invasive. Instead, it
> is easier to delay the filtering check until lower down the
> stack, at the point where we have direct access to the RPC
> client object that owns an identity. As such, this patch ends
> up reverting a large portion of the framework of commit f9f56340.
> We also have to teach 'make check' to special-case the fact that
> the event registration filtering is done at the point of dispatch,
> rather than the point of registration. Note that even though we
> don't actually use virConnectDomainEventRegisterCheckACL (because
> the RegisterAny variant is sufficient), we still generate the
> function for the purposes of documenting that the filtering
> takes place.
>
> Also note that I did not entirely delete the notion of a filter
> from object_event.c; I still plan on using that for my upcoming
> patch series for qemu monitor events in libvirt-qemu.so. In
> other words, while this patch changes ACL filtering to live in
> remote.c and therefore we have no current client of the filtering
> in object_event.c, the notion of filtering in object_event.c is
> still useful down the road.
>
> * src/check-aclrules.pl: Exempt event registration from having to
> pass checkACL filter down call stack.
> * daemon/remote.c (remoteRelayDomainEventCheckACL)
> (remoteRelayNetworkEventCheckACL): New functions.
> (remoteRelay*Event*): Use new functions.
> * src/conf/domain_event.h (virDomainEventStateRegister)
> (virDomainEventStateRegisterID): Drop unused parameter.
> * src/conf/network_event.h (virNetworkEventStateRegisterID):
> Likewise.
> * src/conf/domain_event.c (virDomainEventFilter): Delete unused
> function.
> * src/conf/network_event.c (virNetworkEventFilter): Likewise.
> * src/libxl/libxl_driver.c: Adjust caller.
> * src/lxc/lxc_driver.c: Likewise.
> * src/network/bridge_driver.c: Likewise.
> * src/qemu/qemu_driver.c: Likewise.
> * src/remote/remote_driver.c: Likewise.
> * src/test/test_driver.c: Likewise.
> * src/uml/uml_driver.c: Likewise.
> * src/vbox/vbox_tmpl.c: Likewise.
> * src/xen/xen_driver.c: Likewise.
>
> Signed-off-by: Eric Blake <eblake at redhat.com>
> ---
> daemon/remote.c | 257 ++++++++++++++++++++++++++++----------------
> src/check-aclrules.pl | 7 +-
> src/conf/domain_event.c | 35 +-----
> src/conf/domain_event.h | 8 +-
> src/conf/network_event.c | 31 +-----
> src/conf/network_event.h | 6 +-
> src/libxl/libxl_driver.c | 2 -
> src/lxc/lxc_driver.c | 2 -
> src/network/bridge_driver.c | 1 -
> src/qemu/qemu_driver.c | 2 -
> src/remote/remote_driver.c | 4 +-
> src/test/test_driver.c | 6 +-
> src/uml/uml_driver.c | 2 -
> src/vbox/vbox_tmpl.c | 4 +-
> src/xen/xen_driver.c | 2 -
> 15 files changed, 188 insertions(+), 181 deletions(-)
ACK
Daniel
--
|: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org -o- http://virt-manager.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|
More information about the libvir-list
mailing list