[libvirt] [PATCH] api: require write permission for guest agent interaction

[Eric Blake]

On 01/22/2014 03:52 AM, Daniel P. Berrange wrote:
> On Tue, Jan 21, 2014 at 10:47:07AM -0700, Eric Blake wrote:
>> I noticed that we allow virDomainGetVcpusFlags even for read-only
>> connections, but that with a flag, it can require guest agent
>> interaction.  It is feasible that a malicious guest could
>> intentionally abuse the replies it sends over the guest agent
>> connection to possibly trigger a bug in libvirt's JSON parser,
>> or withhold an answer so as to prevent the use of the agent
>> in a later command such as a shutdown request.  Although we
>> don't know of any such exploits now (and therefore don't mind
>> posting this patch publicly without trying to get a CVE assigned),
>> it is better to err on the side of caution and explicitly require
>> full access to any domain where the API requires guest interaction
>> to operate correctly.
>>
>> I audited all commands that are marked as conditionally using a
>> guest agent.  Note that at least virDomainFSTrim is documented
>> as needing a guest agent, but that such use is unconditional
>> depending on the hypervisor (so the existing domain:fs_trim ACL
>> should be sufficient there, rather than also requirng domain:write).
>> But when designing future APIs, such as the plans for obtaining
>> a domain's IP addresses, we should copy the approach of this patch
>> in making interaction with the guest be specified via a flag, and
>> use that flag to also require stricter access checks.
>>

> 
> ACK

Thanks; pushed.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 604 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20140122/0b04cabd/attachment-0001.sig>