[libvirt] [PATCH 0/8] Don't hold both monitor and agent jobs at the same time
Eric Blake
eblake at redhat.com
Thu Dec 5 22:25:09 UTC 2019
On 12/5/19 10:08 AM, Jonathon Jongsma wrote:
> We have to assume that the guest agent may be malicious, so we don't want to
> allow any agent queries to block any other libvirt API. By holding a monitor
> job and an agent job while we're querying the agent, any other threads will be
> blocked from using the monitor while the agent is unresponsive. Because libvirt
> waits forever for an agent response, this makes us vulnerable to a denial of
> service from a malicious (or simply buggy) guest agent.
>
> This series of patches attempts to remove any cases where we were holding both
> jobs at the same time, removes a convenience function which allows us to grab
> both jobs at once, and updates documentation regarding this issue.
>
Are any of these worth CVEs? Are any of the APIs usable on a read-only
connection? (My quick glance says no, it looks like they all require
read-write). What about ACLs?
> Jonathon Jongsma (8):
> qemu: don't take agent and monitor job for shutdown
For example, virDomainShutdownFlags requires @acl
domain:write:VIR_DOMAIN_SHUTDOWN_GUEST_AGENT (that is, if you request
guest agent shutdown, you have to have the equivalent of domain:write
ACL privilege which is effectively root permissions, precisely because
the guest agent is untrusted). While a DoS is bad, you already have
enough permissions to shoot yourself in the foot in other ways, so it is
not a privilege escalation and thus not a CVE.
> qemu: don't hold a monitor and agent job for reboot
> qemu: don't hold both jobs for suspend
> qemu: don't hold monitor and agent job when setting time
> qemu: don't hold monitor job for fsinfo
> qemu: don't hold monitor job for GetGuestInfo()
But virDomainGetFSInfo only requires @acl: domain:fs_freeze. Is it
possible for a user to have domain:fs_freeze permission but not
domain:write permission? If so, we have a CVE because of the DoS, at
least when ACLs are in effect.
> qemu: remove use of qemuDomainObjBeginJobWithAgent()
> qemu: remove qemuDomainObjBegin/EndJobWithAgent()
>
> src/qemu/THREADS.txt | 58 +-----
> src/qemu/qemu_domain.c | 56 +-----
> src/qemu/qemu_domain.h | 7 -
> src/qemu/qemu_driver.c | 405 +++++++++++++++++++++++++----------------
> 4 files changed, 258 insertions(+), 268 deletions(-)
>
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization: qemu.org | libvirt.org
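As an added illustration of the locking problem the cover letter describes (a constructed model, not libvirt code): holding both the monitor and agent job while waiting forever on an unresponsive agent blocks an unrelated monitor-only call, while holding only the agent job lets it proceed.

```python
import threading

class DomainJobs:
    """Constructed stand-in for libvirt's per-domain monitor and agent jobs."""
    def __init__(self):
        self.monitor_job = threading.Lock()
        self.agent_job = threading.Lock()

def query_agent(jobs, agent_reply, jobs_held, hold_monitor_job):
    """Wait on the guest agent. hold_monitor_job=True mirrors the old code
    path that took both jobs; False mirrors the series, which takes only
    the agent job. agent_reply is set by the "agent"; jobs_held is set once
    the jobs are acquired so the caller can time its monitor request."""
    if hold_monitor_job:
        jobs.monitor_job.acquire()
    jobs.agent_job.acquire()
    jobs_held.set()
    try:
        agent_reply.wait()          # libvirt waits forever for a reply
    finally:
        jobs.agent_job.release()
        if hold_monitor_job:
            jobs.monitor_job.release()

def monitor_call(jobs, timeout):
    """An unrelated monitor-only API: True if it got the monitor job in time."""
    if jobs.monitor_job.acquire(timeout=timeout):
        jobs.monitor_job.release()
        return True
    return False

def simulate(hold_monitor_job, timeout=0.5):
    """Run one agent query against an agent that never answers and report
    whether a concurrent monitor-only call could still proceed."""
    jobs = DomainJobs()
    agent_reply, jobs_held = threading.Event(), threading.Event()
    worker = threading.Thread(
        target=query_agent, args=(jobs, agent_reply, jobs_held, hold_monitor_job))
    worker.start()
    jobs_held.wait()
    try:
        return monitor_call(jobs, timeout)
    finally:
        agent_reply.set()           # let the stuck query finish so the thread exits
        worker.join()

if __name__ == "__main__":
    print("both jobs held, monitor call proceeds:", simulate(True))    # False
    print("agent job only, monitor call proceeds:", simulate(False))   # True
```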