[libvirt] [PATCH 9/9] remote: pass identity across to newly opened daemons

Michal Privoznik mprivozn at redhat.com
Fri Sep 13 15:40:29 UTC 2019


On 9/13/19 5:23 PM, Daniel P. Berrangé wrote:
> On Fri, Sep 13, 2019 at 05:13:09PM +0200, Michal Privoznik wrote:
>> On 9/5/19 1:56 PM, Daniel P. Berrangé wrote:
>>> When opening a connection to a second driver inside the daemon, we must
>>> ensure the identity of the current user is passed across. This allows
>>> the second daemon to perform access control checks against the real end
>>> users, instead of against the libvirt daemon that's proxying across the
>>> API calls.
>>>
>>> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
>>> ---
>>>    src/libvirt_remote.syms             |   1 +
>>>    src/remote/remote_daemon_dispatch.c | 112 +++++++++++++++++++++++++---
>>>    src/remote/remote_driver.c          |   1 +
>>>    src/remote/remote_protocol.x        |  16 +++-
>>>    src/remote_protocol-structs         |   8 ++
>>>    src/rpc/virnetserverclient.c        |  12 +++
>>>    src/rpc/virnetserverclient.h        |   2 +
>>>    7 files changed, 139 insertions(+), 13 deletions(-)
>>>
>>
>>
>>>    /* Define the program number, protocol version and procedure numbers here. */
>>> @@ -6603,5 +6611,11 @@ enum remote_procedure {
>>>         * @generate: none
>>>         * @acl: domain:write
>>>         */
>>> -    REMOTE_PROC_DOMAIN_GET_GUEST_INFO = 418
>>> +    REMOTE_PROC_DOMAIN_GET_GUEST_INFO = 418,
>>> +
>>> +    /**
>>> +     * @generate: client
>>> +     * @acl: connect:write
>>> +     */
>>> +    REMOTE_PROC_CONNECT_SET_IDENTITY = 419
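Review bot: The new REMOTE_PROC_CONNECT_SET_IDENTITY procedure is gated only by `@acl: connect:write`, which means any client holding write access on the connection can assert an arbitrary identity, not just the proxying daemon; consider introducing a dedicated permission for this operation (or at minimum stating in the procedure's doc comment that write access is treated as equivalent to root, so the trust assumption is explicit next to the ACL annotation). Also, with `@generate: client` only the client stub is generated, so the hand-written server dispatcher in remote_daemon_dispatch.c is where the identity is actually accepted and applied; a pointer to that in the comment would help reviewers of the access-control path.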
>>
>> IIUC, the only thing that stops a malicious user from switching identity is
>> that they have write access on the opened connection?
> 
> We consider 'write' access as equivalent to root shell access, but perhaps
> there is nonetheless value in having an explicit permission bit for this
> operation.
> 

Agreed, you can post it in as a follow up patch.

>> Because on one hand we want secondary daemons to accept identity switches
>> from the proxy daemon, but at the same time we don't want users to do that.
> 
> In an out of the box config with no ACLs defined in polkit, this will
> correctly operate. The proxy will get approved by default since it is
> running root & thus polkit grants access regardless. Everything else
> is denied by default.
> 
> If polkit is not enabled, then the user can invoke this RPC, but of
> course without polkit your privileges are again equiv to root.

Right, this is exactly what I thought. Alright,

Reviewed-by: Michal Privoznik <mprivozn at redhat.com> to the whole patchset.

Michal