[PATCH v2] virt-aa-helper: disallow graphics socket read permissions
Simon Arlott
libvirt at octiron.net
Sat Jan 2 14:19:43 UTC 2021
On 01/09/2020 11:11, Christian Ehrhardt wrote:
> On Thu, May 28, 2020 at 12:45 PM Simon Arlott <libvirt at octiron.net> wrote:
>>
>> The VM does not need read permission for its own sockets to create,
>> bind(), listen(), accept() connections or to recv(), send(), etc. on
>> those connections.
>>
>> This was fixed in ab9569e5460d1e4737fe8b625c67687dc2204665
>> (virt-aa-helper: disallow VNC socket read permissions),
>> but then b6465e1aa49397367a9cd0f27110b9c2280a7385
>> (graphics: introduce new listen type 'socket')
>> and acc83afe333bfadd3f7f79091d38ca3d7da1eeb2
>> (acc83afe333bfadd3f7f79091d38ca3d7da1eeb2) reverted it.
>>
>> Unless the read permission is omitted, VMs can connect to each other's
>> VNC/graphics sockets.
>
> As only the defined path from the XML is allowed that would only apply
> if one specified the same path in each VM definition right?
> That would be borderline to "intentionally configured that way".
Where is it documented that it is unsafe to configure multiple VMs to
use the same directory for VNC files?
The application of AppArmor restrictions to directories instead of files
is an implementation detail that is not mentioned in the configuration
documentation. It is therefore not "intentionally configured that way"
if no users are made aware of potential security problems.
>> Signed-off-by: Simon Arlott <libvirt at octiron.net>
>> ---
>> Updated version that changes the test case too.
>>
>> src/security/virt-aa-helper.c | 2 +-
>> tests/virt-aa-helper-test | 2 +-
>> 2 files changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
>> index 6e6dd1b1db..fddbdafc41 100644
>> --- a/src/security/virt-aa-helper.c
>> +++ b/src/security/virt-aa-helper.c
> [...]
>
>> <graphics type='vnc' socket='/var/lib/libvirt/qemu/myself.vnc'><listen type='address' address='0.0.0.0'/></graphics>
>
> Isn't that option above converted to "-vnc unix:path"?
> Hmm, no as ./tests/qemuxml2argvdata/graphics-vnc-remove-generated-socket.args
> shows it is actually removed later.
>
> But the attribute that virt-aa-helper parses in the lines you touched
> is used for good cases as well, cases like these:
> ./tests/qemuxml2argvdata/graphics-vnc-socket-new-cmdline.args
> ./tests/qemuxml2argvdata/graphics-vnc-socket.args
>
> In which case qemu would need to write to it as it is meant to [1]:
> "... Rather than using listen/port, QEMU supports a socket attribute
> for listening on a unix domain socket path Since 0.8.8 . ..."
I'm not trying to remove write permission. I'm trying to remove read
permission.
I sent an updated version 3 of the patch in September that includes a
comment explaining this. This appears to be the main problem with socket
permissions; everyone assumes that write permission should always imply
read permission because that is how files are normally handled.
--
Simon Arlott
More information about the libvir-list
mailing list