mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-09-09 17:44:57 +03:00

Compare commits


6 Commits

Author SHA1 Message Date
Ján Tomko
1e51b78a92 api: disallow virConnectGetDomainCapabilities on read-only connections
This API can be used to execute arbitrary emulators.
Forbid it on read-only connections.

Fixes: CVE-2019-10167
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit 8afa68bac0)
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 10:18:16 +02:00
Ján Tomko
a9e40f2320 api: disallow virDomainSaveImageGetXMLDesc on read-only connections
The virDomainSaveImageGetXMLDesc API is taking a path parameter,
which can point to any path on the system. This file will then be
read and parsed by libvirtd running with root privileges.

Forbid it on read-only connections.

Fixes: CVE-2019-10161
Reported-by: Matthias Gerstner <mgerstner@suse.de>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit aed6a032ce)
Signed-off-by: Ján Tomko <jtomko@redhat.com>

Conflicts:
  src/libvirt-domain.c
  src/remote/remote_protocol.x

Upstream commit 12a51f372 which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE
alias for VIR_DOMAIN_XML_SECURE is not backported.
Just skip the commit since we now disallow the whole API on read-only
connections, regardless of the flag.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-24 10:18:16 +02:00
Andrea Bolognani
c998537991 spec: Fix indentation
Commit ffc49e579c broke syntax-check:

  cppi: libvirt.spec.in: line 622: not properly indented
  cppi: libvirt.spec.in: line 624: not properly indented
  cppi: libvirt.spec.in: line 640: not properly indented
  cppi: libvirt.spec.in: line 642: not properly indented
  maint.mk: incorrect preprocessor indentation
  cfg.mk:697: recipe for target 'sc_spec_indentation' failed

Indent the new conditionals properly.

(cherry picked from commit 55d8daa07e)
2016-10-04 11:59:11 +02:00
Martin Kletzander
8b7b45065e qemu: Only use memory-backend-file with NUMA if needed
If this reminds you of a commit message from around a year ago, it's
41c2aa729f and yes, we're dealing with
"the same thing" again.  Or f309db1f4d and
it's similar.

There is logic in place that if there is no real need for
memory-backend-file, qemuBuildMemoryBackendStr() returns 0.  However
that wasn't the case with hugepage backing.  The reason for that was
that we abused the 'pagesize' variable for storing that information, but
we should rather have a separate one that specifies whether we really
need the new object for hugepage backing.  And that variable should be
set only if this particular NUMA cell needs special treatment WRT
hugepages.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1372153

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
(cherry picked from commit 4372a7845acbc6974f6027ef68e7dd3eeb47f425)
2016-10-04 08:37:49 +02:00
John Ferlan
b9fed351d4 qemu: Fix the command line generation for rbd auth using aes secrets
https://bugzilla.redhat.com/show_bug.cgi?id=1182074

Since libvirt still uses a legacy qemu arg format to add a disk, the
manner in which the 'password-secret' argument is passed to qemu needs
to change to prepend a 'file.' If the more modern disk format is used
in the future, the prepended 'file.' can be removed.

Fix based on Jim Fehlig <jfehlig@suse.com> posting and subsequent
upstream list followups, see:

http://www.redhat.com/archives/libvir-list/2016-August/msg00777.html

for details. Introduced by commit id 'a1344f70'.

(cherry picked from commit d53d465083)

Resolved a couple of conflicts due to upstream commits not present
in the v2.0-maint branch
2016-08-17 08:26:20 -04:00
Daniel P. Berrange
f3cac03520 libvirt.spec.in: require systemd-container on >= f24
The systemd-machined tools libvirt uses were split into a
systemd-container RPM. Without depending on this, libvirt
may silently fall back to the non-systemd cgroup impl, which
is not desirable.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit ffc49e579c)
2016-07-13 17:13:32 +01:00
7 changed files with 23 additions and 23 deletions


@@ -618,6 +618,9 @@ Requires: gzip
Requires: bzip2
Requires: lzop
Requires: xz
%if 0%{?fedora} >= 24
Requires: systemd-container
%endif
%description daemon-driver-qemu
The qemu driver plugin for the libvirtd daemon, providing
@@ -633,6 +636,9 @@ Group: Development/Libraries
Requires: libvirt-daemon = %{version}-%{release}
# There really is a hard cross-driver dependency here
Requires: libvirt-daemon-driver-network = %{version}-%{release}
%if 0%{?fedora} >= 24
Requires: systemd-container
%endif
%description daemon-driver-lxc
The LXC driver plugin for the libvirtd daemon, providing


@@ -1077,9 +1077,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
* previously by virDomainSave() or virDomainSaveFlags().
*
* No security-sensitive data will be included unless @flags contains
* VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
* connections. For this API, @flags should not contain either
* VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
* VIR_DOMAIN_XML_SECURE.
*
* Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
* error. The caller must free() the returned value.
@@ -1095,12 +1093,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,
virCheckConnectReturn(conn, NULL);
virCheckNonNullArgGoto(file, error);
if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
_("virDomainSaveImageGetXMLDesc with secure flag"));
goto error;
}
virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->domainSaveImageGetXMLDesc) {
char *ret;
@@ -11316,6 +11309,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
virResetLastError();
virCheckConnectReturn(conn, NULL);
virCheckReadOnlyGoto(conn->flags, error);
if (conn->driver->connectGetDomainCapabilities) {
char *ret;
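Review bot: The doc comment of virDomainSaveImageGetXMLDesc in the first hunk no longer mentions read-only connections at all: the old sentence said only that VIR_DOMAIN_XML_SECURE is rejected there, and it appears to have been dropped without a replacement, while the body now rejects every call via `virCheckReadOnlyGoto(conn->flags, error);`. I would add a sentence to the comment such as `* This API is rejected on read-only connections, regardless of @flags.` so that a client author learns this from the API documentation and not from an error at run time. The same sentence would fit the doc comment of virConnectGetDomainCapabilities, which gains the same check in the third hunk. That comment and the rest of both function bodies lie outside the visible hunks, so the wording may already be present there.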


@@ -1233,7 +1233,7 @@ qemuBuildDriveStr(virDomainDiskDefPtr disk,
virBufferAddLit(&opt, ",");
if (secinfo && secinfo->type == VIR_DOMAIN_SECRET_INFO_TYPE_AES) {
virBufferAsprintf(&opt, "password-secret=%s,",
virBufferAsprintf(&opt, "file.password-secret=%s,",
secinfo->s.aes.alias);
}
@@ -2924,6 +2924,7 @@ qemuBuildMemoryBackendStr(unsigned long long size,
int ret = -1;
virJSONValuePtr props = NULL;
bool nodeSpecified = virDomainNumatuneNodeSpecified(def->numa, guestNode);
bool needHugepage = !!pagesize;
*backendProps = NULL;
*backendType = NULL;
@@ -2946,10 +2947,10 @@ qemuBuildMemoryBackendStr(unsigned long long size,
mode = VIR_DOMAIN_NUMATUNE_MEM_STRICT;
if (pagesize == 0) {
bool thisHugepage = false;
/* Find the huge page size we want to use */
for (i = 0; i < def->mem.nhugepages; i++) {
bool thisHugepage = false;
hugepage = &def->mem.hugepages[i];
if (!hugepage->nodemask) {
@@ -2971,6 +2972,7 @@ qemuBuildMemoryBackendStr(unsigned long long size,
if (thisHugepage) {
/* Hooray, we've found the page size */
needHugepage = true;
break;
}
}
@@ -3077,7 +3079,7 @@ qemuBuildMemoryBackendStr(unsigned long long size,
}
/* If none of the following is requested... */
if (!pagesize && !userNodeset && !memAccess && !nodeSpecified && !force) {
if (!needHugepage && !userNodeset && !memAccess && !nodeSpecified && !force) {
/* report back that using the new backend is not necessary
* to achieve the desired configuration */
ret = 1;
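Review bot: The `file.` prefix added in the qemuBuildDriveStr hunk has no comment explaining it, at least within the lines shown, so a later reader cannot tell why `password-secret` is written as `file.password-secret`. The commit message gives the reason (the legacy disk argument format) and says the prefix can be removed once the modern format is used; that belongs next to the code, for example `/* legacy -drive syntax needs the "file." prefix here; drop it once the modern disk format is used */` above the `virBufferAsprintf` call. qemuBuildDriveStr starts and ends outside the hunk, so such a comment may exist further up.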


@@ -6633,7 +6633,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
if (fd < 0)
goto cleanup;
if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
goto cleanup;
ret = qemuDomainDefFormatXML(driver, def, flags);
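Review bot: The ACL check for this API no longer looks at @flags, so VIR_DOMAIN_XML_SECURE is not tied to the read_secure permission any more: the call reads `virDomainSaveImageGetXMLDescEnsureACL(conn, def)` while `flags` is still passed on to `qemuDomainDefFormatXML(driver, def, flags)`. The +/- markers are lost on this page, so I am reading the `@acl: domain:write` line in the remote_protocol.x section (REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC) as the new side, replacing both `domain:read` and `domain:read_secure:VIR_DOMAIN_XML_SECURE`. With a fine-grained access policy that grants domain:write but withholds domain:read_secure, the secure XML would then be returned where it was refused before. If that is not intended, keeping `* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE` next to `* @acl: domain:write` and passing `flags` to the EnsureACL call would preserve the old restriction; if it is intended, a comment at the @acl lines saying so would help. qemuDomainSaveImageGetXMLDesc starts and ends outside the hunk.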


@@ -4984,8 +4984,7 @@ enum remote_procedure {
/**
* @generate: both
* @priority: high
* @acl: domain:read
* @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
* @acl: domain:write
*/
REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,


@@ -26,6 +26,7 @@ data=9eao5F8qtkGt+seB1HYivWIxbtwUu6MQtg1zpj/oDtUsPr1q8wBYM91uEHCn6j/1,\
keyid=masterKey0,iv=AAECAwQFBgcICQoLDA0ODw==,format=base64 \
-drive 'file=rbd:pool/image:id=myname:auth_supported=cephx\;none:\
mon_host=mon1.example.org\:6321\;mon2.example.org\:6322\;mon3.example.org\:6322,\
password-secret=virtio-disk0-secret0,format=raw,if=none,id=drive-virtio-disk0' \
file.password-secret=virtio-disk0-secret0,format=raw,if=none,\
id=drive-virtio-disk0' \
-device virtio-blk-pci,bus=pci.0,addr=0x3,drive=drive-virtio-disk0,\
id=virtio-disk0


@@ -10,12 +10,10 @@ QEMU_AUDIO_DRV=none \
-M pc \
-m 1024 \
-smp 2 \
-object memory-backend-file,id=ram-node0,prealloc=yes,\
mem-path=/dev/hugepages2M/libvirt/qemu,size=268435456 \
-numa node,nodeid=0,cpus=0,memdev=ram-node0 \
-object memory-backend-file,id=ram-node1,prealloc=yes,\
mem-path=/dev/hugepages2M/libvirt/qemu,size=805306368 \
-numa node,nodeid=1,cpus=1,memdev=ram-node1 \
-mem-prealloc \
-mem-path /dev/hugepages2M/libvirt/qemu \
-numa node,nodeid=0,cpus=0,mem=256 \
-numa node,nodeid=1,cpus=1,mem=768 \
-uuid ef1bdff4-27f3-4e85-a807-5fb4d58463cc \
-nographic \
-nodefaults \