api: disallow virConnect*HypervisorCPU on read-only connections

These APIs can be used to execute arbitrary emulators. Forbid them on read-only connections. Fixes: CVE-2019-10168 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit bf6c2830b6) Signed-off-by: Ján Tomko <jtomko@redhat.com>
api: disallow virConnectGetDomainCapabilities on read-only connections
2025-11-03 08:24:18 +03:00 · 2019-06-24 09:54:57 +02:00 · 2019-06-24 09:54:57 +02:00 · 2019-06-24 09:54:57 +02:00 · 2019-06-24 09:54:57 +02:00 · 2019-05-21 13:29:20 +01:00
9 changed files with 34 additions and 12 deletions
--- a/src/admin/admin_server_dispatch.c
+++ b/src/admin/admin_server_dispatch.c
@@ -66,6 +66,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED,
                   void *opaque)
 {
    struct daemonAdmClientPrivate *priv;
+    uid_t clientuid;
+    gid_t clientgid;
+    pid_t clientpid;
+    unsigned long long timestamp;
+
+    if (virNetServerClientGetUNIXIdentity(client,
+                                          &clientuid,
+                                          &clientgid,
+                                          &clientpid,
+                                          &timestamp) < 0)
+        return NULL;
+
+    VIR_DEBUG("New client pid %lld uid %lld",
+              (long long)clientpid,
+              (long long)clientuid);
+
+    if (geteuid() != clientuid) {
+        virReportRestrictedError(_("Disallowing client %lld with uid %lld"),
+                                 (long long)clientpid,
+                                 (long long)clientuid);
+        return NULL;
+    }

    if (VIR_ALLOC(priv) < 0)
        return NULL;
--- a/src/libvirt-domain.c
+++ b/src/libvirt-domain.c
@@ -1073,9 +1073,7 @@ virDomainRestoreFlags(virConnectPtr conn, const char *from, const char *dxml,
 * previously by virDomainSave() or virDomainSaveFlags().
 *
 * No security-sensitive data will be included unless @flags contains
- * VIR_DOMAIN_XML_SECURE; this flag is rejected on read-only
- * connections.  For this API, @flags should not contain either
- * VIR_DOMAIN_XML_INACTIVE or VIR_DOMAIN_XML_UPDATE_CPU.
+ * VIR_DOMAIN_XML_SECURE.
 *
 * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of
 * error.  The caller must free() the returned value.
@@ -1091,12 +1089,7 @@ virDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *file,

    virCheckConnectReturn(conn, NULL);
    virCheckNonNullArgGoto(file, error);
-
-    if ((conn->flags & VIR_CONNECT_RO) && (flags & VIR_DOMAIN_XML_SECURE)) {
-        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
-                       _("virDomainSaveImageGetXMLDesc with secure flag"));
-        goto error;
-    }
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->domainSaveImageGetXMLDesc) {
        char *ret;
@@ -9497,6 +9490,7 @@ virDomainManagedSaveDefineXML(virDomainPtr domain, const char *dxml,

    virCheckDomainReturn(domain, -1);
    conn = domain->conn;
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->domainManagedSaveDefineXML) {
        int ret;
@@ -11288,6 +11282,7 @@ virConnectGetDomainCapabilities(virConnectPtr conn,
    virResetLastError();

    virCheckConnectReturn(conn, NULL);
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->connectGetDomainCapabilities) {
        char *ret;
--- a/src/libvirt-host.c
+++ b/src/libvirt-host.c
@@ -1041,6 +1041,7 @@ virConnectCompareHypervisorCPU(virConnectPtr conn,

    virCheckConnectReturn(conn, VIR_CPU_COMPARE_ERROR);
    virCheckNonNullArgGoto(xmlCPU, error);
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->connectCompareHypervisorCPU) {
        int ret;
@@ -1234,6 +1235,7 @@ virConnectBaselineHypervisorCPU(virConnectPtr conn,

    virCheckConnectReturn(conn, NULL);
    virCheckNonNullArgGoto(xmlCPUs, error);
+    virCheckReadOnlyGoto(conn->flags, error);

    if (conn->driver->connectBaselineHypervisorCPU) {
        char *cpu;
--- a/src/locking/virtlockd-admin.socket.in
+++ b/src/locking/virtlockd-admin.socket.in
@@ -5,6 +5,7 @@ Before=libvirtd.service
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
 Service=virtlockd.service
+SocketMode=0600

 [Install]
 WantedBy=sockets.target
--- a/src/locking/virtlockd.socket.in
+++ b/src/locking/virtlockd.socket.in
@@ -4,6 +4,7 @@ Before=libvirtd.service

 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
+SocketMode=0600

 [Install]
 WantedBy=sockets.target
--- a/src/logging/virtlogd-admin.socket.in
+++ b/src/logging/virtlogd-admin.socket.in
@@ -5,6 +5,7 @@ Before=libvirtd.service
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
 Service=virtlogd.service
+SocketMode=0600

 [Install]
 WantedBy=sockets.target
--- a/src/logging/virtlogd.socket.in
+++ b/src/logging/virtlogd.socket.in
@@ -4,6 +4,7 @@ Before=libvirtd.service

 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
+SocketMode=0600

 [Install]
 WantedBy=sockets.target
--- a/src/qemu/qemu_driver.c
+++ b/src/qemu/qemu_driver.c
@@ -6798,7 +6798,7 @@ qemuDomainSaveImageGetXMLDesc(virConnectPtr conn, const char *path,
    if (fd < 0)
        goto cleanup;

-    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def, flags) < 0)
+    if (virDomainSaveImageGetXMLDescEnsureACL(conn, def) < 0)
        goto cleanup;

    ret = qemuDomainDefFormatXML(driver, def, flags);
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -5226,8 +5226,7 @@ enum remote_procedure {
    /**
     * @generate: both
     * @priority: high
-     * @acl: domain:read
-     * @acl: domain:read_secure:VIR_DOMAIN_XML_SECURE
+     * @acl: domain:write
     */
    REMOTE_PROC_DOMAIN_SAVE_IMAGE_GET_XML_DESC = 235,
Author	SHA1	Message	Date
Ján Tomko	dd88b69a20	api: disallow virConnect*HypervisorCPU on read-only connections These APIs can be used to execute arbitrary emulators. Forbid them on read-only connections. Fixes: CVE-2019-10168 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `bf6c2830b6`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 09:54:57 +02:00
Ján Tomko	6452b9fdff	api: disallow virConnectGetDomainCapabilities on read-only connections This API can be used to execute arbitrary emulators. Forbid it on read-only connections. Fixes: CVE-2019-10167 Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `8afa68bac0`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 09:54:57 +02:00
Ján Tomko	0a744e1551	api: disallow virDomainManagedSaveDefineXML on read-only connections The virDomainManagedSaveDefineXML can be used to alter the domain's config used for managedsave or even execute arbitrary emulator binaries. Forbid it on read-only connections. Fixes: CVE-2019-10166 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `db0b78457f`) Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 09:54:57 +02:00
Ján Tomko	568c735d7b	api: disallow virDomainSaveImageGetXMLDesc on read-only connections The virDomainSaveImageGetXMLDesc API is taking a path parameter, which can point to any path on the system. This file will then be read and parsed by libvirtd running with root privileges. Forbid it on read-only connections. Fixes: CVE-2019-10161 Reported-by: Matthias Gerstner <mgerstner@suse.de> Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `aed6a032ce`) Signed-off-by: Ján Tomko <jtomko@redhat.com> Conflicts: src/libvirt-domain.c src/remote/remote_protocol.x Upstream commit `12a51f372` which introduced the VIR_DOMAIN_SAVE_IMAGE_XML_SECURE alias for VIR_DOMAIN_XML_SECURE is not backported. Just skip the commit since we now disallow the whole API on read-only connections, regardless of the flag. Signed-off-by: Ján Tomko <jtomko@redhat.com>	2019-06-24 09:54:57 +02:00
Daniel P. Berrangé	a474f18dce	logging: restrict sockets to mode 0600 The virtlogd daemon's only intended client is the libvirtd daemon. As such it should never allow clients from other user accounts to connect. The code already enforces this and drops clients from other UIDs, but we can get earlier (and thus stronger) protection against DoS by setting the socket permissions to 0600 Fixes CVE-2019-10132 Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `e37bd65f99`)	2019-05-21 13:29:20 +01:00
Daniel P. Berrangé	ea014c9fcf	locking: restrict sockets to mode 0600 The virtlockd daemon's only intended client is the libvirtd daemon. As such it should never allow clients from other user accounts to connect. The code already enforces this and drops clients from other UIDs, but we can get earlier (and thus stronger) protection against DoS by setting the socket permissions to 0600 Fixes CVE-2019-10132 Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `f111e09468`)	2019-05-21 13:29:20 +01:00
Daniel P. Berrangé	b0f788c2d3	admin: reject clients unless their UID matches the current UID The admin protocol RPC messages are only intended for use by the user running the daemon. As such they should not be allowed for any client UID that does not match the server UID. Fixes CVE-2019-10132 Reviewed-by: Ján Tomko <jtomko@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> (cherry picked from commit `96f41cd765`)	2019-05-21 13:29:20 +01:00