I have pushed the following series to the master branch, as well as
the backport of patch 4 to all branches impacted by the CVE
(v1.1.0 onwards). Basically, when ACLs permit fine-grained control
of what domains a user can manage, a user that was denied
domain:getattr for a particular domain, or denied
connect:search_domains in general, could use the event registration
API to gain access to domains that should have been hidden from that
user. The patch was reviewed offlist during the time when the
vulnerability was under embargo.
In the process of fixing this, I made quite a few improvements to
the underlying mechanisms for events. Among other things, I
want to switch libvirt over to using server-side filtering rather
than the current implementation of client-side filtering, for
increased efficiency in the case where a hypervisor hosts many
guests but the client only cares about events on a small subset of
those guests. The existing RPC calls for domain events did not
allow this, but the brand new network events had not yet had their
RPC baked with a formal release. At one point, I had tried making
the use of connect:search_networks conditional on whether a
non-NULL network had been requested, which requires server-side
filtering. The final incarnation of the CVE fix no longer bypasses
connect:search_networks for a NULL network, so the first three
patches are now technically unrelated to the CVE fix; but as the
work is already done and reviewed and as it is easier to avoid
bloat in the RPC protocol by getting it right from the beginning,
I still pushed those patches to the master branch. NOTE: if you
were testing network events with libvirt.git or with the 1.2.1
release candidates, you must ensure that you match your client's
use of libvirt.so with the libvirtd - early users of network
events are unable to communicate with the RPC wire representation
that will actually be in 1.2.1 as a result of this series.
I will also be posting a followup series, for application after
1.2.1 is released, which adds server-side filtering of domain
events, as the counterpart of the network event filtering
added in this series. There, we already have existing RPC code
baked into releases, so there is no longer a rush to get the
patches in before a release freezes a mistake.
Eric Blake (4):
event: track callbackID on daemon side of RPC
event: add notion of remoteID for filtering client network events
event: wire up RPC for server-side network event filtering
event: filter global events by domain:getattr ACL [CVE-2014-0028]
daemon/libvirtd.h | 7 +-
daemon/remote.c | 131 +++++++++++++++++--------
src/access/viraccessperm.h | 6 +-
src/conf/domain_event.c | 38 ++++++-
src/conf/domain_event.h | 10 +-
src/conf/network_event.c | 69 ++++++++++++-
src/conf/network_event.h | 18 +++-
src/conf/object_event.c | 212 ++++++++++++++++++++++++++++++++--------
src/conf/object_event.h | 30 +++---
src/conf/object_event_private.h | 31 ++++++
src/libvirt_private.syms | 1 -
src/libxl/libxl_driver.c | 2 +
src/lxc/lxc_driver.c | 2 +
src/network/bridge_driver.c | 1 +
src/qemu/qemu_driver.c | 2 +
src/remote/remote_driver.c | 86 +++++++++-------
src/remote/remote_protocol.x | 23 ++---
src/remote_protocol-structs | 9 +-
src/test/test_driver.c | 6 +-
src/uml/uml_driver.c | 2 +
src/vbox/vbox_tmpl.c | 4 +-
src/xen/xen_driver.c | 2 +
22 files changed, 527 insertions(+), 165 deletions(-)
--
1.8.4.2
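Added example, not part of the original post or of libvirt's code: a small constructed model of an event dispatcher that shows the leak described above (a global callback delivering events for a domain the user is denied domain:getattr on) and the per-event ACL check that closes it. The `Dispatcher`, `Callback` and ACL dictionaries are hypothetical names and constructed data.

```python
from dataclasses import dataclass, field

@dataclass
class Callback:
    user: str
    dom: "str | None"               # None = global callback (all domains)
    received: list = field(default_factory=list)

class Dispatcher:
    # Hypothetical ACL (constructed): users granted connect:search_domains and,
    # per user, the domains on which domain:getattr is denied.
    def __init__(self, can_search, getattr_denied, filter_global):
        self.can_search = can_search
        self.getattr_denied = getattr_denied
        self.filter_global = filter_global   # False models the pre-fix daemon
        self.callbacks = []

    def can_getattr(self, user, dom):
        return dom not in self.getattr_denied.get(user, set())

    def register(self, user, dom=None):
        # Registration-time checks only: a global callback needs just
        # connect:search_domains, a per-domain one needs domain:getattr.
        if dom is None and user not in self.can_search:
            return None
        if dom is not None and not self.can_getattr(user, dom):
            return None
        cb = Callback(user, dom)
        self.callbacks.append(cb)
        return cb

    def dispatch(self, dom, event):
        for cb in self.callbacks:
            if cb.dom is not None and cb.dom != dom:
                continue
            # The fix: re-check domain:getattr per event for global callbacks,
            # so a denied domain stays hidden instead of leaking via events.
            if cb.dom is None and self.filter_global \
                    and not self.can_getattr(cb.user, dom):
                continue
            cb.received.append((dom, event))

def seen_by_restricted_user(filter_global):
    # Constructed scenario: 'bob' may search domains but is denied
    # domain:getattr on 'secret'; return what his global callback receives.
    d = Dispatcher({"bob"}, {"bob": {"secret"}}, filter_global)
    cb = d.register("bob")
    for dom, ev in [("web", "started"), ("secret", "started"), ("web", "stopped")]:
        d.dispatch(dom, ev)
    return cb.received
```

With `filter_global=False` the restricted user learns of the `secret` domain through its events; with the per-event check the same registration only yields events for domains the user is allowed to see.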