[libvirt] [PATCH 0/4] CVE-2014-0028: domain events vs. ACL filtering

I have pushed the following series to the master branch, as well as the the backport of patch 4 to all branches impacted by the CVE (v1.1.0 onwards). Basically, when ACLs permit fine-grained control of what domains a user can manage, a user that was denied domain:getattr for a particular domain, or denied connect:search_domains in general, could use the event registration API to gain access to domains that should have been hidden from that user. The patch was reviewed offlist during the time when the vulnerability was under embargo. In the process of fixing this, I made quite a few improvements to the underlying mechanisms for events. Among other things, I want to switch libvirt over to using server-side filtering rather than the current implementation of client-side filtering, for increased efficiency in the case where a hypervisor hosts many guests but the client only cares about events on a small subset of those guests. The existing RPC calls for domain events did not allow this, but the brand new network events had not yet had their RPC baked with a formal release. At one point, I had tried making the use of connect:search_networks conditional on whether a non-NULL network had been requested, which requires server-side filtering. The final incarnation of the CVE fix no longer bypasses connect:search_networks for a NULL network, so the first three patches are now technically unrelated to the CVE fix; but as the work is already done and reviewed and as it is easier to avoid bloat in the RPC protocol by getting it right from the beginning, I still pushed those patches to the master branch. NOTE: if you were testing network events with libvirt.git or with the 1.2.1 release candidates, you must ensure that you match your client's use of libvirt.so with the libvirtd - early users of network events are unable to communicate with the RPC wire representation that will actually be in 1.2.1 as a result of this series. I will also be posting a followup series, for application after 1.2.1 is released, which adds server-side filtering of domain events, as the counterpart of the network event filtering added in this series. There, we already have existing RPC code baked into releases, so there is no longer a rush to get the patches in before a release freezes a mistake. Eric Blake (4): event: track callbackID on daemon side of RPC event: add notion of remoteID for filtering client network events event: wire up RPC for server-side network event filtering event: filter global events by domain:getattr ACL [CVE-2014-0028] daemon/libvirtd.h | 7 +- daemon/remote.c | 131 +++++++++++++++++-------- src/access/viraccessperm.h | 6 +- src/conf/domain_event.c | 38 ++++++- src/conf/domain_event.h | 10 +- src/conf/network_event.c | 69 ++++++++++++- src/conf/network_event.h | 18 +++- src/conf/object_event.c | 212 ++++++++++++++++++++++++++++++++-------- src/conf/object_event.h | 30 +++--- src/conf/object_event_private.h | 31 ++++++ src/libvirt_private.syms | 1 - src/libxl/libxl_driver.c | 2 + src/lxc/lxc_driver.c | 2 + src/network/bridge_driver.c | 1 + src/qemu/qemu_driver.c | 2 + src/remote/remote_driver.c | 86 +++++++++------- src/remote/remote_protocol.x | 23 ++--- src/remote_protocol-structs | 9 +- src/test/test_driver.c | 6 +- src/uml/uml_driver.c | 2 + src/vbox/vbox_tmpl.c | 4 +- src/xen/xen_driver.c | 2 + 22 files changed, 527 insertions(+), 165 deletions(-) -- 1.8.4.2