Re: [libvirt] [PATCH] event: move event filtering to daemon (regression fix)
On 02/05/2014 06:56 AM, Daniel P. Berrange wrote:
On Tue, Jan 28, 2014 at 03:48:19PM -0700, Eric Blake wrote:
> Commit f9f56340 for CVE-2014-0028 almost had the right idea - we
> need to check the ACL rules to filter which events to send. But
> it overlooked one thing: the event dispatch queue is running in
> the main loop thread, and therefore does not normally have a
> current virIdentityPtr. But filter checks can be based on current
> identity, so when libvirtd.conf contains access_drivers=["polkit"],
> we ended up rejecting access for EVERY event due to failure to
> look up the current identity, even if it should have been allowed.
>
ACK
Thanks; I've updated the commit message to mention
https://bugzilla.redhat.com/show_bug.cgi?id=1058839, and will have the
backport pushed to all affected maint branches shortly.
--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
Attachments:
- signature.asc (application/pgp-signature — 604 bytes)