[PATCH v3] virt-aa-helper: disallow graphics socket read permissions
The VM does not need read permission for its own sockets to create,
bind(), listen(), accept() connections or to recv(), send(), etc. on
those connections.
This was fixed in ab9569e5460d1e4737fe8b625c67687dc2204665
(virt-aa-helper: disallow VNC socket read permissions),
but then b6465e1aa49397367a9cd0f27110b9c2280a7385
(graphics: introduce new listen type 'socket')
and acc83afe333bfadd3f7f79091d38ca3d7da1eeb2
(vnc: add support for listen type 'socket') reverted it.
Unless the read permission is omitted, VMs can connect to each other's
VNC/graphics sockets.
Signed-off-by: Simon Arlott <libvirt(a)octiron.net>
---
Updated version that adds a comment to the code to prevent further
weakening of security on sockets.
src/security/virt-aa-helper.c | 7 ++++++-
tests/virt-aa-helper-test | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 12429278fb..e9cc865552 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1051,9 +1051,14 @@ get_files(vahControl * ctl)
for (n = 0; n < graphics->nListens; n++) {
virDomainGraphicsListenDef listenObj = graphics->listens[n];
+ /* Accepting connections on sockets only requires write
+ * permission. Making connections to them requires read
+ * permission. Don't allow read permission because VMs
+ * should not be connecting to each other.
+ */
if (listenObj.type == VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_SOCKET &&
listenObj.socket &&
- vah_add_file(&buf, listenObj.socket, "rw"))
+ vah_add_file(&buf, listenObj.socket, "w"))
goto cleanup;
}
}
diff --git a/tests/virt-aa-helper-test b/tests/virt-aa-helper-test
index 83f53acef6..776f0b43a6 100755
--- a/tests/virt-aa-helper-test
+++ b/tests/virt-aa-helper-test
@@ -370,7 +370,7 @@ sed -e "s,###UUID###,$uuid,g" -e
"s,###DISK###,$disk1,g" "$template_xml" > "$tes
testme "0" "hugepages" "-r -u $valid_uuid -F
/run/hugepages/kvm/\*\*" "$test_xml"
"/run/hugepages/kvm/.*rwk,$"
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,<graphics.*>,<graphics type='vnc'
socket='/var/lib/libvirt/qemu/myself.vnc'><listen type='address'
address='0.0.0.0'/></graphics>,g" "$template_xml" >
"$test_xml"
-testme "0" "vnc socket" "-r -u $valid_uuid"
"$test_xml" "/var/lib/libvirt/qemu/myself.vnc.*rw,$"
+testme "0" "vnc socket" "-r -u $valid_uuid"
"$test_xml" "/var/lib/libvirt/qemu/myself.vnc.*\s\+w,$"
sed -e "s,###UUID###,$uuid,g" -e "s,###DISK###,$disk1,g" -e
"s,</devices>,<input type='passthrough'
bus='virtio'><source evdev='$disk2'
/></input></devices>,g" "$template_xml" >
"$test_xml"
testme "0" "input dev passthrough" "-r -u $valid_uuid"
"$test_xml" "$disk2.*rw,$"
--
2.17.1
--
Simon Arlott