Re: [libvirt] [PATCH] api: require write permission for guest agent interaction

On Tue, Jan 21, 2014 at 10:47:07AM -0700, Eric Blake wrote: > I noticed that we allow virDomainGetVcpusFlags even for read-only > connections, but that with a flag, it can require guest agent > interaction. It is feasible that a malicious guest could > intentionally abuse the replies it sends over the guest agent > connection to possibly trigger a bug in libvirt's JSON parser, > or withhold an answer so as to prevent the use of the agent > in a later command such as a shutdown request. Although we > don't know of any such exploits now (and therefore don't mind > posting this patch publicly without trying to get a CVE assigned), > it is better to err on the side of caution and explicitly require > full access to any domain where the API requires guest interaction > to operate correctly. > > I audited all commands that are marked as conditionally using a > guest agent. Note that at least virDomainFSTrim is documented > as needing a guest agent, but that such use is unconditional > depending on the hypervisor (so the existing domain:fs_trim ACL > should be sufficient there, rather than also requirng domain:write). > But when designing future APIs, such as the plans for obtaining > a domain's IP addresses, we should copy the approach of this patch > in making interaction with the guest be specified via a flag, and > use that flag to also require stricter access checks. >

ACK