
On Thu, Jan 09, 2025 at 12:03:58AM -0500, Takuya Nakaike wrote:
This patch is a draft implementation to pass a domain XML to a polkit access driver. With this new feature, a polkit rule can verify the domain XML to be deployed on a host, and thus protect against deploying a malicious VM.
There is a discussion about this new feature in the following issue.
https://gitlab.com/libvirt/libvirt/-/issues/719
Any questions, comments, and suggestions are welcome. Thanks,
Let's keep discussion on that issue. My comments there express why I think this is a bad approach that should not be merged.
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c index 83381183a5..56457010e0 100644 --- a/src/access/viraccessdriverpolkit.c +++ b/src/access/viraccessdriverpolkit.c @@ -177,10 +177,12 @@ virAccessDriverPolkitCheckDomain(virAccessManager *manager, virAccessPermDomain perm) { char uuidstr[VIR_UUID_STRING_BUFLEN]; + char *xml = virAccessManagerGetXMLDesc(domain); const char *attrs[] = { "connect_driver", driverName, "domain_name", domain->name, "domain_uuid", uuidstr, + "xml", xml != NULL ? xml : "", NULL, };
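Review bot: in virAccessDriverPolkitCheckDomain the string returned by virAccessManagerGetXMLDesc(domain) is stored in a plain `char *xml` and never freed on any return path of the function, and a NULL result is silently turned into an empty "xml" attribute. Declare it as `g_autofree char *xml = virAccessManagerGetXMLDesc(domain);` (libvirt already uses GLib auto-cleanup throughout) so every return path releases it, and decide explicitly what a NULL result means: either fail the access check when the XML cannot be formatted, or document that policy rules must treat "" as a deny, because as written a formatting failure hands the rule an XML string that contains no devices at all and a rule that looks for forbidden elements would then allow the operation. The definition of virAccessManagerGetXMLDesc() is not visible in this hunk; its ownership contract for the returned buffer should be stated in a comment next to it in the same patch.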
NB, that's a memory leak.

With regards,
Daniel

--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
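As an added example, not part of the patch, the linked issue or libvirt itself, the following shows what a polkit rule that consumed the proposed "xml" detail would have to look like, together with a small stand-in for polkitd's JavaScript host so the rule can be exercised offline under Node. The action ID prefix (org.libvirt.api.domain.) and the connect_driver / domain_name details follow libvirt's documented ACL conventions; the "xml" detail is the one the draft adds and does not exist in released libvirt; the polkit object, the evaluate() harness and the sample domain XML are constructed for this example. Note that polkit rules have no XML parser available, so a rule can only pattern-match the serialized text.

```javascript
// Added example: a polkit rule consuming the draft's "xml" detail, plus a
// constructed stand-in for polkitd so it can run offline. Not libvirt code.

// --- stand-in for the polkitd JavaScript host (constructed) ---
// polkit.Result.* names match the real polkit API; the registry is ours.
var polkit = {
  Result: { NO: "no", YES: "yes", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule: function (fn) { this._rules.push(fn); }
};

// --- the rule, as it would sit in /etc/polkit-1/rules.d/50-libvirt-xml.rules ---
// Rules cannot parse XML, so the check is textual pattern matching on the
// serialized domain XML. Attribute order, quoting and namespaces all change
// the text, which is why such a check is hard to make robust.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.domain.") !== 0) {
    return polkit.Result.NOT_HANDLED;
  }
  var xml = action.lookup("xml");
  // The draft substitutes "" when the XML could not be produced. A rule has to
  // treat that as a deny, otherwise a formatting failure bypasses the check.
  if (!xml) {
    return polkit.Result.NO;
  }
  // Elements this hypothetical host policy refuses.
  var forbidden = [
    /<hostdev\b/,                               // PCI/USB device passthrough
    /<interface\b[^>]*\btype=['"]direct['"]/,   // macvtap directly onto a host NIC
    /<filesystem\b/                             // host directory sharing
  ];
  for (var i = 0; i < forbidden.length; i++) {
    if (forbidden[i].test(xml)) {
      return polkit.Result.NO;
    }
  }
  return polkit.Result.NOT_HANDLED; // defer to later rules and the action defaults
});

// --- harness: run the registered rules the way polkitd would (constructed) ---
function evaluate(actionId, details) {
  var action = {
    id: actionId,
    lookup: function (key) {
      return Object.prototype.hasOwnProperty.call(details, key) ? details[key] : null;
    }
  };
  var subject = { user: "alice", local: true, active: true };
  for (var i = 0; i < polkit._rules.length; i++) {
    var r = polkit._rules[i](action, subject);
    if (r !== polkit.Result.NOT_HANDLED) {
      return r;
    }
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed sample domain XML, trimmed to the parts the rule looks at.
var PLAIN_XML =
  "<domain type='kvm'><name>web1</name><devices>" +
  "<interface type='network'><source network='default'/></interface>" +
  "</devices></domain>";
var PASSTHROUGH_XML =
  "<domain type='kvm'><name>gpu1</name><devices>" +
  "<hostdev mode='subsystem' type='pci' managed='yes'><source>" +
  "<address domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>" +
  "</source></hostdev></devices></domain>";

function demo() {
  var start = "org.libvirt.api.domain.start";
  return {
    plain:       evaluate(start, { connect_driver: "QEMU", domain_name: "web1", xml: PLAIN_XML }),
    passthrough: evaluate(start, { connect_driver: "QEMU", domain_name: "gpu1", xml: PASSTHROUGH_XML }),
    missingXml:  evaluate(start, { connect_driver: "QEMU", domain_name: "web1", xml: "" }),
    otherAction: evaluate("org.libvirt.api.connect.getattr", { connect_driver: "QEMU" })
  };
}
```

Run with `node` and inspect `demo()`: the plain guest falls through to the defaults, the passthrough guest and the empty-XML case are denied, and non-domain actions are untouched. The regex list is the weak point, which is the practical cost of pushing a whole XML document through a detail string into a rule engine that can only do text matching.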