5 Feb
2014
5 Feb
'14
8:43 a.m.
On 01/28/2014 03:48 PM, Eric Blake wrote:
Commit f9f56340 for CVE-2014-0028 almost had the right idea - we need to check the ACL rules to filter which events to send. But it overlooked one thing: the event dispatch queue is running in the main loop thread, and therefore does not normally have a current virIdentityPtr. But filter checks can be based on current identity, so when libvirtd.conf contains access_drivers=["polkit"], we ended up rejecting access for EVERY event due to failure to look up the current identity, even if it should have been allowed.
Ping. -- Eric Blake eblake redhat com +1-919-301-3266 Libvirt virtualization library http://libvirt.org