On 12/5/19 10:08 AM, Jonathon Jongsma wrote:
We have to assume that the guest agent may be malicious, so we
don't want to
allow any agent queries to block any other libvirt API. By holding a monitor
job and an agent job while we're querying the agent, any other threads will be
blocked from using the monitor while the agent is unresponsive. Because libvirt
waits forever for an agent response, this makes us vulnerable to a denial of
service from a malicious (or simply buggy) guest agent.
This series of patches attempts to remove any cases where we were holding both
jobs at the same time, removes a convenience function which allows us to grab
both jobs at once, and updates documentation regarding this issue.
Are any of these worth CVEs? Are any of the APIs usable on a read-only
connection? (My quick glance says no, it looks like they all require
read-write). What about ACLs?
Jonathon Jongsma (8):
qemu: don't take agent and monitor job for shutdown
For example, virDomainShutdownFlags requires @acl
domain:write:VIR_DOMAIN_SHUTDOWN_GUEST_AGENT (that is, if you request
guest agent shutdown, you have to have the equivalent of domain:write
ACL privilege which is effectively root permissions, precisely because
the guest agent is untrusted). While a DoS is bad, you already have
enough permissions to shoot yourself in the foot in other ways, so it is
not a privilege escalation and thus not a CVE.
qemu: don't hold a monitor and agent job for reboot
qemu: don't hold both jobs for suspend
qemu: don't hold monitor and agent job when setting time
qemu: don't hold monitor job for fsinfo
qemu: don't hold monitor job for GetGuestInfo()
But virDomainGetFSIinfo only requires @acl: domain:fs_freeze. Is it
possible for a user to have domain:fs_freeze permission but not
domain:write permission? If so, we have a CVE because of the DoS, at
least when ACLs are in effect.
qemu: remove use of qemuDomainObjBeginJobWithAgent()
qemu: remove qemuDomainObjBegin/EndJobWithAgent()
src/qemu/THREADS.txt | 58 +-----
src/qemu/qemu_domain.c | 56 +-----
src/qemu/qemu_domain.h | 7 -
src/qemu/qemu_driver.c | 405 +++++++++++++++++++++++++----------------
4 files changed, 258 insertions(+), 268 deletions(-)
--
Eric Blake, Principal Software Engineer
Red Hat, Inc. +1-919-301-3226
Virtualization:
qemu.org |
libvirt.org