[libvirt] [PATCH RFC] lib: Forbid guest interaction with RO connections in virDomainGetVcpusFlags

Don't allow guest agent interaction by read-only connections as the agent may be mailicious. --- src/libvirt.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/libvirt.c b/src/libvirt.c index 0cdac0d..f064f32 100644 --- a/src/libvirt.c +++ b/src/libvirt.c @@ -9891,6 +9891,12 @@ virDomainGetVcpusFlags(virDomainPtr domain, unsigned int flags) return -1; } + if (flags & VIR_DOMAIN_VCPU_GUEST && + domain->conn->flags & VIR_CONNECT_RO) { + virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__); + goto error; + } + /* At most one of these two flags should be set. */ if ((flags & VIR_DOMAIN_AFFECT_LIVE) && (flags & VIR_DOMAIN_AFFECT_CONFIG)) { -- 1.8.3.2
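Review bot: the new condition tests `flags & VIR_DOMAIN_VCPU_GUEST && domain->conn->flags & VIR_CONNECT_RO` without parentheses; it is correct only because `&` binds tighter than `&&`, and the check immediately below it in the same function writes `(flags & VIR_DOMAIN_AFFECT_LIVE) && (flags & VIR_DOMAIN_AFFECT_CONFIG)` with each bitwise test parenthesized, so `if ((flags & VIR_DOMAIN_VCPU_GUEST) && (domain->conn->flags & VIR_CONNECT_RO))` would match the surrounding style. The diffstat shows the only change is these six lines in the body of virDomainGetVcpusFlags, so the API documentation for VIR_DOMAIN_VCPU_GUEST is not updated to say the flag now fails with VIR_ERR_OPERATION_DENIED on a read-only connection; that should be stated alongside the check. Finally, gating agent interaction in this one entry point only helps if every other API that accepts a guest-agent flag on a read-only connection gets the same test (virDomainGetHostname is named later in the thread), otherwise a read-only client still reaches the agent through the remaining calls.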

On 07/16/2013 08:37 AM, Peter Krempa wrote:
Don't allow guest agent interaction by read-only connections as the agent may be mailicious.
s/mailicious/malicious/
--- src/libvirt.c | 6 ++++++ 1 file changed, 6 insertions(+)
Do we have any other commands that a read-only connection can use to interact with a guest agent? A quick check shows that many other commands with an AGENT flag already require read-only connections at all times (such as virDomainReboot, virDomainSendProcessSignal, virDomainSetVcpusFlags, and virDomainSnapshotCreateXML), but at least virDomainGetHostname is permitted on a read-only connection with an allowance for guest agent interaction.

Also, I'm wondering if we also need any work in the ACL framework for controlling whether a command is permitted to require guest interaction. For example, does it make sense to have an ACL that says a guest shutdown via ACPI is permitted (it does not matter if the guest responds), but a guest shutdown via the agent should be prevented (because interacting with the agent of a malicious guest is too risky)?

At any rate, I think we need a v2 that covers all possible agent interaction commands, if we are going to go with this approach (but the idea does make sense to me).

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

On Tue, Jul 16, 2013 at 09:46:49AM -0600, Eric Blake wrote:
On 07/16/2013 08:37 AM, Peter Krempa wrote:
Don't allow guest agent interaction by read-only connections as the agent may be mailicious.
s/mailicious/malicious/
--- src/libvirt.c | 6 ++++++ 1 file changed, 6 insertions(+)
Do we have any other commands that a read-only connection can use to interact with a guest agent? A quick check shows that many other commands with an AGENT flag already require read-only connections at all times (such as virDomainReboot, virDomainSendProcessSignal, virDomainSetVcpusFlags, and virDomainSnapshotCreateXML), but at least virDomainGetHostname is permitted on a read-only connection with an allowance for guest agent interaction.
Also, I'm wondering if we also need any work in the ACL framework for controlling whether a command is permitted to require guest interaction. For example, does it make sense to have an ACL that says a guest shutdown via ACPI is permitted (it does not matter if the guest responds), but a guest shutdown via the agent should be prevented (because interacting with the agent of a malicious guest is too risky)?
At any rate, I think we need a v2 that covers all possible agent interaction commands, if we are going to go with this approach (but the idea does make sense to me).
Yes, the ACL code is intended to obsolete the read-only flag. So anything that can be expressed with the read-only flag, must also be doable using the ACLs. We don't want to end up with one ACL permission for every guest agent command though. I think it would be sufficient to just use the generic domain 'write' permission bit to enforce this.

Daniel
-- 
|: http://berrange.com  -o-  http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org :|
|: http://autobuild.org  -o-  http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org  -o-  http://live.gnome.org/gtk-vnc :|
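Daniel's suggestion of reusing the generic domain 'write' permission maps directly onto libvirt's polkit-based ACL driver, where each API permission is checked as a polkit action named org.libvirt.api.<object>.<permission> with the target passed as details (connect_driver, domain_name, domain_uuid). The rule below is an added example, not code from this thread or from libvirt: it lets members of a hypothetical "ro-operators" group keep org.libvirt.api.domain.read while refusing them org.libvirt.api.domain.write, so any API that libvirt gates on the write bit (including agent-backed calls, under the scheme Daniel describes) is denied for them even though plain inspection still works. The `polkit` object, the `makeAction`/`makeSubject` helpers and `decide` are stand-ins so the rule can be exercised offline; in a real rules file polkitd supplies `polkit`, `action` and `subject` itself.

```javascript
// Added example (not from the libvirt thread or from libvirt itself).
// A deployed rule file, e.g. /etc/polkit-1/rules.d/50-libvirt-agent.rules, gets
// the `polkit` object from polkitd. This stand-in only exists so the rule can
// run offline; it mirrors polkitd walking rule functions in order until one
// returns a definite YES/NO.
const polkit = {
    Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
    _rules: [],
    addRule(fn) { this._rules.push(fn); },
    log(msg) { console.error("polkit: " + msg); },
    evaluate(action, subject) {
        for (const rule of this._rules) {
            const r = rule(action, subject);
            if (r !== undefined && r !== this.Result.NOT_HANDLED) return r;
        }
        return this.Result.NOT_HANDLED;
    },
};

// Group name is an assumption for this example.
const RO_GROUP = "ro-operators";

// The rule itself: this is the part that would go into the rules file.
// libvirt's ACL driver asks for org.libvirt.api.<object>.<permission> and
// supplies connect_driver / domain_name / domain_uuid as action details.
polkit.addRule(function (action, subject) {
    if (action.id.indexOf("org.libvirt.api.") !== 0 || !subject.isInGroup(RO_GROUP)) {
        return polkit.Result.NOT_HANDLED;   // not our business, let other rules decide
    }
    // Read-only operators may inspect domains, roughly the reach of a
    // VIR_CONNECT_RO connection ...
    if (action.id === "org.libvirt.api.domain.read") {
        return polkit.Result.YES;
    }
    // ... but never get the generic domain 'write' bit, which is the single
    // permission Daniel proposes for gating guest-agent interaction.
    if (action.id === "org.libvirt.api.domain.write") {
        polkit.log("denied " + action.id + " on " + action.lookup("domain_name") +
                   " for " + subject.user);
        return polkit.Result.NO;
    }
    return polkit.Result.NOT_HANDLED;
});

// Minimal stand-ins for the action/subject objects polkitd hands to a rule.
function makeAction(id, details) {
    return { id, lookup: (key) => details[key] };
}
function makeSubject(user, groups) {
    return { user, isInGroup: (g) => groups.includes(g) };
}

// Evaluate one libvirt permission check for a user. Returns "yes", "no" or
// "not_handled" (polkitd would then fall through to later rules or the
// action's default).
function decide(actionId, user, groups, domainName) {
    const action = makeAction(actionId, {
        connect_driver: "QEMU",
        domain_name: domainName,
        domain_uuid: "00000000-0000-0000-0000-000000000000", // constructed sample
    });
    return polkit.evaluate(action, makeSubject(user, groups));
}

if (typeof require !== "undefined" && require.main === module) {
    console.log(decide("org.libvirt.api.domain.read",  "alice", [RO_GROUP], "vm1")); // yes
    console.log(decide("org.libvirt.api.domain.write", "alice", [RO_GROUP], "vm1")); // no
    console.log(decide("org.libvirt.api.domain.write", "bob",   ["wheel"],  "vm1")); // not_handled
}
```

To deploy, keep only the `polkit.addRule(...)` call in the rules file and enable the ACL driver with `access_drivers = [ "polkit" ]` in libvirtd.conf; the read-only connection flag then becomes redundant for these users, which is the direction Daniel describes.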