[libvirt] [PATCH 0/3] Fix for polkit race condition

newer
[libvirt] [v0.9.12-maint 0/9] CVE...

Daniel P. Berrange

18 Sep 2013 18 Sep '13

2:20 p.m.

From: "Daniel P. Berrange" <berrange@redhat.com> The following 3 patches have been reviewed on the libvirt-security list as the libvirt side of the fix for polkit CVE-2013-4288. Given that it was already reviewed, I have pushed this. Daniel P. Berrange (3): Also store user & group ID values in virIdentity Ensure system identity includes process start time Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311) configure.ac | 8 ++++++++ daemon/remote.c | 22 ++++++++++++++++++--- libvirt.spec.in | 3 +-- src/access/viraccessdriverpolkit.c | 40 +++++++++++++++++++++++++++++++++----- src/rpc/virnetserverclient.c | 18 +++++++++++++++++ src/util/viridentity.c | 39 +++++++++++++++++++++++++++++++++---- src/util/viridentity.h | 2 ++ 7 files changed, 118 insertions(+), 14 deletions(-) -- 1.8.3.1

Show replies by date

Daniel P. Berrange

18 Sep 18 Sep

2:20 p.m.

New subject: [libvirt] [PATCH 1/3] Also store user & group ID values in virIdentity

From: "Daniel P. Berrange" <berrange@redhat.com> Future improvements to the polkit code will require access to the numeric user ID, not merely user name. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/rpc/virnetserverclient.c | 18 ++++++++++++++++++ src/util/viridentity.c | 23 +++++++++++++++++++---- src/util/viridentity.h | 2 ++ 3 files changed, 39 insertions(+), 4 deletions(-) diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c index 83d5cf1..19c4100 100644 --- a/src/rpc/virnetserverclient.c +++ b/src/rpc/virnetserverclient.c @@ -652,7 +652,9 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client) char *processid = NULL; char *processtime = NULL; char *username = NULL; + char *userid = NULL; char *groupname = NULL; + char *groupid = NULL; #if WITH_SASL char *saslname = NULL; #endif @@ -672,8 +674,12 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client) if (!(username = virGetUserName(uid))) goto cleanup; + if (virAsprintf(&userid, "%d", (int)uid) < 0) + goto cleanup; if (!(groupname = virGetGroupName(gid))) goto cleanup; + if (virAsprintf(&userid, "%d", (int)gid) < 0) + goto cleanup; if (virAsprintf(&processid, "%llu", (unsigned long long)pid) < 0) goto cleanup; @@ -710,11 +716,21 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client) VIR_IDENTITY_ATTR_UNIX_USER_NAME, username) < 0) goto error; + if (userid && + virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_USER_ID, + userid) < 0) + goto error; if (groupname && virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, groupname) < 0) goto error; + if (groupid && + virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_GROUP_ID, + groupid) < 0) + goto error; if (processid && virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, @@ -745,7 +761,9 @@ virNetServerClientCreateIdentity(virNetServerClientPtr client) cleanup: VIR_FREE(username); + VIR_FREE(userid); VIR_FREE(groupname); + VIR_FREE(groupid); VIR_FREE(processid); VIR_FREE(processtime); VIR_FREE(seccontext); diff --git a/src/util/viridentity.c b/src/util/viridentity.c index 781f660..03c375b 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c @@ -133,7 +133,9 @@ int virIdentitySetCurrent(virIdentityPtr ident) virIdentityPtr virIdentityGetSystem(void) { char *username = NULL; + char *userid = NULL; char *groupname = NULL; + char *groupid = NULL; char *seccontext = NULL; virIdentityPtr ret = NULL; #if WITH_SELINUX @@ -147,8 +149,13 @@ virIdentityPtr virIdentityGetSystem(void) if (!(username = virGetUserName(getuid()))) goto cleanup; + if (virAsprintf(&userid, "%d", (int)getuid()) < 0) + goto cleanup; + if (!(groupname = virGetGroupName(getgid()))) goto cleanup; + if (virAsprintf(&groupid, "%d", (int)getgid()) < 0) + goto cleanup; #if WITH_SELINUX if (getcon(&con) < 0) { @@ -166,16 +173,22 @@ virIdentityPtr virIdentityGetSystem(void) if (!(ret = virIdentityNew())) goto cleanup; - if (username && - virIdentitySetAttr(ret, + if (virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_USER_NAME, username) < 0) goto error; - if (groupname && - virIdentitySetAttr(ret, + if (virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_USER_ID, + userid) < 0) + goto error; + if (virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, groupname) < 0) goto error; + if (virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_GROUP_ID, + groupid) < 0) + goto error; if (seccontext && virIdentitySetAttr(ret, VIR_IDENTITY_ATTR_SELINUX_CONTEXT, @@ -188,7 +201,9 @@ virIdentityPtr virIdentityGetSystem(void) cleanup: VIR_FREE(username); + VIR_FREE(userid); VIR_FREE(groupname); + VIR_FREE(groupid); VIR_FREE(seccontext); VIR_FREE(processid); return ret; diff --git a/src/util/viridentity.h b/src/util/viridentity.h index 4bae8d6..a240c2d 100644 --- a/src/util/viridentity.h +++ b/src/util/viridentity.h @@ -29,7 +29,9 @@ typedef virIdentity *virIdentityPtr; typedef enum { VIR_IDENTITY_ATTR_UNIX_USER_NAME, + VIR_IDENTITY_ATTR_UNIX_USER_ID, VIR_IDENTITY_ATTR_UNIX_GROUP_NAME, + VIR_IDENTITY_ATTR_UNIX_GROUP_ID, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, VIR_IDENTITY_ATTR_SASL_USER_NAME, -- 1.8.3.1

Daniel P. Berrange

2:20 p.m.

New subject: [libvirt] [PATCH 2/3] Ensure system identity includes process start time

From: "Daniel P. Berrange" <berrange@redhat.com> The polkit access driver will want to use the process start time field. This was already set for network identities, but not for the system identity. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- src/util/viridentity.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/util/viridentity.c b/src/util/viridentity.c index 03c375b..f681f85 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c @@ -35,6 +35,7 @@ #include "virthread.h" #include "virutil.h" #include "virstring.h" +#include "virprocess.h" #define VIR_FROM_THIS VIR_FROM_IDENTITY @@ -142,11 +143,20 @@ virIdentityPtr virIdentityGetSystem(void) security_context_t con; #endif char *processid = NULL; + unsigned long long timestamp; + char *processtime = NULL; if (virAsprintf(&processid, "%llu", (unsigned long long)getpid()) < 0) goto cleanup; + if (virProcessGetStartTime(getpid(), ×tamp) < 0) + goto cleanup; + + if (timestamp != 0 && + virAsprintf(&processtime, "%llu", timestamp) < 0) + goto cleanup; + if (!(username = virGetUserName(getuid()))) goto cleanup; if (virAsprintf(&userid, "%d", (int)getuid()) < 0) @@ -198,6 +208,11 @@ virIdentityPtr virIdentityGetSystem(void) VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, processid) < 0) goto error; + if (processtime && + virIdentitySetAttr(ret, + VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, + processtime) < 0) + goto error; cleanup: VIR_FREE(username); @@ -206,6 +221,7 @@ cleanup: VIR_FREE(groupid); VIR_FREE(seccontext); VIR_FREE(processid); + VIR_FREE(processtime); return ret; error: -- 1.8.3.1

Daniel P. Berrange

2:20 p.m.

New subject: [libvirt] [PATCH 3/3] Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)

From: "Daniel P. Berrange" <berrange@redhat.com> With the existing pkcheck (pid, start time) tuple for identifying the process, there is a race condition, where a process can make a libvirt RPC call and in another thread exec a setuid application, causing it to change to effective UID 0. This in turn causes polkit to do its permission check based on the wrong UID. To address this, libvirt must get the UID the caller had at time of connect() (from SO_PEERCRED) and pass a (pid, start time, uid) triple to the pkcheck program. This fix requires that libvirt is re-built against a version of polkit that has the fix for its CVE-2013-4288, so that libvirt can see 'pkg-config --variable pkcheck_supports_uid polkit-gobject-1' Signed-off-by: Colin Walters <walters@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> --- configure.ac | 8 ++++++++ daemon/remote.c | 22 ++++++++++++++++++--- libvirt.spec.in | 3 +-- src/access/viraccessdriverpolkit.c | 40 +++++++++++++++++++++++++++++++++----- 4 files changed, 63 insertions(+), 10 deletions(-) diff --git a/configure.ac b/configure.ac index 69a01ae..553015a 100644 --- a/configure.ac +++ b/configure.ac @@ -1257,6 +1257,14 @@ if test "x$with_polkit" = "xyes" || test "x$with_polkit" = "xcheck"; then AC_PATH_PROG([PKCHECK_PATH],[pkcheck], [], [/usr/sbin:$PATH]) if test "x$PKCHECK_PATH" != "x" ; then AC_DEFINE_UNQUOTED([PKCHECK_PATH],["$PKCHECK_PATH"],[Location of pkcheck program]) + AC_MSG_CHECKING([whether pkcheck supports uid value]) + pkcheck_supports_uid=`$PKG_CONFIG --variable pkcheck_supports_uid polkit-gobject-1` + if test "x$pkcheck_supports_uid" = "xtrue"; then + AC_MSG_RESULT([yes]) + AC_DEFINE_UNQUOTED([PKCHECK_SUPPORTS_UID], 1, [Pass uid to pkcheck]) + else + AC_MSG_RESULT([no]) + fi AC_DEFINE_UNQUOTED([WITH_POLKIT], 1, [use PolicyKit for UNIX socket access checks]) AC_DEFINE_UNQUOTED([WITH_POLKIT1], 1, diff --git a/daemon/remote.c b/daemon/remote.c index 2aff7c1..6b082cf 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, int status = -1; char *ident = NULL; bool authdismissed = 0; + bool supportsuid = false; char *pkout = NULL; struct daemonClientPrivate *priv = virNetServerClientGetPrivateData(client); virCommandPtr cmd = NULL; + static bool polkitInsecureWarned; virMutexLock(&priv->lock); action = virNetServerClientGetReadonly(client) ? @@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, goto authfail; } + if (timestamp == 0) { + VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time", + (long long)callerPid); + goto authfail; + } + VIR_INFO("Checking PID %lld running as %d", (long long) callerPid, callerUid); virCommandAddArg(cmd, "--process"); - if (timestamp != 0) { - virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); +# ifdef PKCHECK_SUPPORTS_UID + supportsuid = true; +# endif + if (supportsuid) { + virCommandAddArgFormat(cmd, "%lld,%llu,%lu", + (long long) callerPid, timestamp, (unsigned long) callerUid); } else { - virCommandAddArgFormat(cmd, "%lld", (long long) callerPid); + if (!polkitInsecureWarned) { + VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); + polkitInsecureWarned = true; + } + virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); } virCommandAddArg(cmd, "--allow-user-interaction"); diff --git a/libvirt.spec.in b/libvirt.spec.in index a55e87c..f899149 100644 --- a/libvirt.spec.in +++ b/libvirt.spec.in @@ -509,8 +509,7 @@ BuildRequires: cyrus-sasl-devel %endif %if %{with_polkit} %if 0%{?fedora} >= 12 || 0%{?rhel} >= 6 -# Only need the binary, not -devel -BuildRequires: polkit >= 0.93 +BuildRequires: polkit-devel >= 0.93 %else BuildRequires: PolicyKit-devel >= 0.6 %endif diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c index b472bc3..ff82583 100644 --- a/src/access/viraccessdriverpolkit.c +++ b/src/access/viraccessdriverpolkit.c @@ -72,8 +72,12 @@ static char * virAccessDriverPolkitFormatProcess(const char *actionid) { virIdentityPtr identity = virIdentityGetCurrent(); - const char *process = NULL; + const char *callerPid = NULL; + const char *callerTime = NULL; + const char *callerUid = NULL; char *ret = NULL; + bool supportsuid = false; + static bool polkitInsecureWarned; if (!identity) { virAccessError(VIR_ERR_ACCESS_DENIED, @@ -81,17 +85,43 @@ virAccessDriverPolkitFormatProcess(const char *actionid) actionid); return NULL; } - if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0) + if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &callerPid) < 0) + goto cleanup; + if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME, &callerTime) < 0) + goto cleanup; + if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_USER_ID, &callerUid) < 0) goto cleanup; - if (!process) { + if (!callerPid) { virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", _("No UNIX process ID available")); goto cleanup; } - - if (VIR_STRDUP(ret, process) < 0) + if (!callerTime) { + virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", + _("No UNIX process start time available")); + goto cleanup; + } + if (!callerUid) { + virAccessError(VIR_ERR_INTERNAL_ERROR, "%s", + _("No UNIX caller UID available")); goto cleanup; + } + +#ifdef PKCHECK_SUPPORTS_UID + supportsuid = true; +#endif + if (supportsuid) { + if (virAsprintf(&ret, "%s,%s,%s", callerPid, callerTime, callerUid) < 0) + goto cleanup; + } else { + if (!polkitInsecureWarned) { + VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); + polkitInsecureWarned = true; + } + if (virAsprintf(&ret, "%s,%s", callerPid, callerTime) < 0) + goto cleanup; + } cleanup: virObjectUnref(identity); -- 1.8.3.1

Jiri Denemark

19 Sep 19 Sep

12:59 p.m.

New subject: [libvirt] [PATCH 3/3] Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)

...

diff --git a/daemon/remote.c b/daemon/remote.c index 2aff7c1..6b082cf 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -2738,10 +2738,12 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, int status = -1; char *ident = NULL; bool authdismissed = 0; + bool supportsuid = false; char *pkout = NULL; struct daemonClientPrivate *priv = virNetServerClientGetPrivateData(client); virCommandPtr cmd = NULL; + static bool polkitInsecureWarned;

virMutexLock(&priv->lock); action = virNetServerClientGetReadonly(client) ? @@ -2763,14 +2765,28 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, goto authfail; }

+ if (timestamp == 0) { + VIR_WARN("Failing polkit auth due to missing client (pid=%lld) start time", + (long long)callerPid); + goto authfail; + } + VIR_INFO("Checking PID %lld running as %d", (long long) callerPid, callerUid);

virCommandAddArg(cmd, "--process"); - if (timestamp != 0) { - virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); +# ifdef PKCHECK_SUPPORTS_UID + supportsuid = true; +# endif + if (supportsuid) { + virCommandAddArgFormat(cmd, "%lld,%llu,%lu", + (long long) callerPid, timestamp, (unsigned long) callerUid); } else { - virCommandAddArgFormat(cmd, "%lld", (long long) callerPid); + if (!polkitInsecureWarned) { + VIR_WARN("No support for caller UID with pkcheck. This deployment is known to be insecure."); + polkitInsecureWarned = true; + } + virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); } virCommandAddArg(cmd, "--allow-user-interaction");

Coverity doesn't really like this change because one branch of the above "if" statement is always dead... Jirka

Eric Blake

18 Sep 18 Sep

2:40 p.m.

New subject: [libvirt] [PATCH 0/2] v0.10.2-maint backport for CVE-2013-4311

Also discussed on the security list, and now pushed to v0.10.2-maint. I'm working on patching v1.0.5-maint next, since that also affects Fedora. ALL of the v*-maint branches need this backported; although I have just been focusing on the Fedora branches, I'm willing to help do the work for other branches that matter to anyone else. Cole will be cutting 1.0.5.6 and 0.10.2.8 later today. Daniel P. Berrange (2): Include process start time when doing polkit checks Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311) configure.ac | 8 +++ daemon/remote.c | 28 ++++++++-- libvirt.spec.in | 3 +- src/rpc/virnetserverclient.c | 8 ++- src/rpc/virnetserverclient.h | 3 +- src/rpc/virnetsocket.c | 19 +++++-- src/rpc/virnetsocket.h | 3 +- src/util/virprocess.c | 118 +++++++++++++++++++++++++++++++++++++++++++ src/util/virprocess.h | 3 ++ src/util/virstring.c | 11 ++++ src/util/virstring.h | 2 + 11 files changed, 192 insertions(+), 14 deletions(-) -- 1.8.3.1

Eric Blake

2:40 p.m.

New subject: [libvirt] [PATCH 1/2] Include process start time when doing polkit checks

From: "Daniel P. Berrange" <berrange@redhat.com> Since PIDs can be reused, polkit prefers to be given a (PID,start time) pair. If given a PID on its own, it will attempt to lookup the start time in /proc/pid/stat, though this is subject to races. It is safer if the client app resolves the PID start time itself, because as long as the app has the client socket open, the client PID won't be reused. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> (cherry picked from commit 979e9c56a7aadf2dcfbddd1abfbad594b78b4468) Signed-off-by: Eric Blake <eblake@redhat.com> Conflicts: src/libvirt_private.syms - not backported src/locking/lock_daemon.c - not backported src/rpc/virnetserverclient.c src/rpc/virnetsocket.c src/rpc/virnetsocket.h src/util/viridentity.h - not backported src/util/virprocess.c src/util/virprocess.h src/util/virstring.c src/util/virstring.h Most conflicts were contextual (this patch adds new functions, but upstream intermediate patches not backported here also added new features, and the resolution was picking out just the portions needed by this commit). virnetsocket.c also had slightly different locking semantics. --- daemon/remote.c | 12 +++-- src/rpc/virnetserverclient.c | 8 ++- src/rpc/virnetserverclient.h | 3 +- src/rpc/virnetsocket.c | 19 +++++-- src/rpc/virnetsocket.h | 3 +- src/util/virprocess.c | 118 +++++++++++++++++++++++++++++++++++++++++++ src/util/virprocess.h | 3 ++ src/util/virstring.c | 11 ++++ src/util/virstring.h | 2 + 9 files changed, 167 insertions(+), 12 deletions(-) diff --git a/daemon/remote.c b/daemon/remote.c index 4b89df3..dd608cd 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -2351,6 +2351,7 @@ remoteDispatchAuthList(virNetServerPtr server ATTRIBUTE_UNUSED, uid_t callerUid; gid_t callerGid; pid_t callerPid; + unsigned long long timestamp; /* If the client is root then we want to bypass the * policykit auth to avoid root being denied if @@ -2358,7 +2359,7 @@ remoteDispatchAuthList(virNetServerPtr server ATTRIBUTE_UNUSED, */ if (auth == VIR_NET_SERVER_SERVICE_AUTH_POLKIT) { if (virNetServerClientGetUNIXIdentity(client, &callerUid, &callerGid, - &callerPid) < 0) { + &callerPid, ×tamp) < 0) { /* Don't do anything on error - it'll be validated at next * phase of auth anyway */ virResetLastError(); @@ -2786,6 +2787,7 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, pid_t callerPid = -1; gid_t callerGid = -1; uid_t callerUid = -1; + unsigned long long timestamp; const char *action; int status = -1; char *ident = NULL; @@ -2811,7 +2813,7 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, } if (virNetServerClientGetUNIXIdentity(client, &callerUid, &callerGid, - &callerPid) < 0) { + &callerPid, ×tamp) < 0) { goto authfail; } @@ -2819,7 +2821,11 @@ remoteDispatchAuthPolkit(virNetServerPtr server ATTRIBUTE_UNUSED, (long long) callerPid, callerUid); virCommandAddArg(cmd, "--process"); - virCommandAddArgFormat(cmd, "%lld", (long long) callerPid); + if (timestamp != 0) { + virCommandAddArgFormat(cmd, "%lld,%llu", (long long) callerPid, timestamp); + } else { + virCommandAddArgFormat(cmd, "%lld", (long long) callerPid); + } virCommandAddArg(cmd, "--allow-user-interaction"); if (virAsprintf(&ident, "pid:%lld,uid:%d", diff --git a/src/rpc/virnetserverclient.c b/src/rpc/virnetserverclient.c index 1ac5677..c49e3c2 100644 --- a/src/rpc/virnetserverclient.c +++ b/src/rpc/virnetserverclient.c @@ -466,16 +466,20 @@ int virNetServerClientGetFD(virNetServerClientPtr client) } int virNetServerClientGetUNIXIdentity(virNetServerClientPtr client, - uid_t *uid, gid_t *gid, pid_t *pid) + uid_t *uid, gid_t *gid, pid_t *pid, + unsigned long long *timestamp) { int ret = -1; virNetServerClientLock(client); if (client->sock) - ret = virNetSocketGetUNIXIdentity(client->sock, uid, gid, pid); + ret = virNetSocketGetUNIXIdentity(client->sock, + uid, gid, pid, + timestamp); virNetServerClientUnlock(client); return ret; } + bool virNetServerClientIsSecure(virNetServerClientPtr client) { bool secure = false; diff --git a/src/rpc/virnetserverclient.h b/src/rpc/virnetserverclient.h index 3ce1889..2e97b42 100644 --- a/src/rpc/virnetserverclient.h +++ b/src/rpc/virnetserverclient.h @@ -78,7 +78,8 @@ int virNetServerClientSetIdentity(virNetServerClientPtr client, const char *virNetServerClientGetIdentity(virNetServerClientPtr client); int virNetServerClientGetUNIXIdentity(virNetServerClientPtr client, - uid_t *uid, gid_t *gid, pid_t *pid); + uid_t *uid, gid_t *gid, pid_t *pid, + unsigned long long *timestamp); void *virNetServerClientGetPrivateData(virNetServerClientPtr client); diff --git a/src/rpc/virnetsocket.c b/src/rpc/virnetsocket.c index 6ffa06e..97d50c0 100644 --- a/src/rpc/virnetsocket.c +++ b/src/rpc/virnetsocket.c @@ -987,31 +987,40 @@ int virNetSocketGetPort(virNetSocketPtr sock) int virNetSocketGetUNIXIdentity(virNetSocketPtr sock, uid_t *uid, gid_t *gid, - pid_t *pid) + pid_t *pid, + unsigned long long *timestamp) { struct ucred cr; socklen_t cr_len = sizeof(cr); + int ret = -1; + virMutexLock(&sock->lock); if (getsockopt(sock->fd, SOL_SOCKET, SO_PEERCRED, &cr, &cr_len) < 0) { virReportSystemError(errno, "%s", _("Failed to get client socket identity")); - virMutexUnlock(&sock->lock); - return -1; + goto cleanup; } + if (virProcessGetStartTime(cr.pid, timestamp) < 0) + goto cleanup; + *pid = cr.pid; *uid = cr.uid; *gid = cr.gid; + ret = 0; + +cleanup: virMutexUnlock(&sock->lock); - return 0; + return ret; } #else int virNetSocketGetUNIXIdentity(virNetSocketPtr sock ATTRIBUTE_UNUSED, uid_t *uid ATTRIBUTE_UNUSED, gid_t *gid ATTRIBUTE_UNUSED, - pid_t *pid ATTRIBUTE_UNUSED) + pid_t *pid ATTRIBUTE_UNUSED, + unsigned long long *timestamp ATTRIBUTE_UNUSED) { /* XXX Many more OS support UNIX socket credentials we could port to. See dbus ....*/ virReportSystemError(ENOSYS, "%s", diff --git a/src/rpc/virnetsocket.h b/src/rpc/virnetsocket.h index 261d923..3d88cc3 100644 --- a/src/rpc/virnetsocket.h +++ b/src/rpc/virnetsocket.h @@ -105,7 +105,8 @@ int virNetSocketGetPort(virNetSocketPtr sock); int virNetSocketGetUNIXIdentity(virNetSocketPtr sock, uid_t *uid, gid_t *gid, - pid_t *pid); + pid_t *pid, + unsigned long long *timestamp); int virNetSocketSetBlocking(virNetSocketPtr sock, bool blocking); diff --git a/src/util/virprocess.c b/src/util/virprocess.c index 958f5f7..08a6f19 100644 --- a/src/util/virprocess.c +++ b/src/util/virprocess.c @@ -26,11 +26,19 @@ #include <errno.h> #include <sys/wait.h> +#ifdef __FreeBSD__ +# include <sys/param.h> +# include <sys/sysctl.h> +# include <sys/user.h> +#endif + +#include "viratomic.h" #include "virprocess.h" #include "virterror_internal.h" #include "memory.h" #include "logging.h" #include "util.h" +#include "virstring.h" #define VIR_FROM_THIS VIR_FROM_NONE @@ -235,3 +243,113 @@ int virProcessKill(pid_t pid, int sig) return kill(pid, sig); #endif } + + +#ifdef __linux__ +/* + * Port of code from polkitunixprocess.c under terms + * of the LGPLv2+ + */ +int virProcessGetStartTime(pid_t pid, + unsigned long long *timestamp) +{ + char *filename = NULL; + char *buf = NULL; + char *tmp; + int ret = -1; + int len; + char **tokens = NULL; + + if (virAsprintf(&filename, "/proc/%llu/stat", + (unsigned long long)pid) < 0) { + virReportOOMError(); + return -1; + } + + if ((len = virFileReadAll(filename, 1024, &buf)) < 0) + goto cleanup; + + /* start time is the token at index 19 after the '(process name)' entry - since only this + * field can contain the ')' character, search backwards for this to avoid malicious + * processes trying to fool us + */ + + if (!(tmp = strrchr(buf, ')'))) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot find start time in %s"), + filename); + goto cleanup; + } + tmp += 2; /* skip ') ' */ + if ((tmp - buf) >= len) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot find start time in %s"), + filename); + goto cleanup; + } + + tokens = virStringSplit(tmp, " ", 0); + + if (virStringListLength(tokens) < 20) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot find start time in %s"), + filename); + goto cleanup; + } + + if (virStrToLong_ull(tokens[19], + NULL, + 10, + timestamp) < 0) { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Cannot parse start time %s in %s"), + tokens[19], filename); + goto cleanup; + } + + ret = 0; + +cleanup: + virStringFreeList(tokens); + VIR_FREE(filename); + VIR_FREE(buf); + return ret; +} +#elif defined(__FreeBSD__) +int virProcessGetStartTime(pid_t pid, + unsigned long long *timestamp) +{ + struct kinfo_proc p; + int mib[4]; + size_t len = 4; + + sysctlnametomib("kern.proc.pid", mib, &len); + + len = sizeof(struct kinfo_proc); + mib[3] = pid; + + if (sysctl(mib, 4, &p, &len, NULL, 0) < 0) { + virReportSystemError(errno, "%s", + _("Unable to query process ID start time")); + return -1; + } + + *timestamp = (unsigned long long)p.ki_start.tv_sec; + + return 0; + +} +#else +int virProcessGetStartTime(pid_t pid, + unsigned long long *timestamp) +{ + static int warned = 0; + if (virAtomicIntInc(&warned) == 1) { + VIR_WARN("Process start time of pid %llu not available on this platform", + (unsigned long long)pid); + warned = true; + } + *timestamp = 0; + return 0; +} +#endif diff --git a/src/util/virprocess.h b/src/util/virprocess.h index 048a73c..30ca21f 100644 --- a/src/util/virprocess.h +++ b/src/util/virprocess.h @@ -39,4 +39,7 @@ virProcessWait(pid_t pid, int *exitstatus) int virProcessKill(pid_t pid, int sig); +int virProcessGetStartTime(pid_t pid, + unsigned long long *timestamp); + #endif /* __VIR_PROCESS_H__ */ diff --git a/src/util/virstring.c b/src/util/virstring.c index 1917e9a..92289eb 100644 --- a/src/util/virstring.c +++ b/src/util/virstring.c @@ -166,3 +166,14 @@ void virStringFreeList(char **strings) } VIR_FREE(strings); } + + +size_t virStringListLength(char **strings) +{ + size_t i = 0; + + while (strings && strings[i]) + i++; + + return i; +} diff --git a/src/util/virstring.h b/src/util/virstring.h index a569fe0..d68ed2f 100644 --- a/src/util/virstring.h +++ b/src/util/virstring.h @@ -35,4 +35,6 @@ char *virStringJoin(const char **strings, void virStringFreeList(char **strings); +size_t virStringListLength(char **strings); + #endif /* __VIR_STRING_H__ */ -- 1.8.3.1

Eric Blake

2:40 p.m.

New subject: [libvirt] [PATCH 2/2] Add support for using 3-arg pkcheck syntax for process (CVE-2013-4311)

Daniel P. Berrange

2:47 p.m.

New subject: [libvirt] [PATCH 0/2] v0.10.2-maint backport for CVE-2013-4311

On Wed, Sep 18, 2013 at 08:40:26AM -0600, Eric Blake wrote:

...

Also discussed on the security list, and now pushed to v0.10.2-maint. I'm working on patching v1.0.5-maint next, since that also affects Fedora. ALL of the v*-maint branches need this backported; although I have just been focusing on the Fedora branches, I'm willing to help do the work for other branches that matter to anyone else. Cole will be cutting 1.0.5.6 and 0.10.2.8 later today.

I've got rebases prepared for most of the other branches. I'll keep the list updated with where I am. I'll be pushing v1.1.2-maint shortly, since that cherry picks without any conflicts. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

Daniel P. Berrange

5:02 p.m.

New subject: [libvirt] [PATCH 0/2] v0.10.2-maint backport for CVE-2013-4311

On Wed, Sep 18, 2013 at 03:47:46PM +0100, Daniel P. Berrange wrote:

...

On Wed, Sep 18, 2013 at 08:40:26AM -0600, Eric Blake wrote:

...
Also discussed on the security list, and now pushed to v0.10.2-maint. I'm working on patching v1.0.5-maint next, since that also affects Fedora. ALL of the v*-maint branches need this backported; although I have just been focusing on the Fedora branches, I'm willing to help do the work for other branches that matter to anyone else. Cole will be cutting 1.0.5.6 and 0.10.2.8 later today.

I've got rebases prepared for most of the other branches. I'll keep the list updated with where I am.

I'll be pushing v1.1.2-maint shortly, since that cherry picks without any conflicts.

FYI I have pushed backports to all branches from v1.1.2-maint down to v1.0.3-maint inclusive. Daniel -- |: http://berrange.com -o- http://www.flickr.com/photos/dberrange/ :| |: http://libvirt.org -o- http://virt-manager.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: http://entangle-photo.org -o- http://live.gnome.org/gtk-vnc :|

4366

Age (days ago)

4367

Last active (days ago)

List overview

Download

9 comments

3 participants

participants (3)

Daniel P. Berrange
Eric Blake
Jiri Denemark

[libvirt] [PATCH 0/3] Fix for polkit race condition

tags

participants (3)