Re: [PATCH] virt-aa-helper: disallow VNC socket read permissions

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 04/11/2016 03:06 AM, Cedric Bosdonnat wrote:
> On Fri, 2016-04-08 at 18:55 +0200, Guido Günther wrote:
>> On Fri, Apr 08, 2016 at 09:01:33AM -0400, Cole Robinson wrote:
>>> From: Simon Arlott <bugzilla.redhat.simon@xxxxxxxxxx>
>>>
>>> The VM does not need read permission for its own VNC socket to
>>> create(),
>>> bind(), accept() connections or to receive(), send(), etc. on
>>> connections.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1312573
>>> ---
>>>  src/security/virt-aa-helper.c | 2 +-
>>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa
>>> -helper.c
>>> index 50d2a08..a4cb409 100644
>>> --- a/src/security/virt-aa-helper.c
>>> +++ b/src/security/virt-aa-helper.c
>>> @@ -1062,7 +1062,7 @@ get_files(vahControl * ctl)
>>>      for (i = 0; i < ctl->def->ngraphics; i++) {
>>>          if (ctl->def->graphics[i]->type ==
>>> VIR_DOMAIN_GRAPHICS_TYPE_VNC &&
>>>              ctl->def->graphics[i]->data.vnc.socket &&
>>> -            vah_add_file(&buf, ctl->def->graphics[i]
>>> ->data.vnc.socket, "rw"))
>>> +            vah_add_file(&buf, ctl->def->graphics[i]
>>> ->data.vnc.socket, "w"))
>>>              goto cleanup;
>>>      }
>>
>> ACK. I'd be great if Jamie or Cedric would comment also though on
>> this
>> security sensitive stuff.
> 
> I'm not a socket expert, but it sounds weird to me that recv doesn't
> need read access to the socket file. ACK to this patch as long a read
> is really not needed.
> 
> Jamie, any thoughts?
> 

Maybe someone with an apparmor setup can give it a test?

  <graphics type='vnc' socket='/tmp/foo.vnc'/>

Then open the VM locally in virt-manager (virt-viewer probably has a URI for
it too but I didn't figure it out. Make sure the app isn't using the libvirt
OpenGraphics API though since that won't go through the actual socket)

Thanks,
Cole

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]