Re: [PATCH 9/9] remote: pass identity across to newly opened daemons

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Sep 13, 2019 at 05:13:09PM +0200, Michal Privoznik wrote:
> On 9/5/19 1:56 PM, Daniel P. Berrangé wrote:
> > When opening a connection to a second driver inside the daemon, we must
> > ensure the identity of the current user is passed across. This allows
> > the second daemon to perform access control checks against the real end
> > users, instead of against the libvirt daemon that's proxying across the
> > API calls.
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
> > ---
> >   src/libvirt_remote.syms             |   1 +
> >   src/remote/remote_daemon_dispatch.c | 112 +++++++++++++++++++++++++---
> >   src/remote/remote_driver.c          |   1 +
> >   src/remote/remote_protocol.x        |  16 +++-
> >   src/remote_protocol-structs         |   8 ++
> >   src/rpc/virnetserverclient.c        |  12 +++
> >   src/rpc/virnetserverclient.h        |   2 +
> >   7 files changed, 139 insertions(+), 13 deletions(-)
> > 
> 
> 
> >   /* Define the program number, protocol version and procedure numbers here. */
> > @@ -6603,5 +6611,11 @@ enum remote_procedure {
> >        * @generate: none
> >        * @acl: domain:write
> >        */
> > -    REMOTE_PROC_DOMAIN_GET_GUEST_INFO = 418
> > +    REMOTE_PROC_DOMAIN_GET_GUEST_INFO = 418,
> > +
> > +    /**
> > +     * @generate: client
> > +     * @acl: connect:write
> > +     */
> > +    REMOTE_PROC_CONNECT_SET_IDENTITY = 419
> 
> IIUC, the only thing that stops a malicious user from switching identity is
> that they have write access on the opened connection?

We consider 'write' access as equivalent to root shell access, but perhaps
there is none the less value in having an explicit permission bit for this
operation.

> Because on one hand we want secondary daemons to accept identity switches
> from the proxy daemon, but at the same time we don't want users to do that.

In an out of the box config with no ACLs defined in polkit, this will
correctly operate. the proxy will get approved by default since it is
runnig root & thus polkit grants access regardless. Everything else
is denied by default.

If polkit is not enabled, then the user can invoke this RPC, but of
course without polkit your privileges are again eqiuv to root.

> Code-wise, patches are good and I'd ACK them, but this is a bit unclear to
> me so I'd like to understand it more first.
> 
> >   };
> > diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs
> > index 616c3d5d52..71169c4148 100644
> > --- a/src/remote_protocol-structs
> > +++ b/src/remote_protocol-structs
> > @@ -3115,6 +3115,13 @@ struct remote_domain_get_guest_info_ret {
> >                   u_int              params_len;
> >                   remote_typed_param * params_val;
> >           } params;
> > +}
> 
> s/}/};/
> 
> > +struct remote_connect_set_identity_args {
> > +        struct {
> > +                u_int              params_len;
> > +                remote_typed_param * params_val;
> > +        } params;
> > +        u_int                      flags;
> >   };
> 
> Michal

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux