On Thu, Jan 09, 2025 at 12:03:58AM -0500, Takuya Nakaike wrote:
> This patch is a draft implementation to pass a domain
> XML to a polkit access driver. With this new feature, a polkit rule can
> verify the domain XML to be deployed on a host, and thus protect against deploying a
> malicious VM.
>
> There is a discussion about this new feature in the following issue.
>
> https://gitlab.com/libvirt/libvirt/-/issues/719
>
> Any questions, comments, and suggestions are welcome. Thanks,

Let's keep discussion on that issue. My comments there express why I
think this is a bad approach that should not be merged.

> diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
> index 83381183a5..56457010e0 100644
> --- a/src/access/viraccessdriverpolkit.c
> +++ b/src/access/viraccessdriverpolkit.c
> @@ -177,10 +177,12 @@ virAccessDriverPolkitCheckDomain(virAccessManager *manager,
>                                   virAccessPermDomain perm)
>  {
>      char uuidstr[VIR_UUID_STRING_BUFLEN];
> +    char *xml = virAccessManagerGetXMLDesc(domain);
>      const char *attrs[] = {
>          "connect_driver", driverName,
>          "domain_name", domain->name,
>          "domain_uuid", uuidstr,
> +        "xml", xml != NULL ? xml : "",
>          NULL,
>      };

NB, that's a memory leak

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
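Review bot: in the virAccessDriverPolkitCheckDomain hunk, the string returned by virAccessManagerGetXMLDesc() is assigned to `char *xml` and never freed on any path out of the function, which is the leak Daniel points out; declaring it `g_autofree char *xml = virAccessManagerGetXMLDesc(domain);` (the usual libvirt convention for heap-allocated strings) would release it when the function returns, and the `attrs[]` initializer that follows can stay as it is since `xml` outlives the polkit check. Separately, the `xml != NULL ? xml : ""` fallback means that if fetching the domain XML fails, the polkit rule is silently handed an empty document under the "xml" key and a rule that inspects the XML would be asked to authorize on that empty string; treating a NULL result as an error from the check (returning the failure rather than substituting "") would be the safer default, and the hunk does not show what virAccessManagerGetXMLDesc() reports on failure, so that ownership and error contract should be documented where it is added.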