From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

The virConnectDomainXMLToNative API should require 'connect:write' not 'connect:read', since it will trigger execution of the QEMU binaries listed in the XML.

Also make virConnectDomainXMLFromNative API require a full read-write connection and 'connect:write' permission. Although the current impl doesn't trigger execution of QEMU, we should not rely on that impl detail from an API permissioning POV.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

Pushed as a security fix
---
 src/libvirt.c                | 4 ++++
 src/remote/remote_protocol.x | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index 9f579a6..7fa675a 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4611,6 +4611,10 @@ char *virConnectDomainXMLFromNative(virConnectPtr conn,
         virDispatchError(NULL);
         return NULL;
     }
+    if (conn->flags & VIR_CONNECT_RO) {
+        virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
 
     virCheckNonNullArgGoto(nativeFormat, error);
     virCheckNonNullArgGoto(nativeConfig, error);
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index 810eeca..f942670 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -3826,13 +3826,13 @@ enum remote_procedure {
 
     /**
      * @generate: both
-     * @acl: connect:read
+     * @acl: connect:write
      */
     REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135,
 
     /**
      * @generate: both
-     * @acl: connect:read
+     * @acl: connect:write
      */
     REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136,
-- 
1.8.3.1

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
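Review bot: The VIR_CONNECT_RO guard is added only to virConnectDomainXMLFromNative in the src/libvirt.c hunk, while the description names virConnectDomainXMLToNative as the API that actually executes the QEMU binaries named in the XML; that function's entry point is not touched by this patch, so whether it already rejects read-only connections cannot be confirmed from the diff and should be checked before relying on the 'connect:write' ACL alone. The ACL change in the src/remote/remote_protocol.x hunk only takes effect once the generated dispatch code is regenerated from the `@acl` annotation, which is worth stating in the commit message. As a point of style, the new check reports via `virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__)` for what is a connection-level API; the preceding invalid-connection branch (its first line is outside the hunk) presumably uses the connection-level reporter, so the same reporter would be consistent here, e.g. `virLibConnError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);`. The body of virConnectDomainXMLFromNative, including the `error:` label the new `goto` targets, continues outside the hunk.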