On 01/22/2014 03:52 AM, Daniel P. Berrange wrote:
> On Tue, Jan 21, 2014 at 10:47:07AM -0700, Eric Blake wrote:
>> I noticed that we allow virDomainGetVcpusFlags even for read-only
>> connections, but that with a flag, it can require guest agent
>> interaction. It is feasible that a malicious guest could
>> intentionally abuse the replies it sends over the guest agent
>> connection to possibly trigger a bug in libvirt's JSON parser,
>> or withhold an answer so as to prevent the use of the agent
>> in a later command such as a shutdown request. Although we
>> don't know of any such exploits now (and therefore don't mind
>> posting this patch publicly without trying to get a CVE assigned),
>> it is better to err on the side of caution and explicitly require
>> full access to any domain where the API requires guest interaction
>> to operate correctly.
>>
>> I audited all commands that are marked as conditionally using a
>> guest agent. Note that at least virDomainFSTrim is documented
>> as needing a guest agent, but that such use is unconditional
>> depending on the hypervisor (so the existing domain:fs_trim ACL
>> should be sufficient there, rather than also requiring domain:write).
>> But when designing future APIs, such as the plans for obtaining
>> a domain's IP addresses, we should copy the approach of this patch
>> in making interaction with the guest be specified via a flag, and
>> use that flag to also require stricter access checks.
>>
>
> ACK

Thanks; pushed.

--
Eric Blake eblake redhat com +1-919-301-3266
Libvirt virtualization library http://libvirt.org
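The design rule the thread settles on, a public flag that turns on guest-agent interaction also raises the access level the call needs, as an added example in C that is not libvirt's code: the policy table, the CONN_RO bit and the access enum are constructed for illustration, while VCPU_GUEST mirrors the value of libvirt's public VIR_DOMAIN_VCPU_GUEST flag.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Connection-level read-only bit (constructed value for this model). */
#define CONN_RO 0x1

/* Flag of virDomainGetVcpusFlags that selects guest-agent interaction;
 * same value as libvirt's public VIR_DOMAIN_VCPU_GUEST. */
#define VCPU_GUEST (1u << 3)

/* Access levels ordered by privilege. */
enum access { ACCESS_NONE = 0, ACCESS_READ = 1, ACCESS_WRITE = 2 };

/* Hypothetical per-API policy entry: a base level, plus a set of flags
 * whose presence escalates the requirement because the call will then
 * talk to the guest. */
struct api_policy {
    const char *name;
    enum access base;
    unsigned int escalate_flags;
    enum access escalated;
};

static const struct api_policy policies[] = {
    /* Plain vCPU query is read-only; asking the agent needs full access. */
    { "virDomainGetVcpusFlags", ACCESS_READ, VCPU_GUEST, ACCESS_WRITE },
    /* A state-changing call needs full access regardless of flags. */
    { "virDomainShutdown", ACCESS_WRITE, 0, ACCESS_WRITE },
};

/* Access level a call with these flags requires; ACCESS_NONE if unknown. */
enum access required_access(const char *api, unsigned int flags)
{
    for (size_t i = 0; i < sizeof(policies) / sizeof(policies[0]); i++) {
        const struct api_policy *p = &policies[i];
        if (strcmp(p->name, api) == 0)
            return (flags & p->escalate_flags) ? p->escalated : p->base;
    }
    return ACCESS_NONE;
}

/* The check a dispatcher runs before the hypervisor driver is entered:
 * deny unknown APIs, and deny when the connection holds less than needed. */
bool call_allowed(unsigned int conn_flags, const char *api, unsigned int flags)
{
    enum access need = required_access(api, flags);
    enum access have = (conn_flags & CONN_RO) ? ACCESS_READ : ACCESS_WRITE;
    return need != ACCESS_NONE && have >= need;
}
```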
-- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list