[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt] [PATCH] event: move event filtering to daemon (regression fix)



On Tue, Jan 28, 2014 at 03:48:19PM -0700, Eric Blake wrote:
> Commit f9f56340 for CVE-2014-0028 almost had the right idea - we
> need to check the ACL rules to filter which events to send.  But
> it overlooked one thing: the event dispatch queue is running in
> the main loop thread, and therefore does not normally have a
> current virIdentityPtr.  But filter checks can be based on current
> identity, so when libvirtd.conf contains access_drivers=["polkit"],
> we ended up rejecting access for EVERY event due to failure to
> look up the current identity, even if it should have been allowed.
> 
> Furthermore, even for events that are triggered by API calls, it
> is important to remember that the point of events is that they can
> be copied across multiple connections, which may have separate
> identities and permissions.  So even if events were dispatched
> from a context where we have an identity, we must change to the
> correct identity of the connection that will be receiving the
> event, rather than basing a decision on the context that triggered
> the event, when deciding whether to filter an event to a
> particular connection.
> 
> If there were an easy way to get from virConnectPtr to the
> appropriate virIdentityPtr, then object_event.c could adjust the
> identity prior to checking whether to dispatch an event.  But
> setting up that back-reference is a bit invasive.  Instead, it
> is easier to delay the filtering check until lower down the
> stack, at the point where we have direct access to the RPC
> client object that owns an identity.  As such, this patch ends
> up reverting a large portion of the framework of commit f9f56340.
> We also have to teach 'make check' to special-case the fact that
> the event registration filtering is done at the point of dispatch,
> rather than the point of registration.  Note that even though we
> don't actually use virConnectDomainEventRegisterCheckACL (because
> the RegisterAny variant is sufficient), we still generate the
> function for the purposes of documenting that the filtering
> takes place.
> 
> Also note that I did not entirely delete the notion of a filter
> from object_event.c; I still plan on using that for my upcoming
> patch series for qemu monitor events in libvirt-qemu.so.  In
> other words, while this patch changes ACL filtering to live in
> remote.c and therefore we have no current client of the filtering
> in object_event.c, the notion of filtering in object_event.c is
> still useful down the road.
> 
> * src/check-aclrules.pl: Exempt event registration from having to
> pass checkACL filter down call stack.
> * daemon/remote.c (remoteRelayDomainEventCheckACL)
> (remoteRelayNetworkEventCheckACL): New functions.
> (remoteRelay*Event*): Use new functions.
> * src/conf/domain_event.h (virDomainEventStateRegister)
> (virDomainEventStateRegisterID): Drop unused parameter.
> * src/conf/network_event.h (virNetworkEventStateRegisterID):
> Likewise.
> * src/conf/domain_event.c (virDomainEventFilter): Delete unused
> function.
> * src/conf/network_event.c (virNetworkEventFilter): Likewise.
> * src/libxl/libxl_driver.c: Adjust caller.
> * src/lxc/lxc_driver.c: Likewise.
> * src/network/bridge_driver.c: Likewise.
> * src/qemu/qemu_driver.c: Likewise.
> * src/remote/remote_driver.c: Likewise.
> * src/test/test_driver.c: Likewise.
> * src/uml/uml_driver.c: Likewise.
> * src/vbox/vbox_tmpl.c: Likewise.
> * src/xen/xen_driver.c: Likewise.
> 
> Signed-off-by: Eric Blake <eblake redhat com>
> ---
>  daemon/remote.c             | 257 ++++++++++++++++++++++++++++----------------
>  src/check-aclrules.pl       |   7 +-
>  src/conf/domain_event.c     |  35 +-----
>  src/conf/domain_event.h     |   8 +-
>  src/conf/network_event.c    |  31 +-----
>  src/conf/network_event.h    |   6 +-
>  src/libxl/libxl_driver.c    |   2 -
>  src/lxc/lxc_driver.c        |   2 -
>  src/network/bridge_driver.c |   1 -
>  src/qemu/qemu_driver.c      |   2 -
>  src/remote/remote_driver.c  |   4 +-
>  src/test/test_driver.c      |   6 +-
>  src/uml/uml_driver.c        |   2 -
>  src/vbox/vbox_tmpl.c        |   4 +-
>  src/xen/xen_driver.c        |   2 -
>  15 files changed, 188 insertions(+), 181 deletions(-)

ACK

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]