[libvirt] [PATCH 9/9] remote: pass identity across to newly opened daemons

Michal Privoznik mprivozn at redhat.com
Fri Sep 13 15:13:09 UTC 2019


On 9/5/19 1:56 PM, Daniel P. Berrangé wrote:
> When opening a connection to a second driver inside the daemon, we must
> ensure the identity of the current user is passed across. This allows
> the second daemon to perform access control checks against the real end
> users, instead of against the libvirt daemon that's proxying across the
> API calls.
> 
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>   src/libvirt_remote.syms             |   1 +
>   src/remote/remote_daemon_dispatch.c | 112 +++++++++++++++++++++++++---
>   src/remote/remote_driver.c          |   1 +
>   src/remote/remote_protocol.x        |  16 +++-
>   src/remote_protocol-structs         |   8 ++
>   src/rpc/virnetserverclient.c        |  12 +++
>   src/rpc/virnetserverclient.h        |   2 +
>   7 files changed, 139 insertions(+), 13 deletions(-)
> 


>   /* Define the program number, protocol version and procedure numbers here. */
> @@ -6603,5 +6611,11 @@ enum remote_procedure {
>        * @generate: none
>        * @acl: domain:write
>        */
> -    REMOTE_PROC_DOMAIN_GET_GUEST_INFO = 418
> +    REMOTE_PROC_DOMAIN_GET_GUEST_INFO = 418,
> +
> +    /**
> +     * @generate: client
> +     * @acl: connect:write
> +     */
> +    REMOTE_PROC_CONNECT_SET_IDENTITY = 419

IIUC, the only thing that stops a malicious user from switching identity 
is that they have write access on the opened connection?
Because on one hand we want secondary daemons to accept identity 
switches from the proxy daemon, but at the same time we don't want users 
to do that.

Code-wise, patches are good and I'd ACK them, but this is a bit unclear 
to me so I'd like to understand it more first.

>   };
> diff --git a/src/remote_protocol-structs b/src/remote_protocol-structs
> index 616c3d5d52..71169c4148 100644
> --- a/src/remote_protocol-structs
> +++ b/src/remote_protocol-structs
> @@ -3115,6 +3115,13 @@ struct remote_domain_get_guest_info_ret {
>                   u_int              params_len;
>                   remote_typed_param * params_val;
>           } params;
> +}

s/}/};/

> +struct remote_connect_set_identity_args {
> +        struct {
> +                u_int              params_len;
> +                remote_typed_param * params_val;
> +        } params;
> +        u_int                      flags;
>   };

Michal




More information about the libvir-list mailing list