[libvirt] [PATCH 9/9] remote: pass identity across to newly opened daemons
Michal Privoznik
mprivozn at redhat.com
Fri Sep 13 15:40:29 UTC 2019
On 9/13/19 5:23 PM, Daniel P. Berrangé wrote:
> On Fri, Sep 13, 2019 at 05:13:09PM +0200, Michal Privoznik wrote:
>> On 9/5/19 1:56 PM, Daniel P. Berrangé wrote:
>>> When opening a connection to a second driver inside the daemon, we must
>>> ensure the identity of the current user is passed across. This allows
>>> the second daemon to perform access control checks against the real end
>>> users, instead of against the libvirt daemon that's proxying across the
>>> API calls.
>>>
>>> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
>>> ---
>>> src/libvirt_remote.syms | 1 +
>>> src/remote/remote_daemon_dispatch.c | 112 +++++++++++++++++++++++++---
>>> src/remote/remote_driver.c | 1 +
>>> src/remote/remote_protocol.x | 16 +++-
>>> src/remote_protocol-structs | 8 ++
>>> src/rpc/virnetserverclient.c | 12 +++
>>> src/rpc/virnetserverclient.h | 2 +
>>> 7 files changed, 139 insertions(+), 13 deletions(-)
>>>
>>
>>
>>> /* Define the program number, protocol version and procedure numbers here. */
>>> @@ -6603,5 +6611,11 @@ enum remote_procedure {
>>> * @generate: none
>>> * @acl: domain:write
>>> */
>>> - REMOTE_PROC_DOMAIN_GET_GUEST_INFO = 418
>>> + REMOTE_PROC_DOMAIN_GET_GUEST_INFO = 418,
>>> +
>>> + /**
>>> + * @generate: client
>>> + * @acl: connect:write
>>> + */
>>> + REMOTE_PROC_CONNECT_SET_IDENTITY = 419
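Review bot: the `* @acl: connect:write` annotation on REMOTE_PROC_CONNECT_SET_IDENTITY gates identity switching behind the same permission that ordinary management operations already require, so any client holding connect:write can invoke it and polkit policy cannot distinguish the proxying daemon from a regular privileged client; a dedicated connect permission for this procedure would let the ACL express that only the proxy may set an identity.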
>>
>> IIUC, the only thing that stops a malicious user from switching identity is
>> that they have write access on the opened connection?
>
> We consider 'write' access as equivalent to root shell access, but perhaps
> there is none the less value in having an explicit permission bit for this
> operation.
>
Agreed, you can post it as a follow-up patch.
>> Because on one hand we want secondary daemons to accept identity switches
>> from the proxy daemon, but at the same time we don't want users to do that.
>
> In an out-of-the-box config with no ACLs defined in polkit, this will
> correctly operate. The proxy will get approved by default since it is
> running root & thus polkit grants access regardless. Everything else
> is denied by default.
>
> If polkit is not enabled, then the user can invoke this RPC, but of
> course without polkit your privileges are again equivalent to root.
Right, this is exactly what I thought. Alright,
Reviewed-by: Michal Privoznik <mprivozn at redhat.com> to the whole patchset.
Michal