[PATCH] virt-aa-helper: disallow graphics socket read permissions
Simon Arlott
libvirt at octiron.net
Thu May 28 09:31:52 UTC 2020
The VM does not need read permission for its own sockets to create(),
bind(), accept() connections or to recv(), send(), etc. on connections.
This was fixed in ab9569e5460d1e4737fe8b625c67687dc2204665
(virt-aa-helper: disallow VNC socket read permissions),
but then b6465e1aa49397367a9cd0f27110b9c2280a7385
(graphics: introduce new listen type 'socket')
and acc83afe333bfadd3f7f79091d38ca3d7da1eeb2
(acc83afe333bfadd3f7f79091d38ca3d7da1eeb2) reverted it.
Unless the read permission is omitted, VMs can connect to each other's
VNC/graphics sockets.
Signed-off-by: Simon Arlott <libvirt at octiron.net>
---
src/security/virt-aa-helper.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/security/virt-aa-helper.c b/src/security/virt-aa-helper.c
index 6e6dd1b1db..fddbdafc41 100644
--- a/src/security/virt-aa-helper.c
+++ b/src/security/virt-aa-helper.c
@@ -1053,7 +1053,7 @@ get_files(vahControl * ctl)
if (listenObj.type == VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_SOCKET &&
listenObj.socket &&
- vah_add_file(&buf, listenObj.socket, "rw"))
+ vah_add_file(&buf, listenObj.socket, "w"))
goto cleanup;
}
}
--
2.17.1
--
Simon Arlott
More information about the libvir-list
mailing list