openSUSE:Evergreen:11.2:Test
libvirt
CVE-2010-223x-0008.patch
File CVE-2010-223x-0008.patch of Package libvirt
>From e7db25186de8cb278f2b5f5c51e965129defaa11 Mon Sep 17 00:00:00 2001 From: Daniel P. Berrange <berrange@redhat.com> Date: Tue, 15 Jun 2010 17:58:58 +0100 Subject: [PATCH 08/10] Disable all disk probing in QEMU driver & add config option to re-enable Disk format probing is now disabled by default. A new config option in /etc/qemu/qemu.conf will re-enable it for existing deployments where this causes trouble --- src/qemu/libvirtd_qemu.aug | 1 + src/qemu/qemu.conf | 12 ++++++++++++ src/qemu/qemu_conf.c | 4 ++++ src/qemu/qemu_conf.h | 1 + src/qemu/qemu_driver.c | 36 +++++++++++++++++++++++------------- src/qemu/qemu_security_dac.c | 2 +- src/qemu/test_libvirtd_qemu.aug | 4 ++++ src/security/security_apparmor.c | 12 ++++++++---- src/security/security_driver.c | 16 ++++++++++++++-- src/security/security_driver.h | 10 ++++++++-- src/security/security_selinux.c | 9 ++++++--- src/security/virt-aa-helper.c | 10 +++++++++- tests/seclabeltest.c | 2 +- 13 files changed, 92 insertions(+), 27 deletions(-) Index: libvirt-0.7.2/src/qemu/qemu.conf =================================================================== --- libvirt-0.7.2.orig/src/qemu/qemu.conf +++ libvirt-0.7.2/src/qemu/qemu.conf @@ -152,3 +152,15 @@ # in a location of $MOUNTPOINT/libvirt/qemu # hugetlbfs_mount = "/dev/hugepages" + + + +# If allow_disk_format_probing is enabled, libvirt will probe disk +# images to attempt to identify their format, when not otherwise +# specified in the XML. This is disabled by default. +# +# WARNING: Enabling probing is a security hole in almost all +# deployments. It is strongly recommended that users update their +# guest XML <disk> elements to include <driver type='XXXX'/> +# elements instead of enabling this option. +# allow_disk_format_probing = 1 Index: libvirt-0.7.2/src/qemu/qemu_conf.c =================================================================== --- libvirt-0.7.2.orig/src/qemu/qemu_conf.c +++ libvirt-0.7.2/src/qemu/qemu_conf.c 
@@ -318,6 +318,10 @@ int qemudLoadDriverConfig(struct qemud_d } } + p = virConfGetValue (conf, "allow_disk_format_probing"); + CHECK_TYPE ("allow_disk_format_probing", VIR_CONF_LONG); + if (p) driver->allowDiskFormatProbing = p->l; + virConfFree (conf); return 0; } Index: libvirt-0.7.2/src/qemu/qemu_driver.c =================================================================== --- libvirt-0.7.2.orig/src/qemu/qemu_driver.c +++ libvirt-0.7.2/src/qemu/qemu_driver.c @@ -391,7 +391,8 @@ qemudSecurityInit(struct qemud_driver *q virSecurityDriverPtr security_drv; ret = virSecurityDriverStartup(&security_drv, - qemud_drv->securityDriverName); + qemud_drv->securityDriverName, + qemud_drv->allowDiskFormatProbing); if (ret == -1) { VIR_ERROR0(_("Failed to start security driver")); return -1; Index: libvirt-0.7.2/src/security/security_apparmor.c =================================================================== --- libvirt-0.7.2.orig/src/security/security_apparmor.c +++ libvirt-0.7.2/src/security/security_apparmor.c @@ -159,6 +159,8 @@ load_profile(virConnectPtr conn, char *xml = NULL; int pipefd[2]; pid_t child; + const char *probe = virSecurityDriverGetAllowDiskFormatProbing(drv) + ? "1" : "0"; if (pipe(pipefd) < -1) { virReportSystemError(conn, errno, "%s", _("unable to create pipe")); 
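Review bot: In qemudLoadDriverConfig (src/qemu/qemu_conf.c), `driver->allowDiskFormatProbing = p->l;` stores a long into the field that the qemu_conf.h hunk declares as `unsigned int allowDiskFormatProbing : 1;`, so only the low bit of the configured value is kept. `allow_disk_format_probing = 2` would leave probing off while `3` or `-1` would turn it on, which is an awkward way for a security-sensitive switch to behave. I would normalise the value with `if (p) driver->allowDiskFormatProbing = (p->l != 0);`, or reject anything other than 0 and 1 as a configuration error. The function body starts outside the hunk.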
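Review bot: In src/qemu/qemu_driver.c the only call site changed is the virSecurityDriverStartup() call in qemudSecurityInit, yet the diffstat in the commit record lists 36 changed lines for this file and also names src/qemu/qemu_security_dac.c and src/qemu/test_libvirtd_qemu.aug, none of which have hunks on this page. That is presumably the result of adapting the change to libvirt-0.7.2, but the fix depends on every probing call site honouring the new flag, so the backport should state which upstream hunks were dropped and why. A check that no caller in this tree still passes a literal `true` in the argument position that this patch replaces in virDomainDiskDefForeachPath() would close the question. qemudSecurityInit continues outside the hunk.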
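Review bot: The new initialiser in load_profile (src/security/security_apparmor.c) reads `virSecurityDriverGetAllowDiskFormatProbing(drv)`, but the visible start of the signature is `load_profile(virConnectPtr conn,` and no hunk on this page adds a `drv` parameter, so please confirm that `drv` is in scope in this tree. Separately, the context line `if (pipe(pipefd) < -1)` just below can never be true, since pipe() returns 0 or -1; it is not introduced here, but as the function is being touched the test should become `if (pipe(pipefd) < 0)`. The rest of load_profile is outside this hunk.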
@@ -174,19 +176,19 @@ load_profile(virConnectPtr conn, if (create) { const char *const argv[] = { - VIRT_AA_HELPER, "-c", "-u", profile, NULL + VIRT_AA_HELPER, "-p", probe, "-c", "-u", profile, NULL }; ret = virExec(conn, argv, NULL, NULL, &child, pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); } else if (disk && disk->src) { const char *const argv[] = { - VIRT_AA_HELPER, "-r", "-u", profile, "-f", disk->src, NULL + VIRT_AA_HELPER, "-p", probe, "-r", "-u", profile, "-f", disk->src, NULL }; ret = virExec(conn, argv, NULL, NULL, &child, pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); } else { const char *const argv[] = { - VIRT_AA_HELPER, "-r", "-u", profile, NULL + VIRT_AA_HELPER, "-p", probe, "-r", "-u", profile, NULL }; ret = virExec(conn, argv, NULL, NULL, &child, pipefd[0], NULL, NULL, VIR_EXEC_CLEAR_CAPS); @@ -310,9 +312,12 @@ AppArmorSecurityDriverProbe(void) * currently not used. */ static int -AppArmorSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv) +AppArmorSecurityDriverOpen(virConnectPtr conn, + virSecurityDriverPtr drv, + bool allowDiskFormatProbing) { virSecurityDriverSetDOI(conn, drv, SECURITY_APPARMOR_VOID_DOI); + virSecurityDriverSetAllowDiskFormatProbing(drv, allowDiskFormatProbing); return 0; } Index: libvirt-0.7.2/src/security/security_driver.c =================================================================== --- libvirt-0.7.2.orig/src/security/security_driver.c +++ libvirt-0.7.2/src/security/security_driver.c @@ -56,7 +56,8 @@ virSecurityDriverVerify(virConnectPtr co int virSecurityDriverStartup(virSecurityDriverPtr *drv, - const char *name) + const char *name, + bool allowDiskFormatProbing) { unsigned int i; @@ -72,7 +73,7 @@ virSecurityDriverStartup(virSecurityDriv switch (tmp->probe()) { case SECURITY_DRIVER_ENABLE: virSecurityDriverInit(tmp); - if (tmp->open(NULL, tmp) == -1) { + if (tmp->open(NULL, tmp, allowDiskFormatProbing) == -1) { return -1; } else { *drv = tmp; 
@@ -144,3 +145,14 @@ virSecurityDriverGetModel(virSecurityDri { return drv->name; } + +void virSecurityDriverSetAllowDiskFormatProbing(virSecurityDriverPtr drv, + bool allowDiskFormatProbing) +{ + drv->_private.allowDiskFormatProbing = allowDiskFormatProbing; +} + +bool virSecurityDriverGetAllowDiskFormatProbing(virSecurityDriverPtr drv) +{ + return drv->_private.allowDiskFormatProbing; +} Index: libvirt-0.7.2/src/security/security_driver.h =================================================================== --- libvirt-0.7.2.orig/src/security/security_driver.h +++ libvirt-0.7.2/src/security/security_driver.h @@ -30,7 +30,8 @@ typedef struct _virSecurityDriver virSec typedef virSecurityDriver *virSecurityDriverPtr; typedef virSecurityDriverStatus (*virSecurityDriverProbe) (void); typedef int (*virSecurityDriverOpen) (virConnectPtr conn, - virSecurityDriverPtr drv); + virSecurityDriverPtr drv, + bool allowDiskFormatProbing); typedef int (*virSecurityDomainRestoreImageLabel) (virConnectPtr conn, virSecurityDriverPtr drv, virDomainObjPtr vm, @@ -85,12 +86,14 @@ struct _virSecurityDriver { */ struct { char doi[VIR_SECURITY_DOI_BUFLEN]; + bool allowDiskFormatProbing; } _private; }; /* Global methods */ int virSecurityDriverStartup(virSecurityDriverPtr *drv, - const char *name); + const char *name, + bool allowDiskFormatProbing); int virSecurityDriverVerify(virConnectPtr conn, virDomainDefPtr def); 
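Review bot: The two accessors added at the end of src/security/security_driver.c carry no comment, and nothing says who is expected to call the setter. From the other hunks it is called from the AppArmor and SELinux open() callbacks, so a comment such as `/* Record whether disk image format probing is permitted; called from each driver's open() callback. */` above virSecurityDriverSetAllowDiskFormatProbing would document that. Both functions dereference `drv` without a NULL check, which matches virSecurityDriverGetModel in the context lines above, so that part is consistent with the file.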
@@ -104,7 +107,10 @@ void virSecurityDriverInit(virSecurityDr int virSecurityDriverSetDOI(virConnectPtr conn, virSecurityDriverPtr drv, const char *doi); +void virSecurityDriverSetAllowDiskFormatProbing(virSecurityDriverPtr drv, + bool allowDiskFormatProbing); const char *virSecurityDriverGetDOI(virSecurityDriverPtr drv); const char *virSecurityDriverGetModel(virSecurityDriverPtr drv); +bool virSecurityDriverGetAllowDiskFormatProbing(virSecurityDriverPtr drv); #endif /* __VIR_SECURITY_H__ */ Index: libvirt-0.7.2/src/security/security_selinux.c =================================================================== --- libvirt-0.7.2.orig/src/security/security_selinux.c +++ libvirt-0.7.2/src/security/security_selinux.c @@ -264,13 +264,16 @@ SELinuxSecurityDriverProbe(void) } static int -SELinuxSecurityDriverOpen(virConnectPtr conn, virSecurityDriverPtr drv) +SELinuxSecurityDriverOpen(virConnectPtr conn, + virSecurityDriverPtr drv, + bool allowDiskFormatProbing ) { /* * Where will the DOI come from? SELinux configuration, or qemu * configuration? For the moment, we'll just set it to "0". */ virSecurityDriverSetDOI(conn, drv, SECURITY_SELINUX_VOID_DOI); + virSecurityDriverSetAllowDiskFormatProbing(drv, allowDiskFormatProbing); return SELinuxInitialize(conn); } 
@@ -426,16 +429,17 @@ SELinuxSetSecurityFileLabel(virDomainDis static int SELinuxSetSecurityImageLabel(virConnectPtr conn, - virSecurityDriverPtr drv ATTRIBUTE_UNUSED, + virSecurityDriverPtr drv, virDomainObjPtr vm, virDomainDiskDefPtr disk) { const virSecurityLabelDefPtr secdef = &vm->def->seclabel; + bool allowDiskFormatProbing = virSecurityDriverGetAllowDiskFormatProbing(drv); return virDomainDiskDefForeachPath(conn, disk, - true, + allowDiskFormatProbing, false, SELinuxSetSecurityFileLabel, secdef); Index: libvirt-0.7.2/src/security/virt-aa-helper.c =================================================================== --- libvirt-0.7.2.orig/src/security/virt-aa-helper.c +++ libvirt-0.7.2/src/security/virt-aa-helper.c @@ -40,6 +40,7 @@ static char *progname; typedef struct { + bool allowDiskFormatProbing; char uuid[PROFILE_NAME_SIZE]; /* UUID of vm */ bool dryrun; /* dry run */ char cmd; /* 'c' create @@ -706,7 +707,7 @@ get_files(vahControl * ctl) for (i = 0; i < ctl->def->ndisks; i++) { int ret = virDomainDiskDefForeachPath(NULL, ctl->def->disks[i], - true, + ctl->allowDiskFormatProbing, false, add_file_path, &buf); @@ -805,6 +806,7 @@ vahParseArgv(vahControl * ctl, int argc, { int arg, idx = 0; struct option opt[] = { + {"probing", 1, 0, 'p' }, {"add", 0, 0, 'a'}, {"create", 0, 0, 'c'}, {"dryrun", 0, 0, 'd'}, @@ -867,6 +869,12 @@ vahParseArgv(vahControl * ctl, int argc, PROFILE_NAME_SIZE) == NULL) vah_error(ctl, 1, "error copying UUID"); break; + case 'p': + if (STREQ(optarg, "1")) + ctl->allowDiskFormatProbing = true; + else + ctl->allowDiskFormatProbing = false; + break; default: vah_error(ctl, 1, "unsupported option"); break; Index: libvirt-0.7.2/tests/seclabeltest.c =================================================================== --- libvirt-0.7.2.orig/tests/seclabeltest.c +++ libvirt-0.7.2/tests/seclabeltest.c 
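Review bot: In vahParseArgv (src/security/virt-aa-helper.c) the patch adds `{"probing", 1, 0, 'p' }` to the long-option table and a `case 'p':`, but the option-parsing call with its short-option string presumably sits between those two hunks and is not changed anywhere on this page. load_profile invokes the helper with the short form `"-p", probe`, so unless that string already contains `p:` the helper would end in `vah_error(ctl, 1, "unsupported option")` and no profile would be loaded; please confirm against the 0.7.2 source. The handler itself falls back to disabled for any argument other than `"1"`, which is the right default, and could be written as `ctl->allowDiskFormatProbing = STREQ(optarg, "1");`.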
@@ -15,7 +15,7 @@ main (int argc ATTRIBUTE_UNUSED, char ** const char *doi, *model; virSecurityDriverPtr security_drv; - ret = virSecurityDriverStartup (&security_drv, "selinux"); + ret = virSecurityDriverStartup (&security_drv, "selinux", false); if (ret == -1) { fprintf (stderr, "Failed to start security driver"); Index: libvirt-0.7.2/src/qemu/qemu_conf.h =================================================================== --- libvirt-0.7.2.orig/src/qemu/qemu_conf.h +++ libvirt-0.7.2/src/qemu/qemu_conf.h @@ -112,6 +112,8 @@ struct qemud_driver { char *hugetlbfs_mount; char *hugepage_path; + unsigned int allowDiskFormatProbing : 1; + virCapsPtr caps; /* An array of callbacks */ Index: libvirt-0.7.2/tests/secaatest.c =================================================================== --- libvirt-0.7.2.orig/tests/secaatest.c +++ libvirt-0.7.2/tests/secaatest.c @@ -15,7 +15,7 @@ main (int argc ATTRIBUTE_UNUSED, char ** const char *doi, *model; virSecurityDriverPtr security_drv; - ret = virSecurityDriverStartup (&security_drv, "apparmor"); + ret = virSecurityDriverStartup (&security_drv, "apparmor", false); if (ret == -1) { fprintf (stderr, "Failed to start security driver"); Index: libvirt-0.7.2/src/qemu/libvirtd_qemu.aug =================================================================== --- libvirt-0.7.2.orig/src/qemu/libvirtd_qemu.aug +++ libvirt-0.7.2/src/qemu/libvirtd_qemu.aug @@ -36,6 +36,7 @@ module Libvirtd_qemu = | str_array_entry "cgroup_device_acl" | str_entry "save_image_format" | str_entry "hugetlbfs_mount" + | bool_entry "allow_disk_format_probing" (* Each enty in the config is one of the following three ... *) let entry = vnc_entry