libvirt/src/vbox
Eric Blake f9f5634053 event: filter global events by domain:getattr ACL [CVE-2014-0028]
Ever since ACL filtering was added in commit 7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends.  We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.

Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration.  But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access.  The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global.  Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:search_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.

Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.

* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-01-15 13:55:21 -07:00
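
The two checks the commit message above describes (a list permission required at registration, and a per-callback filter consulted at dispatch) can be shown in a simplified C model. This is an added example, not libvirt code; every type and function name in it is hypothetical, and the sample identities are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model of ACL-filtered event delivery; every name is
 * hypothetical and none of this is libvirt's object event code.
 * search_domains models connect:search_domains; getattr[] lists the
 * domains the identity holds domain:getattr on (NULL-terminated). */
typedef struct { const char *domain; const char *what; } event_t;
typedef struct { bool search_domains; const char *getattr[4]; } identity_t;
typedef bool (*event_filter)(const identity_t *id, const event_t *ev);
typedef void (*event_cb)(const event_t *ev, void *opaque);
typedef struct {
    const identity_t *id;    /* identity captured at registration */
    event_filter filter;     /* ACL check run again for every event */
    event_cb cb;
    void *opaque;
} callback_t;
static callback_t callbacks[8];
static size_t ncallbacks;

/* Per-event check: may this identity see the domain the event is about? */
static bool domain_getattr_filter(const identity_t *id, const event_t *ev)
{
    for (size_t i = 0; i < 4 && id->getattr[i]; i++)
        if (strcmp(id->getattr[i], ev->domain) == 0)
            return true;
    return false;
}

/* Global registration requires the list permission; returns id or -1. */
int event_register(const identity_t *id, event_cb cb, void *opaque)
{
    if (!id->search_domains || ncallbacks == 8)
        return -1;
    callbacks[ncallbacks] = (callback_t){ id, domain_getattr_filter, cb, opaque };
    return (int)ncallbacks++;
}

/* Dispatch runs each callback's filter first; returns deliveries made. */
int event_dispatch(const event_t *ev)
{
    int delivered = 0;
    for (size_t i = 0; i < ncallbacks; i++) {
        const callback_t *c = &callbacks[i];
        if (!c->filter(c->id, ev))
            continue;        /* subscriber lacks getattr: skip delivery */
        c->cb(ev, c->opaque);
        delivered++;
    }
    return delivered;
}
static void count_cb(const event_t *ev, void *opaque) { (void)ev; ++*(int *)opaque; }
```

Because the filter is stored with the callback and evaluated per event, a global registration only ever receives events for objects its identity could already look up.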
README maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_CAPI_v2_2.h maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_CAPI_v3_0.h maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_CAPI_v3_1.h maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_CAPI_v3_2.h maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_CAPI_v4_0.h maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_CAPI_v4_1.h maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_CAPI_v4_2.h Add support for VirtualBox 4.2 APIs 2013-06-07 14:47:45 +01:00
vbox_CAPI_v4_3.h vbox: import vbox_CAPI_v4_3.h from SDK 2013-11-25 13:25:12 +02:00
vbox_MSCOMGlue.c Adapt to VIR_ALLOC and virAsprintf in src/vbox/* 2013-07-10 11:07:33 +02:00
vbox_MSCOMGlue.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
vbox_V2_2.c maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_V3_0.c maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_V3_1.c maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_V3_2.c maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_V4_0.c maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_V4_1.c maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_V4_2.c Add support for VirtualBox 4.2 APIs 2013-06-07 14:47:45 +01:00
vbox_V4_3.c vbox: add support for 4.3 APIs 2013-11-25 13:25:37 +02:00
vbox_XPCOMCGlue.c Remove all direct use of getenv 2013-10-21 14:03:52 +01:00
vbox_XPCOMCGlue.h maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_driver.c vbox: add support for 4.3 APIs 2013-11-25 13:25:37 +02:00
vbox_driver.h maint: refer to correct license file 2013-05-20 14:32:11 -06:00
vbox_glue.c maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
vbox_glue.h maint: fix up copyright notice inconsistencies 2012-09-20 16:30:55 -06:00
vbox_tmpl.c event: filter global events by domain:getattr ACL [CVE-2014-0028] 2014-01-15 13:55:21 -07:00

README

    Licensing

Note that much of the vbox code in this directory is LGPLv2-only.  Thus, it
cannot be linked into any software that also wants to use GPLv3+ code.
This readme file is:

Copyright (C) 2009, 2013 Red Hat, Inc.

Copying and distribution of this file, with or without modification,
are permitted in any medium without royalty provided the copyright
notice and this notice are preserved.  This file is offered as-is,
without warranty of any kind.

    Explanation of how multi-version support
    for the VirtualBox libvirt driver is implemented.

Since VirtualBox adds multiple new features in each release, it is
natural that the C API which VirtualBox exposes is volatile across
versions, so the driver needs a good mechanism to handle multiple
versions at runtime. The solution is as follows:

Firstly the file structure is as below:

vbox_CAPI_v2_2.h
vbox_XPCOMCGlue.h
vbox_XPCOMCGlue.c
These files are C API/glue code files taken directly from the
VirtualBox OSE source and are needed for the C API to work as expected.

vbox_driver.h
vbox_driver.c
These files have the main logic for registering the virtualbox driver
with libvirt.

vbox_V2_2.c
The file which has version-dependent changes and includes the template
file given below for all of its functionality.

vbox_tmpl.c
The file where all the real driver implementation code exists.

There is a vbox_V*.c file (e.g. vbox_V2_2.c for V2.2) for each major
VirtualBox version, which does some preprocessor magic and includes
the template file (vbox_tmpl.c) for the functionality it offers.