CVE-2020-14339
When building domain's private /dev in a namespace, libdevmapper
is consulted for getting full dependency tree of domain's disks.
The reason is that for a multipath devices all dependent devices
must be created in the namespace and allowed in CGroups.
However, this approach is very fragile as building of namespace
happens in the forked off child process, after mass close of FDs
and just before dropping privileges and execing QEMU. And it so
happens that when calling libdevmapper APIs, one of them opens
/dev/mapper/control and saves the FD into a global variable. The
FD is kept open until the lib is unlinked or dm_lib_release() is
called explicitly. We are doing neither.
However, the virDevMapperGetTargets() function is called also
from libvirtd (when setting up CGroups) and thus has to be thread
safe. Unfortunately, libdevmapper APIs are not thread safe (nor
async signal safe) and thus we can't use them. Reimplement what
libdevmapper would do using plain C (ioctl()-s, /proc/devices
parsing, /dev/mapper dirwalking, and so on).
Fixes: a30078cb832646177defd256e77c632905f1e6d0
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1858260
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
cherry-pick from commit 22494556542c676d1b9e7f1c1f2ea13ac17e1e3e
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
CVE-2020-14339
When introducing virdevmapper.c (in v4.3.0-rc1~427) I didn't
realize there is a function that calls in devmapper. The function
is called virIsDevMapperDevice() and lives in virutil.c. Now that
we have a special file for handling devmapper move it there.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
cherry-pick from commit dfa0e118f745fe3f4fe95975c6100f0fc6d788be
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
Because current firewalld version is too old(< 0.7.0) to support
the rule priority setting in the libvirt zone file, so we should
add --without-firewalld-zone to configure commandline.
More info can be found in the following link:
https://github.com/libvirt/libvirt/commit/3b71f2e4.
Signed-off-by: Alex Chen <alex.chen@huawei.com>
rpc: gendispatch: handle empty flags
rpc: add support for filtering @acls by uint params
rpc: require write acl for guest agent in virDomainInterfaceAddresses
qemu: agent: set ifname to NULL after freeing
Signed-off-by: Jan Tomko <jtomko@redhat.com>
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
CVE-2020-25637
Add a requirement for domain:write if source is set to
VIR_DOMAIN_INTERFACE_ADDRESSES_SRC_AGENT.
Signed-off-by: Jan Tomko <jtomko@redhat.com>
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
cherry-pick from commit e4116eaa44cb366b59f7fe98f4b88d04c04970ad
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
CVE-2020-25637
Add a new field to @acl annotations for filtering by
unsigned int parameters.
Signed-off-by: Jan Tomko <jtomko@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
cherry-pick from commit 50864dcda191eb35732dbd80fb6ca251a6bba923
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
CVE-2020-25637
Prepare for omission of the <flagname> in remote_protocol.x
@acl annotations:
@acl: <object>:<permission>:<flagname>
so that we can add more field after, e.g.:
@acl: <object>:<permission>::<field>
Signed-off-by: Jan Tomko <jtomko@redhat.com>
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
cherry-pick from commit 955029bd0ad7ef96000f529ac38204a8f4a96401
Signed-off-by: Jiajie Li <lijiajie11@huawei.com>
