CVE-2019-10132: Fix vir{lock,log}d socket access
All patches were cherry-picked from upstream's v5.0-maint branch.
Closes: #929334
Guido Günther
4 years ago
+53
-0
0 | From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com> | |
1 | Date: Tue, 30 Apr 2019 17:26:13 +0100 | |
2 | Subject: admin: reject clients unless their UID matches the current UID | |
3 | MIME-Version: 1.0 | |
4 | Content-Type: text/plain; charset="utf-8" | |
5 | Content-Transfer-Encoding: 8bit | |
6 | ||
7 | The admin protocol RPC messages are only intended for use by the user | |
8 | running the daemon. As such they should not be allowed for any client | |
9 | UID that does not match the server UID. | |
10 | ||
11 | Fixes CVE-2019-10132 | |
12 | ||
13 | Reviewed-by: Ján Tomko <jtomko@redhat.com> | |
14 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | |
15 | (cherry picked from commit 96f41cd765c9e525fe28ee5abbfbf4a79b3720c7) | |
16 | --- | |
17 | src/admin/admin_server_dispatch.c | 22 ++++++++++++++++++++++ | |
18 | 1 file changed, 22 insertions(+) | |
19 | ||
20 | diff --git a/src/admin/admin_server_dispatch.c b/src/admin/admin_server_dispatch.c | |
21 | index 85e693d..6e3b99f 100644 | |
22 | --- a/src/admin/admin_server_dispatch.c | |
23 | +++ b/src/admin/admin_server_dispatch.c | |
24 | @@ -64,6 +64,28 @@ remoteAdmClientNew(virNetServerClientPtr client ATTRIBUTE_UNUSED, | |
25 | void *opaque) | |
26 | { | |
27 | struct daemonAdmClientPrivate *priv; | |
28 | + uid_t clientuid; | |
29 | + gid_t clientgid; | |
30 | + pid_t clientpid; | |
31 | + unsigned long long timestamp; | |
32 | + | |
33 | + if (virNetServerClientGetUNIXIdentity(client, | |
34 | + &clientuid, | |
35 | + &clientgid, | |
36 | + &clientpid, | |
37 | + ×tamp) < 0) | |
38 | + return NULL; | |
39 | + | |
40 | + VIR_DEBUG("New client pid %lld uid %lld", | |
41 | + (long long)clientpid, | |
42 | + (long long)clientuid); | |
43 | + | |
44 | + if (geteuid() != clientuid) { | |
45 | + virReportRestrictedError(_("Disallowing client %lld with uid %lld"), | |
46 | + (long long)clientpid, | |
47 | + (long long)clientuid); | |
48 | + return NULL; | |
49 | + } | |
50 | ||
51 | if (VIR_ALLOC(priv) < 0) | |
52 | return NULL; |
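Review bot: The `client` parameter is now passed to `virNetServerClientGetUNIXIdentity()`, yet the signature quoted in the hunk header still marks it `ATTRIBUTE_UNUSED`; the annotation is stale and should be dropped so the declaration reads `remoteAdmClientNew(virNetServerClientPtr client,`. The signature sits above the hunk and the function body continues below it, so this would be a follow-up edit outside the lines shown. The `geteuid() != clientuid` check would also benefit from a short comment stating the policy, for example `/* Admin RPC is reserved for the user running the daemon; reject any other peer UID even if the socket mode would admit it. */`. The fifth argument renders here as `×tamp`, which looks like an HTML-entity artifact of `&timestamp` on this page rather than something in the patch itself.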
0 | From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com> | |
1 | Date: Tue, 30 Apr 2019 16:51:37 +0100 | |
2 | Subject: locking: restrict sockets to mode 0600 | |
3 | MIME-Version: 1.0 | |
4 | Content-Type: text/plain; charset="utf-8" | |
5 | Content-Transfer-Encoding: 8bit | |
6 | ||
7 | The virtlockd daemon's only intended client is the libvirtd daemon. As | |
8 | such it should never allow clients from other user accounts to connect. | |
9 | The code already enforces this and drops clients from other UIDs, but | |
10 | we can get earlier (and thus stronger) protection against DoS by setting | |
11 | the socket permissions to 0600 | |
12 | ||
13 | Fixes CVE-2019-10132 | |
14 | ||
15 | Reviewed-by: Ján Tomko <jtomko@redhat.com> | |
16 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | |
17 | (cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1) | |
18 | --- | |
19 | src/locking/virtlockd-admin.socket.in | 1 + | |
20 | src/locking/virtlockd.socket.in | 1 + | |
21 | 2 files changed, 2 insertions(+) | |
22 | ||
23 | diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in | |
24 | index 2a7500f..f674c49 100644 | |
25 | --- a/src/locking/virtlockd-admin.socket.in | |
26 | +++ b/src/locking/virtlockd-admin.socket.in | |
27 | @@ -5,6 +5,7 @@ Before=libvirtd.service | |
28 | [Socket] | |
29 | ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock | |
30 | Service=virtlockd.service | |
31 | +SocketMode=0600 | |
32 | ||
33 | [Install] | |
34 | WantedBy=sockets.target | |
35 | diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in | |
36 | index 45e0f20..d701b27 100644 | |
37 | --- a/src/locking/virtlockd.socket.in | |
38 | +++ b/src/locking/virtlockd.socket.in | |
39 | @@ -4,6 +4,7 @@ Before=libvirtd.service | |
40 | ||
41 | [Socket] | |
42 | ListenStream=@localstatedir@/run/libvirt/virtlockd-sock | |
43 | +SocketMode=0600 | |
44 | ||
45 | [Install] | |
46 | WantedBy=sockets.target |
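Review bot: `SocketMode=0600` only governs the socket that systemd creates when the socket unit starts, so a listening socket created before the upgrade should keep its previous mode until `virtlockd.socket` and `virtlockd-admin.socket` are restarted; whether the package triggers that restart is not visible here. The same applies to the `virtlogd.socket` and `virtlogd-admin.socket` units changed in the following patch. Hosts that start the daemons without socket activation presumably get no benefit from these lines and rely on the in-daemon UID check that the description mentions. A one-line comment above the setting, such as `# Only libvirtd, running as the same user, may connect (CVE-2019-10132)`, would record why the mode must not be loosened.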
0 | From: =?utf-8?b?IkRhbmllbCBQLiBCZXJyYW5nw6ki?= <berrange@redhat.com> | |
1 | Date: Tue, 30 Apr 2019 17:27:41 +0100 | |
2 | Subject: logging: restrict sockets to mode 0600 | |
3 | MIME-Version: 1.0 | |
4 | Content-Type: text/plain; charset="utf-8" | |
5 | Content-Transfer-Encoding: 8bit | |
6 | ||
7 | The virtlogd daemon's only intended client is the libvirtd daemon. As | |
8 | such it should never allow clients from other user accounts to connect. | |
9 | The code already enforces this and drops clients from other UIDs, but | |
10 | we can get earlier (and thus stronger) protection against DoS by setting | |
11 | the socket permissions to 0600 | |
12 | ||
13 | Fixes CVE-2019-10132 | |
14 | ||
15 | Reviewed-by: Ján Tomko <jtomko@redhat.com> | |
16 | Signed-off-by: Daniel P. Berrangé <berrange@redhat.com> | |
17 | (cherry picked from commit e37bd65f9948c1185456b2cdaa3bd6e875af680f) | |
18 | --- | |
19 | src/logging/virtlogd-admin.socket.in | 1 + | |
20 | src/logging/virtlogd.socket.in | 1 + | |
21 | 2 files changed, 2 insertions(+) | |
22 | ||
23 | diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in | |
24 | index 595e6c4..5c41dfe 100644 | |
25 | --- a/src/logging/virtlogd-admin.socket.in | |
26 | +++ b/src/logging/virtlogd-admin.socket.in | |
27 | @@ -5,6 +5,7 @@ Before=libvirtd.service | |
28 | [Socket] | |
29 | ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock | |
30 | Service=virtlogd.service | |
31 | +SocketMode=0600 | |
32 | ||
33 | [Install] | |
34 | WantedBy=sockets.target | |
35 | diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in | |
36 | index 22b9360..ae48cda 100644 | |
37 | --- a/src/logging/virtlogd.socket.in | |
38 | +++ b/src/logging/virtlogd.socket.in | |
39 | @@ -4,6 +4,7 @@ Before=libvirtd.service | |
40 | ||
41 | [Socket] | |
42 | ListenStream=@localstatedir@/run/libvirt/virtlogd-sock | |
43 | +SocketMode=0600 | |
44 | ||
45 | [Install] | |
46 | WantedBy=sockets.target |
21 | 21 | api-disallow-virDomainGetHostname-for-read-only-connectio.patch |
22 | 22 | remote-enforce-ACL-write-permission-for-getting-guest-tim.patch |
23 | 23 | cpu_map-Define-md-clear-CPUID-bit.patch |
24 | security/admin-reject-clients-unless-their-UID-matches-the-current.patch | |
25 | security/locking-restrict-sockets-to-mode-0600.patch | |
26 | security/logging-restrict-sockets-to-mode-0600.patch |