Don't allow renaming of domains by the backdoor

Several APIs allow for custom XML to be passed in. This is
checked for ABI stability, which will ensure the UUID is
not being changed. There isn't validation that the name
did not change though. This could allow renaming of guests
via the backdoor, which in turn could allow for bypassing
access control restrictions based on names.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/conf/domain_conf.c b/src/conf/domain_conf.c
index 59badf86994ddfe33a05c29d3b56f9aa965cff14..e90d5854f9ce82b156215555b6bd2d572ff5493f 100644 (file)
--- a/src/conf/domain_conf.c
+++ b/src/conf/domain_conf.c
@@ -12558,6 +12558,17 @@ virDomainDefCheckABIStability(virDomainDefPtr src,
         return false;
     }
 
+    /* Not strictly ABI related, but we want to make sure domains
+     * don't get silently re-named through the backdoor when passing
+     * custom XML into various APIs, since this would create havoc
+     */
+    if (STRNEQ(src->name, dst->name)) {
+        virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
+                       _("Target domain name '%s' does not match source '%s'"),
+                       dst->name, src->name);
+        return false;
+    }
+
     if (src->mem.max_balloon != dst->mem.max_balloon) {
         virReportError(VIR_ERR_CONFIG_UNSUPPORTED,
                        _("Target domain max memory %lld does not match source %lld"),

diff --git a/src/qemu/qemu_migration.c b/src/qemu/qemu_migration.c
index 8ed94731b4012dae479ec5fcf85992c73ded940c..db7c4f8580b3691642da720c6d30a80b4af42f84 100644 (file)
--- a/src/qemu/qemu_migration.c
+++ b/src/qemu/qemu_migration.c
@@ -1940,12 +1940,6 @@ char *qemuMigrationBegin(virQEMUDriverPtr driver,
                                             VIR_DOMAIN_XML_INACTIVE)))
             goto cleanup;
 
-        if (STRNEQ(def->name, vm->def->name)) {
-            virReportError(VIR_ERR_INVALID_ARG, "%s",
-                           _("target domain name doesn't match source name"));
-            goto cleanup;
-        }
-
         if (!virDomainDefCheckABIStability(vm->def, def))
             goto cleanup;