]> xenbits.xensource.com Git - libvirt.git/commitdiff
projects / libvirt.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f111e09)
logging: restrict sockets to mode 0600
authorDaniel P. Berrangé <berrange@redhat.com>
Tue, 30 Apr 2019 16:27:41 +0000 (17:27 +0100)
committerDaniel P. Berrangé <berrange@redhat.com>
Tue, 21 May 2019 12:05:00 +0000 (13:05 +0100)
The virtlogd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
src/logging/virtlogd-admin.socket.in patch | blob | blame | history
src/logging/virtlogd.socket.in patch | blob | blame | history

diff --git a/src/logging/virtlogd-admin.socket.in b/src/logging/virtlogd-admin.socket.in
index 595e6c4c4bd27b18b835d178e21e135c92a57c82..5c41dfeb7b4e6265bc2b65793dc70b6b0d130a62 100644 (file)
--- a/src/logging/virtlogd-admin.socket.in
+++ b/src/logging/virtlogd-admin.socket.in
@@ -5,6 +5,7 @@ Before=libvirtd.service
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlogd-admin-sock
 Service=virtlogd.service
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target
diff --git a/src/logging/virtlogd.socket.in b/src/logging/virtlogd.socket.in
index 22b9360c8dcf5f336fd1deee2a43098ded1bceea..ae48cdab9aed119f0a2d6959b0f7581513e8088d 100644 (file)
--- a/src/logging/virtlogd.socket.in
+++ b/src/logging/virtlogd.socket.in
@@ -4,6 +4,7 @@ Before=libvirtd.service
 
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlogd-sock
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target
Unnamed repository; edit this file 'description' to name the repository.