xapi_vm: Implement RBAC checking for keys in VM.other_config and VM.platform#7039
xapi_vm: Implement RBAC checking for keys in VM.other_config and VM.platform#7039robhoes merged 3 commits intoxapi-project:masterfrom
VM.other_config and VM.platform#7039Conversation
|
Best reviewed outside of Github, with colorMoved set to distinguish new lines from moved lines. |
|
Looks good to me. It'd be nice to get an "all clear" on the XenRT suites from Citrix. |
|
my unit test isn't testing exactly what it claims to (it created a role without any permissions at all, not vm-admin). it seems much more complicated to test something related to external auth in unit tests than I'd imagined, plugins are required in particular: So I've dropped the unit test |
|
This introduces a mechanism to match keys against permissions. Would it make sense to subject all keys to a role and some keys to more specific roles? For example, we could have a permission for |
This is already the case, though in a less obvious way. field gets default permissions from its object, thus for vm, and then special keys have particular permissions: These definitions are quite far away from each other in source code and are not obvious... |
|
I've verified this fixes the issue manually |
|
Could/should we include the wildcard |
We could, code already supports it, not sure if we should |
|
I think such an entry would add clarity; or have a comment that tells where the default role is coming from if the key does not match. |
map_keys_roles parameter was RBAC checked for
{add_to,remove_from}_other_config, but set_other_config allowed
circumventing this check.
Since VM is the only object that has a key ("pci") in other_config
with the privilege level required for modification higher than that of the
other_config field generally, this meant that vm-admin could not modify the
"pci" key in other_config through add_to_other_config, but could circumvent the
check with set_other_config.
Implement a checker for VM.other_config setters based on Task's manual RBAC
checker (introduced in a3f2c6e)
This is part of XSA-489 / CVE-2026-23562
Signed-off-by: Andrii Sultanov <andriy.sultanov@vates.tech>
|
Added another commit that a fixes a similar issue for |
last-genius
changed the title
set_other_configVM.other_config and VM.platform
platform:hvm_serial and other_config:hvm_serial are both keys that allow host filesystem write. Limit these to be modifiable only by pool-admin. Implement set_platform with Helpers.set_map_with_rbac, like for set_other_config. This is part of XSA-489 / CVE-2026-42486 Signed-off-by: Andrii Sultanov <andriy.sultanov@vates.tech>
The only difference in the schematest comes from changing the type of the
other_config and platform fields from RW to StaticRO, which is necessary to
provide custom implementations of setters.
With a modified schematest, the diff is:
< "qualifier": "RW",
---
> "qualifier": "StaticRO",
Signed-off-by: Andrii Sultanov <andriy.sultanov@vates.tech>
contificate
left a comment
contificate
left a comment
There was a problem hiding this comment.
Looks good to me, I'm glad the old matching logic for when this was done for task was helpful.
|
Is there room to factor out the trie implementation because |
I've moved the trie implementation from |
|
There are 21 usage and mentioned in the XenServer customer docs about 'other_config |
6 participants
Add per-key RBAC checking for
VM.platformandVM.other_config, to cover a case where a lower-prileged user could circumvent permission checks onother_config:{pci,hvm_serial}andplatform:hvm_serial.Introduces a generic per-key RBAC checker for map setters based on Task's manual RBAC checker (introduced in a3f2c6e). Uses it for the fields above.
This is part of XSA-489 / CVE-2026-23562 and CVE-2026-42486