Bug 1186270 - AUDIT-0: libvirt: new polkit permissions for node device delete
Status: RESOLVED FIXED
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Assignee: Security Team bot
QA Contact: E-mail List
 
Reported: 2021-05-19 22:57 UTC by James Fehlig
Modified: 2024-03-13 09:21 UTC

Description James Fehlig 2021-05-19 22:57:17 UTC
libvirt 7.3.0 gets a new polkit permission for the node device object via commit bb311cede79, which causes the following lint failure:

libvirt-daemon.x86_64: E: polkit-untracked-privilege (Badness: 10) org.libvirt.api.node-device.delete (no:no:no)

Hopefully non-controversial to whitelist with the 'no:no:no' perms. Error can be seen here:

https://build.opensuse.org/build/Virtualization/openSUSE_Factory/x86_64/libvirt/_log

First noticed by dimstar in this request:

https://build.opensuse.org/request/show/894106
Comment 1 Matthias Gerstner 2021-05-20 07:53:49 UTC
What libvirt is doing there with its privilege escalation framework is really
strange. Overly complex, sadly.

I will have a quick look and whitelist it if nothing out of the ordinary is to
be found.
Comment 2 Matthias Gerstner 2021-05-20 13:27:24 UTC
It is ridiculously hard to find where polkit actions are checked in libvirt.
Every time, even though I already documented a couple of hints. Anyway the
upstream commit that introduced this is bb311cede79 [1].

The actual check infrastructure for "NodeDevice" is reused and is found in
virAccessManagerCheckNodeDevice().

What makes things even more confusing is that the action is called
"node-device.delete" while in the code it is called "NodeDeviceUndefine()".

So much for documenting the change. Long story short: Should be fine
security-wise, I will whitelist it.

[1]: https://libvirt.org/git/?p=libvirt.git;a=commit;h=bb311cede795213f02938f68aaa5504548eccafd
Comment 3 James Fehlig 2021-05-21 05:23:50 UTC
(In reply to Matthias Gerstner from comment #2)
> It is ridiculously hard to find where polkit actions are checked in libvirt.

Agreed. Luckily you don't have to touch other overly-engineered libvirt code :-). Sometimes I think RH folks have too much free time on their hands...

> Anyway the
> upstream commit that introduced this is bb311cede79

Nod. I mentioned that commit in #0.
Comment 4 Matthias Gerstner 2021-05-21 07:21:22 UTC
(In reply to jfehlig@suse.com from comment #3)
> > Anyway the
> > upstream commit that introduced this is bb311cede79
> 
> Nod. I mentioned that commit in #0.

Indeed. Should read my bugs more carefully ;-).

The whitelisting is already in our devel project but I want to wait a bit
before submitting to Factory to avoid interrupting an ongoing Staging project
for whitelistings we already submitted a couple of days ago.
Comment 5 OBSbugzilla Bot 2021-05-25 08:40:03 UTC
This is an autogenerated message for OBS integration:
This bug (1186270) was mentioned in
https://build.opensuse.org/request/show/895291 Factory / polkit-default-privs
Comment 6 Matthias Gerstner 2021-05-26 08:48:21 UTC
The whitelisting is on its way. Closing this bug as FIXED.