locking: restrict sockets to mode 0600

The virtlockd daemon's only intended client is the libvirtd daemon. As
such it should never allow clients from other user accounts to connect.
The code already enforces this and drops clients from other UIDs, but
we can get earlier (and thus stronger) protection against DoS by setting
the socket permissions to 0600

Fixes CVE-2019-10132

Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
(cherry picked from commit f111e09468693909b1f067aa575efdafd9a262a1)

diff --git a/src/locking/virtlockd-admin.socket.in b/src/locking/virtlockd-admin.socket.in
index 2a7500f3d00782a2ae6372286a0a64ac4f84a586..f674c492f76a4edde786a28ca681682fb17505d5 100644 (file)
--- a/src/locking/virtlockd-admin.socket.in
+++ b/src/locking/virtlockd-admin.socket.in
@@ -5,6 +5,7 @@ Before=libvirtd.service
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlockd-admin-sock
 Service=virtlockd.service
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target

diff --git a/src/locking/virtlockd.socket.in b/src/locking/virtlockd.socket.in
index 45e0f202353b48b9185b7b68a132cab17b70e43d..d701b27516a279ef4c031fcdbf17a450bdabb45a 100644 (file)
--- a/src/locking/virtlockd.socket.in
+++ b/src/locking/virtlockd.socket.in
@@ -4,6 +4,7 @@ Before=libvirtd.service
 
 [Socket]
 ListenStream=@localstatedir@/run/libvirt/virtlockd-sock
+SocketMode=0600
 
 [Install]
 WantedBy=sockets.target