From a0e5e40501a6ab608f85af878f6af9d52e5db0c7 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange" <berrange@redhat.com>
Date: Thu, 3 Oct 2013 16:37:57 +0100
Subject: [PATCH] Fix perms for virConnectDomainXML{To,From}Native
 (CVE-2013-4401)

The virConnectDomainXMLToNative API should require 'connect:write'
not 'connect:read', since it will trigger execution of the QEMU
binaries listed in the XML.

Also make virConnectDomainXMLFromNative API require a full
read-write connection and 'connect:write' permission. Although the
current impl doesn't trigger execution of QEMU, we should not
rely on that impl detail from an API permissioning POV.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
(cherry picked from commit 57687fd6bf7f6e1b3662c52f3f26c06ab19dc96c)
---
 src/libvirt.c                | 4 ++++
 src/remote/remote_protocol.x | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/libvirt.c b/src/libvirt.c
index bc1694a4cc..982b0be1ca 100644
--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -4456,6 +4456,10 @@ char *virConnectDomainXMLFromNative(virConnectPtr conn,
         virDispatchError(NULL);
         return NULL;
     }
+    if (conn->flags & VIR_CONNECT_RO) {
+        virLibDomainError(VIR_ERR_OPERATION_DENIED, __FUNCTION__);
+        goto error;
+    }
 
     virCheckNonNullArgGoto(nativeFormat, error);
     virCheckNonNullArgGoto(nativeConfig, error);
diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index cb4fb8f440..8a84424347 100644
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -3788,13 +3788,13 @@ enum remote_procedure {
 
     /**
      * @generate: both
-     * @acl: connect:read
+     * @acl: connect:write
      */
     REMOTE_PROC_CONNECT_DOMAIN_XML_FROM_NATIVE = 135,
 
     /**
      * @generate: both
-     * @acl: connect:read
+     * @acl: connect:write
      */
     REMOTE_PROC_CONNECT_DOMAIN_XML_TO_NATIVE = 136,
 
-- 
2.47.3