From: VMware, Inc <>
Date: Thu, 2 Aug 2012 05:21:29 +0000 (-0700)
Subject: VMCI: Restrict access to VMCI_RPC_PRIVILEGED
X-Git-Tag: 2012.10.14-874563~97
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=afda9c9ca50880ff292cef8c57a88f72a0cd95da;p=thirdparty%2Fopen-vm-tools.git

VMCI: Restrict access to VMCI_RPC_PRIVILEGED

As a temporary hack, we had opened up access to the privileged RPC
handler to all users.  This fix locks it down again: on Linux, only
the superuser can access it, while on other platforms, it is denied
completely (until we add seq packet support to the common code).

Signed-off-by: Dmitry Torokhov <dtor@vmware.com>
---

diff --git a/open-vm-tools/modules/linux/vsock/linux/af_vsock.c b/open-vm-tools/modules/linux/vsock/linux/af_vsock.c
index d425330db..1032e3e1e 100644
--- a/open-vm-tools/modules/linux/vsock/linux/af_vsock.c
+++ b/open-vm-tools/modules/linux/vsock/linux/af_vsock.c
@@ -3888,9 +3888,15 @@ VSockVmciSeqConnect(struct socket *sock,   // IN
       goto out;
    }
 
-   if (!VSockAddr_SocketContextDgram(remoteAddr->svm_cid,
-                                     remoteAddr->svm_port)) {
-      err = -EINVAL;
+   /*
+    * No need to call SocketContextDgram() here, we already do specific checks
+    * on the context and port above.  All we have to do here is ensure that
+    * only the superuser gets access to the privileged RPC handler.
+    */
+
+   if (VMCI_RPC_PRIVILEGED == remoteAddr->svm_port &&
+       !capable(CAP_SYS_ADMIN)) {
+      err = -EACCES;
       goto out;
    }
 
diff --git a/open-vm-tools/modules/linux/vsock/linux/vsockAddr.c b/open-vm-tools/modules/linux/vsock/linux/vsockAddr.c
index c3c2abd7d..6d7e09021 100644
--- a/open-vm-tools/modules/linux/vsock/linux/vsockAddr.c
+++ b/open-vm-tools/modules/linux/vsock/linux/vsockAddr.c
@@ -448,14 +448,9 @@ VSockAddr_SocketContextDgram(uint32 cid,  // IN
    if (cid == VMCI_HYPERVISOR_CONTEXT_ID) {
       /*
        * Registrations of PBRPC Servers do not modify VMX/Hypervisor state and
-       * are allowed.  We also allow messages on the two RPC channels.
-       *
-       * XXX, we should disallow messages to the privileged channel for
-       * sockets that are not owned by admin/root.  See PR 794652.
+       * are allowed.
        */
-      if (rid == VMCI_UNITY_PBRPC_REGISTER ||
-          rid == VMCI_RPC_PRIVILEGED ||
-          rid == VMCI_RPC_UNPRIVILEGED) {
+      if (rid == VMCI_UNITY_PBRPC_REGISTER) {
          return TRUE;
       } else {
          return FALSE;