virlog: determine the hostname on startup CVE-2018-6764

At later point it might not be possible or even safe to use getaddrinfo(). It
can in turn result in a load of NSS module.

Notably, on a LXC container startup we may find ourselves with the guest
filesystem already having replaced the host one. Loading a NSS module
from the guest tree would allow a malicous guest to escape the
confinement of its container environment because libvirt will not yet
have locked it down.

Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
(cherry picked from commit 759b4d1b0fe5f4d84d98b99153dfa7ac289dd167)

diff --git a/src/util/virlog.c b/src/util/virlog.c
index d45a451a75bf314308f8c4685b3b9aa9fd5eed85..05e0e199eee6dbeff7672d8442b36c4f773d9ead 100644 (file)
--- a/src/util/virlog.c
+++ b/src/util/virlog.c
@@ -64,6 +64,7 @@
 VIR_LOG_INIT("util.log");
 
 static regex_t *virLogRegex;
+static char *virLogHostname;
 
 
 #define VIR_LOG_DATE_REGEX "[0-9]{4}-[0-9]{2}-[0-9]{2}"
@@ -271,6 +272,12 @@ virLogOnceInit(void)
             VIR_FREE(virLogRegex);
     }
 
+    /* We get and remember the hostname early, because at later time
+     * it might not be possible to load NSS modules via getaddrinfo()
+     * (e.g. at container startup the host filesystem will not be
+     * accessible anymore. */
+    virLogHostname = virGetHostnameQuiet();
+
     virLogUnlock();
     return 0;
 }
@@ -466,17 +473,14 @@ static int
 virLogHostnameString(char **rawmsg,
                      char **msg)
 {
-    char *hostname = virGetHostnameQuiet();
     char *hoststr;
 
-    if (!hostname)
+    if (!virLogHostname)
         return -1;
 
-    if (virAsprintfQuiet(&hoststr, "hostname: %s", hostname) < 0) {
-        VIR_FREE(hostname);
+    if (virAsprintfQuiet(&hoststr, "hostname: %s", virLogHostname) < 0) {
         return -1;
     }
-    VIR_FREE(hostname);
 
     if (virLogFormatString(msg, 0, NULL, VIR_LOG_INFO, hoststr) < 0) {
         VIR_FREE(hoststr);