[PATCH 11/14] qga: mark guest-file-* commands with 'unrestricted' flag

Daniel P. Berrangé posted 14 patches 5 months, 3 weeks ago
[PATCH 11/14] qga: mark guest-file-* commands with 'unrestricted' flag
Posted by Daniel P. Berrangé 5 months, 3 weeks ago
This blocks use of all the 'guest-file-*' commands unless the QGA is run
with the --unrestricted command line argument.

These commands allow the host admin to read and write arbitrary guest
files and so directly compromise the guest OS.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 qga/qapi-schema.json | 48 ++++++++++++++++++++++++++++++++++++++------
 1 file changed, 42 insertions(+), 6 deletions(-)

diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
index de7c1de0b7..2f80d89536 100644
--- a/qga/qapi-schema.json
+++ b/qga/qapi-schema.json
@@ -283,11 +283,17 @@
 #
 # Returns: Guest file handle
 #
+# Features:
+#
+# @unrestricted: not permitted if agent disables unrestricted
+#                resource access mode
+#
 # Since: 0.15.0
 ##
 { 'command': 'guest-file-open',
   'data':    { 'path': 'str', '*mode': 'str' },
-  'returns': 'int' }
+  'returns': 'int',
+  'features': [ 'unrestricted' ] }
 
 ##
 # @guest-file-close:
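Review bot: The added feature text `not permitted if agent disables unrestricted resource access mode` reads as if unrestricted mode were on by default and had to be switched off, whereas the commit message says these commands are blocked unless the agent is started with `--unrestricted`. Stating the default directly would help anyone auditing which commands a hardened agent still accepts, for example `# @unrestricted: only permitted when the agent is run with --unrestricted` followed by `#                (gives the host arbitrary guest file access)`. The same wording is repeated in the hunks for guest-file-close, guest-file-read, guest-file-write, guest-file-seek and guest-file-flush, so one rewording applies to all six. The enforcement code is not part of this patch, so it cannot be confirmed from here whether a restricted agent also reports these commands as disabled to clients.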
@@ -296,10 +302,16 @@
 #
 # @handle: filehandle returned by guest-file-open
 #
+# Features:
+#
+# @unrestricted: not permitted if agent disables unrestricted
+#                resource access mode
+#
 # Since: 0.15.0
 ##
 { 'command': 'guest-file-close',
-  'data': { 'handle': 'int' } }
+  'data': { 'handle': 'int' },
+  'features': [ 'unrestricted' ] }
 
 ##
 # @GuestFileRead:
@@ -332,11 +344,17 @@
 #
 # Returns: @GuestFileRead
 #
+# Features:
+#
+# @unrestricted: not permitted if agent disables unrestricted
+#                resource access mode
+#
 # Since: 0.15.0
 ##
 { 'command': 'guest-file-read',
   'data':    { 'handle': 'int', '*count': 'int' },
-  'returns': 'GuestFileRead' }
+  'returns': 'GuestFileRead',
+  'features': [ 'unrestricted' ] }
 
 ##
 # @GuestFileWrite:
@@ -367,11 +385,17 @@
 #
 # Returns: @GuestFileWrite
 #
+# Features:
+#
+# @unrestricted: not permitted if agent disables unrestricted
+#                resource access mode
+#
 # Since: 0.15.0
 ##
 { 'command': 'guest-file-write',
   'data':    { 'handle': 'int', 'buf-b64': 'str', '*count': 'int' },
-  'returns': 'GuestFileWrite' }
+  'returns': 'GuestFileWrite',
+  'features': [ 'unrestricted' ] }
 
 
 ##
@@ -434,12 +458,18 @@
 #
 # Returns: @GuestFileSeek
 #
+# Features:
+#
+# @unrestricted: not permitted if agent disables unrestricted
+#                resource access mode
+#
 # Since: 0.15.0
 ##
 { 'command': 'guest-file-seek',
   'data':    { 'handle': 'int', 'offset': 'int',
                'whence': 'GuestFileWhence' },
-  'returns': 'GuestFileSeek' }
+  'returns': 'GuestFileSeek',
+  'features': [ 'unrestricted' ] }
 
 ##
 # @guest-file-flush:
@@ -448,10 +478,16 @@
 #
 # @handle: filehandle returned by guest-file-open
 #
+# Features:
+#
+# @unrestricted: not permitted if agent disables unrestricted
+#                resource access mode
+#
 # Since: 0.15.0
 ##
 { 'command': 'guest-file-flush',
-  'data': { 'handle': 'int' } }
+  'data': { 'handle': 'int' },
+  'features': [ 'unrestricted' ] }
 
 ##
 # @GuestFsfreezeStatus:
-- 
2.45.1