libvirt/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch

From 9eb2b573253626c8c9329140d4ce2043863e417b Mon Sep 17 00:00:00 2001
Message-Id: <9eb2b573253626c8c9329140d4ce2043863e417b.1355686333.git.crobinso@redhat.com>
From: Laine Stump <laine@laine.org>
Date: Thu, 13 Dec 2012 01:46:40 -0500
Subject: [PATCH] network: prevent dnsmasq from listening on localhost

This patch resolves the problem reported in:

   https://bugzilla.redhat.com/show_bug.cgi?id=886663

The source of the problem was the fix for CVE 2011-3411:

   https://bugzilla.redhat.com/show_bug.cgi?id=833033

which was originally committed upstream in commit
753ff83a50263d6975f88d6605d4b5ddfcc97560. That commit improperly
removed the "--except-interface lo" from dnsmasq commandlines when
--bind-dynamic was used (based on comments in the latter bug).

It turns out that the problem reported in the CVE could be eliminated
without removing "--except-interface lo", and removing it actually
caused each instance of dnsmasq to listen on localhost on port 53,
which created a new problem:

If another instance of dnsmasq using "bind-interfaces" (instead of
"bind-dynamic") had already been started (or if another instance
started later used "bind-dynamic"), this wouldn't have any immediately
visible ill effects, but if you tried to start another dnsmasq
instance using "bind-interfaces" *after* starting any libvirt
networks, the new dnsmasq would fail to start, because there was
already another process listening on port 53.

This patch changes the network driver to *always* add
"except-interface=lo" to dnsmasq conf files, regardless of whether we use
bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
are listening on localhost (and the CVE is still fixed).

The actual code change is miniscule, but must be propogated through all
of the test files as well.

(This is *not* a cherry-pick of the upstream commit that fixes the bug
(commit d66eb7866757dd371560c288dc6201fb9348792a), because subsequent
to the CVE fix, another patch changed the network driver to put
dnsmasq options in a conf file rather than directly on the dnsmasq
commandline preserving the same options), so a cherry-pick is just one
very large conflict.)

diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 8010797..6053770 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -510,6 +510,9 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
     /* *no* conf file */
     virCommandAddArg(cmd, "--conf-file=");
 
+    /* dnsmasq will *always* listen on localhost unless told otherwise */
+    virCommandAddArgList(cmd, "--except-interface", "lo", NULL);
+
     if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
         /* using --bind-dynamic with only --interface (no
          * --listen-address) prevents dnsmasq from responding to dns
@@ -523,10 +526,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
                              "--interface", network->def->bridge,
                              NULL);
     } else {
-        virCommandAddArgList(cmd,
-                             "--bind-interfaces",
-                             "--except-interface", "lo",
-                             NULL);
+        virCommandAddArg(cmd, "--bind-interfaces");
         /*
          * --interface does not actually work with dnsmasq < 2.47,
          * due to DAD for ipv6 addresses on the interface.
diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv
index d629192..d91c730 100644
--- a/tests/networkxml2argvdata/isolated-network.argv
+++ b/tests/networkxml2argvdata/isolated-network.argv
@@ -1,6 +1,6 @@
 @DNSMASQ@ --strict-order \
 --local=// --domain-needed --conf-file= \
---bind-interfaces --except-interface lo \
+--except-interface lo --bind-interfaces \
 --listen-address 192.168.152.1 \
 --dhcp-option=3 --no-resolv \
 --dhcp-range 192.168.152.2,192.168.152.254 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-hosts.argv b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
index e5143ac..431e987 100644
--- a/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
@@ -1,5 +1,5 @@
 @DNSMASQ@ --strict-order --domain=example.com \
 --local=/example.com/ --domain-needed \
 --conf-file= \
---bind-dynamic --interface virbr0 \
+--except-interface lo --bind-dynamic --interface virbr0 \
 --expand-hosts --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
index c38b954..9c26f32 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
@@ -1,7 +1,7 @@
 @DNSMASQ@ \
 --strict-order \
 --local=// --domain-needed --conf-file= \
---bind-interfaces --except-interface lo \
+--except-interface lo --bind-interfaces \
 --listen-address 192.168.122.1 \
 --listen-address 192.168.123.1 \
 --listen-address fc00:db8:ac10:fe01::1 \
diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
index 311b0d7..ff9c223 100644
--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
@@ -1,7 +1,7 @@
 @DNSMASQ@ \
 --strict-order \
 --local=// --domain-needed --conf-file= \
---bind-dynamic --interface virbr0 \
+--except-interface lo --bind-dynamic --interface virbr0 \
 --srv-host=name.tcp.test-domain-name,.,1024,10,10 \
 --dhcp-range 192.168.122.2,192.168.122.254 \
 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
index cbdf50d..2b133ff 100644
--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
@@ -1,6 +1,6 @@
 @DNSMASQ@ --strict-order \
 --local=// --domain-needed --conf-file= \
---bind-dynamic --interface virbr0 \
+--except-interface lo --bind-dynamic --interface virbr0 \
 --txt-record=example,example value \
 --dhcp-range 192.168.122.2,192.168.122.254 \
 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv
index 967ca94..1a771d0 100644
--- a/tests/networkxml2argvdata/nat-network.argv
+++ b/tests/networkxml2argvdata/nat-network.argv
@@ -1,6 +1,6 @@
 @DNSMASQ@ --strict-order \
 --local=// --domain-needed --conf-file= \
---bind-dynamic --interface virbr0 \
+--except-interface lo --bind-dynamic --interface virbr0 \
 --dhcp-range 192.168.122.2,192.168.122.254 \
 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
 --dhcp-lease-max=253 --dhcp-no-override \
diff --git a/tests/networkxml2argvdata/netboot-network.argv b/tests/networkxml2argvdata/netboot-network.argv
index bcd6fad..9f8d114 100644
--- a/tests/networkxml2argvdata/netboot-network.argv
+++ b/tests/networkxml2argvdata/netboot-network.argv
@@ -1,6 +1,6 @@
 @DNSMASQ@ --strict-order --domain=example.com \
 --local=/example.com/ --domain-needed --conf-file= \
---bind-interfaces --except-interface lo --listen-address 192.168.122.1 \
+--except-interface lo --bind-interfaces --listen-address 192.168.122.1 \
 --dhcp-range 192.168.122.2,192.168.122.254 \
 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
 --dhcp-lease-max=253 --dhcp-no-override --expand-hosts --enable-tftp \
diff --git a/tests/networkxml2argvdata/netboot-proxy-network.argv b/tests/networkxml2argvdata/netboot-proxy-network.argv
index 8c5ef9b..90a31e2 100644
--- a/tests/networkxml2argvdata/netboot-proxy-network.argv
+++ b/tests/networkxml2argvdata/netboot-proxy-network.argv
@@ -1,6 +1,6 @@
 @DNSMASQ@ --strict-order --domain=example.com \
 --local=/example.com/ --domain-needed --conf-file= \
---bind-interfaces --except-interface lo \
+--except-interface lo --bind-interfaces \
 --listen-address 192.168.122.1 \
 --dhcp-range 192.168.122.2,192.168.122.254 \
 --dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
diff --git a/tests/networkxml2argvdata/routed-network.argv b/tests/networkxml2argvdata/routed-network.argv
index eacdf2d..862013e 100644
--- a/tests/networkxml2argvdata/routed-network.argv
+++ b/tests/networkxml2argvdata/routed-network.argv
@@ -1,3 +1,3 @@
 @DNSMASQ@ --strict-order \
 --local=// --domain-needed --conf-file= \
---bind-dynamic --interface virbr1\
+--except-interface lo --bind-dynamic --interface virbr1\
-- 
1.8.0.2