Fix conflict with NM launched dnsmasq (bz #886663)
parent
1821e087f2
commit
d4e5211296
|
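--- /dev/null
+++ b/0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
@@ -0,0 +1,182 @@
+From 9eb2b573253626c8c9329140d4ce2043863e417b Mon Sep 17 00:00:00 2001
+Message-Id: <9eb2b573253626c8c9329140d4ce2043863e417b.1355686333.git.crobinso@redhat.com>
+From: Laine Stump <laine@laine.org>
+Date: Thu, 13 Dec 2012 01:46:40 -0500
+Subject: [PATCH] network: prevent dnsmasq from listening on localhost
+
+This patch resolves the problem reported in:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=886663
+
+The source of the problem was the fix for CVE 2011-3411:
+
+https://bugzilla.redhat.com/show_bug.cgi?id=833033
+
+which was originally committed upstream in commit
+753ff83a50263d6975f88d6605d4b5ddfcc97560. That commit improperly
+removed the "--except-interface lo" from dnsmasq commandlines when
+--bind-dynamic was used (based on comments in the latter bug).
+
+It turns out that the problem reported in the CVE could be eliminated
+without removing "--except-interface lo", and removing it actually
+caused each instance of dnsmasq to listen on localhost on port 53,
+which created a new problem:
+
+If another instance of dnsmasq using "bind-interfaces" (instead of
+"bind-dynamic") had already been started (or if another instance
+started later used "bind-dynamic"), this wouldn't have any immediately
+visible ill effects, but if you tried to start another dnsmasq
+instance using "bind-interfaces" *after* starting any libvirt
+networks, the new dnsmasq would fail to start, because there was
+already another process listening on port 53.
+
+This patch changes the network driver to *always* add
+"except-interface=lo" to dnsmasq conf files, regardless of whether we use
+bind-dynamic or bind-interfaces. This way no libvirt dnsmasq instances
+are listening on localhost (and the CVE is still fixed).
+
+The actual code change is miniscule, but must be propogated through all
+of the test files as well.
+
+(This is *not* a cherry-pick of the upstream commit that fixes the bug
+(commit d66eb7866757dd371560c288dc6201fb9348792a), because subsequent
+to the CVE fix, another patch changed the network driver to put
+dnsmasq options in a conf file rather than directly on the dnsmasq
+commandline preserving the same options), so a cherry-pick is just one
+very large conflict.)
+
+diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
+index 8010797..6053770 100644
+--- a/src/network/bridge_driver.c
++++ b/src/network/bridge_driver.c
+@@ -510,6 +510,9 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
+/* *no* conf file */
+virCommandAddArg(cmd, "--conf-file=");
+
++ /* dnsmasq will *always* listen on localhost unless told otherwise */
++ virCommandAddArgList(cmd, "--except-interface", "lo", NULL);
++
+if (dnsmasqCapsGet(caps, DNSMASQ_CAPS_BIND_DYNAMIC)) {
+/* using --bind-dynamic with only --interface (no
+* --listen-address) prevents dnsmasq from responding to dns
+@@ -523,10 +526,7 @@ networkBuildDnsmasqArgv(virNetworkObjPtr network,
+"--interface", network->def->bridge,
+NULL);
+} else {
+- virCommandAddArgList(cmd,
+- "--bind-interfaces",
+- "--except-interface", "lo",
+- NULL);
++ virCommandAddArg(cmd, "--bind-interfaces");
+/*
+* --interface does not actually work with dnsmasq < 2.47,
+* due to DAD for ipv6 addresses on the interface.
+diff --git a/tests/networkxml2argvdata/isolated-network.argv b/tests/networkxml2argvdata/isolated-network.argv
+index d629192..d91c730 100644
+--- a/tests/networkxml2argvdata/isolated-network.argv
++++ b/tests/networkxml2argvdata/isolated-network.argv
+@@ -1,6 +1,6 @@
+@DNSMASQ@ --strict-order \
+--local=// --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+--listen-address 192.168.152.1 \
+--dhcp-option=3 --no-resolv \
+--dhcp-range 192.168.152.2,192.168.152.254 \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-hosts.argv b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+index e5143ac..431e987 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-hosts.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-hosts.argv
+@@ -1,5 +1,5 @@
+@DNSMASQ@ --strict-order --domain=example.com \
+--local=/example.com/ --domain-needed \
+--conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+--expand-hosts --addn-hosts=/var/lib/libvirt/dnsmasq/default.addnhosts\
+diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+index c38b954..9c26f32 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-srv-record-minimal.argv
+@@ -1,7 +1,7 @@
+@DNSMASQ@ \
+--strict-order \
+--local=// --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+--listen-address 192.168.122.1 \
+--listen-address 192.168.123.1 \
+--listen-address fc00:db8:ac10:fe01::1 \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+index 311b0d7..ff9c223 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-srv-record.argv
+@@ -1,7 +1,7 @@
+@DNSMASQ@ \
+--strict-order \
+--local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+--srv-host=name.tcp.test-domain-name,.,1024,10,10 \
+--dhcp-range 192.168.122.2,192.168.122.254 \
+--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+diff --git a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+index cbdf50d..2b133ff 100644
+--- a/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
++++ b/tests/networkxml2argvdata/nat-network-dns-txt-record.argv
+@@ -1,6 +1,6 @@
+@DNSMASQ@ --strict-order \
+--local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+--txt-record=example,example value \
+--dhcp-range 192.168.122.2,192.168.122.254 \
+--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+diff --git a/tests/networkxml2argvdata/nat-network.argv b/tests/networkxml2argvdata/nat-network.argv
+index 967ca94..1a771d0 100644
+--- a/tests/networkxml2argvdata/nat-network.argv
++++ b/tests/networkxml2argvdata/nat-network.argv
+@@ -1,6 +1,6 @@
+@DNSMASQ@ --strict-order \
+--local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr0 \
++--except-interface lo --bind-dynamic --interface virbr0 \
+--dhcp-range 192.168.122.2,192.168.122.254 \
+--dhcp-leasefile=/var/lib/libvirt/dnsmasq/default.leases \
+--dhcp-lease-max=253 --dhcp-no-override \
+diff --git a/tests/networkxml2argvdata/netboot-network.argv b/tests/networkxml2argvdata/netboot-network.argv
+index bcd6fad..9f8d114 100644
+--- a/tests/networkxml2argvdata/netboot-network.argv
++++ b/tests/networkxml2argvdata/netboot-network.argv
+@@ -1,6 +1,6 @@
+@DNSMASQ@ --strict-order --domain=example.com \
+--local=/example.com/ --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo --listen-address 192.168.122.1 \
++--except-interface lo --bind-interfaces --listen-address 192.168.122.1 \
+--dhcp-range 192.168.122.2,192.168.122.254 \
+--dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
+--dhcp-lease-max=253 --dhcp-no-override --expand-hosts --enable-tftp \
+diff --git a/tests/networkxml2argvdata/netboot-proxy-network.argv b/tests/networkxml2argvdata/netboot-proxy-network.argv
+index 8c5ef9b..90a31e2 100644
+--- a/tests/networkxml2argvdata/netboot-proxy-network.argv
++++ b/tests/networkxml2argvdata/netboot-proxy-network.argv
+@@ -1,6 +1,6 @@
+@DNSMASQ@ --strict-order --domain=example.com \
+--local=/example.com/ --domain-needed --conf-file= \
+---bind-interfaces --except-interface lo \
++--except-interface lo --bind-interfaces \
+--listen-address 192.168.122.1 \
+--dhcp-range 192.168.122.2,192.168.122.254 \
+--dhcp-leasefile=/var/lib/libvirt/dnsmasq/netboot.leases \
+diff --git a/tests/networkxml2argvdata/routed-network.argv b/tests/networkxml2argvdata/routed-network.argv
+index eacdf2d..862013e 100644
+--- a/tests/networkxml2argvdata/routed-network.argv
++++ b/tests/networkxml2argvdata/routed-network.argv
+@@ -1,3 +1,3 @@
+@DNSMASQ@ --strict-order \
+--local=// --domain-needed --conf-file= \
+---bind-dynamic --interface virbr1\
++--except-interface lo --bind-dynamic --interface virbr1\
+--
+1.8.0.2
+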
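Review bot: The CVE identifier in the embedded commit message, `The source of the problem was the fix for CVE 2011-3411`, does not match the one this same commit's spec changelog cites for the dnsmasq open-proxy fix (`CVE-2012-3411: avoid open DNS proxy with dnsmasq`), and given the December 2012 date and the bz 833033 reference it is almost certainly a typo; the patch header should read `CVE-2012-3411` so anyone auditing the backport lands on the right advisory. The new comment above the `virCommandAddArgList(cmd, "--except-interface", "lo", NULL);` line, `dnsmasq will *always* listen on localhost unless told otherwise`, also reads as stronger than what I recall of dnsmasq's documented behaviour, where it is `--interface` that implicitly adds loopback while a bare `--listen-address` list does not — worth confirming against the dnsmasq man page and narrowing to something like `/* --interface implicitly adds loopback; exclude it so no libvirt dnsmasq ever binds 127.0.0.1:53 */`. Placing the option unconditionally ahead of the bind-dynamic/bind-interfaces branch is nevertheless the right call, since it keeps both code paths from colliding with a host-local resolver on port 53 regardless of which bind mode the installed dnsmasq supports. networkBuildDnsmasqArgv begins and ends outside the hunk, so this note covers only the visible lines.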
@ -274,7 +274,7 @@
|
|||
Summary: Library providing a simple virtualization API
|
||||
Name: libvirt
|
||||
Version: 0.9.11.8
|
||||
Release: 1%{?dist}%{?extra_release}
|
||||
Release: 2%{?dist}%{?extra_release}
|
||||
License: LGPLv2+
|
||||
Group: Development/Libraries
|
||||
|
||||
|
@ -297,6 +297,8 @@ Patch4: libvirt-sanlock-readonly-option.patch
|
|||
# Fix LXC domain startup with selinux=disabled (bz 858104)
|
||||
# keep: non upstream fix that doesn't apply to git head
|
||||
Patch5: libvirt-lxc-selinux-context-error.patch
|
||||
# Fix conflict with NM launched dnsmasq (bz 886663)
|
||||
Patch6: 0001-network-prevent-dnsmasq-from-listening-on-localhost.patch
|
||||
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
|
||||
|
@ -769,6 +771,7 @@ of recent versions of Linux (and other OSes).
|
|||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
|
||||
%build
|
||||
%if ! %{with_xen}
|
||||
|
@ -1500,6 +1503,9 @@ rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sysctl.d/libvirtd
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Sun Dec 16 2012 Cole Robinson <crobinso@redhat.com> - 0.9.11.8-2
|
||||
- Fix conflict with NM launched dnsmasq (bz #886663)
|
||||
|
||||
* Sun Dec 09 2012 Cole Robinson <crobinso@redhat.com> - 0.9.11.8-1
|
||||
- Rebased to version 0.9.11.8
|
||||
- CVE-2012-3411: avoid open DNS proxy with dnsmasq (bz #874702, bz #882309)
|
||||
|
|
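Review bot: The new `Patch6:` entry under the `# Fix conflict with NM launched dnsmasq (bz 886663)` comment carries no provenance marker, unlike the adjacent Patch5 which is tagged `# keep: non upstream fix that doesn't apply to git head`; since the patch file itself states it is a hand-rebased equivalent of upstream commit d66eb7866757dd371560c288dc6201fb9348792a rather than a cherry-pick, the spec should say so, otherwise the next rebase cannot tell whether the patch is still needed. Suggested comment: `# Fix conflict with NM launched dnsmasq (bz 886663); backport of upstream d66eb7866757, drop once rebased past it`. The Release bump, `%patch6 -p1` and changelog hunks are consistent with each other and need no change.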