This blocks use of all the 'guest-ssh-*' / 'guest-password' commands unless the QGA is run with the --unrestricted command line argument.
These commands allow the host admin to takeover user accounts and so directly compromise the guest OS.

Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
---
 qga/qapi-schema.json | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/qga/qapi-schema.json b/qga/qapi-schema.json
index 25068b8110..e7ce80a479 100644
--- a/qga/qapi-schema.json
+++ b/qga/qapi-schema.json
@@ -1251,10 +1251,15 @@
 # transmission, even if already crypt()d, to ensure it is 8-bit safe
 # when passed as JSON.
 #
+# Features:
+#
+# @user-auth: not permitted if agent is limiting user auth
+#
 # Since: 2.3
 ##
 { 'command': 'guest-set-user-password',
 'data': { 'username': 'str', 'password': 'str', 'crypted': 'bool' },
+ 'features': [ 'user-auth' ],
 'if': { 'any': [ 'CONFIG_WIN32', 'CONFIG_LINUX', 'CONFIG_FREEBSD'] } }
 
 ##
@@ -1810,11 +1815,16 @@
 #
 # Returns: @GuestAuthorizedKeys
 #
+# Features:
+#
+# @user-auth: not permitted if agent is limiting user auth
+#
 # Since: 5.2
 ##
 { 'command': 'guest-ssh-get-authorized-keys',
 'data': { 'username': 'str' },
- 'returns': 'GuestAuthorizedKeys'
+ 'returns': 'GuestAuthorizedKeys',
+ 'features': [ 'user-auth' ]
 }
 
 ##
@@ -1830,10 +1840,15 @@
 #
 # @reset: ignore the existing content, set it with the given keys only
 #
+# Features:
+#
+# @user-auth: not permitted if agent is limiting user auth
+#
 # Since: 5.2
 ##
 { 'command': 'guest-ssh-add-authorized-keys',
- 'data': { 'username': 'str', 'keys': ['str'], '*reset': 'bool' }
+ 'data': { 'username': 'str', 'keys': ['str'], '*reset': 'bool' },
+ 'features': [ 'user-auth' ]
 }
 
 ##
@@ -1848,10 +1863,15 @@
 # @keys: the public keys to remove (in OpenSSH/sshd(8) authorized_keys
 # format)
 #
+# Features:
+#
+# @user-auth: not permitted if agent is limiting user auth
+#
 # Since: 5.2
 ##
 { 'command': 'guest-ssh-remove-authorized-keys',
- 'data': { 'username': 'str', 'keys': ['str'] }
+ 'data': { 'username': 'str', 'keys': ['str'] },
+ 'features': [ 'user-auth' ]
 }
 
 ##
-- 
2.45.1
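Review bot: The `@user-auth` description added above `# Since: 2.3`, "not permitted if agent is limiting user auth", does not tell a schema reader what turns that limit on or off. The commit message says these commands are blocked unless the agent is run with `--unrestricted`, so the line could read `# @user-auth: command is refused unless the agent was started with --unrestricted`. The same sentence is repeated in the three guest-ssh-* hunks that follow and would need the same wording. The option is not defined anywhere in this diff, so its name is taken from the commit message only.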
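Review bot: The `'features': [ 'user-auth' ]` tag on guest-ssh-get-authorized-keys, like the one on the other three commands, is applied per command, so any command without it stays available when the agent runs in its default mode. That would include a command added later that reads or changes guest credentials, if its author forgets the tag. Commands such as guest-exec and the guest-file-* family can reach the same account data and are not touched by this diff; presumably another patch in the series restricts them, but that is not visible here and is worth confirming. A short schema comment such as `# NOTE: every command that reads or changes guest credentials must carry the 'user-auth' feature` would put the rule in front of future schema authors. The code that enforces the feature is outside this file, so the blocking behaviour itself cannot be checked from these hunks.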