[packages/libvirt.git] / libvirt-qemu-acl.patch

From: Neil Wilson <neil@brightbox.co.uk>
To: libvir-list@redhat.com
Date: Mon, 10 Jan 2011 09:52:56 +0000
Message-ID: <1294653176.3013.16.camel@lenovo-3000-n100>

Hi,

Here's the patch to add basic ACL support to QEMU within libvirt. Like
SASL it's ignored by RHEL5's default qemu. Newer qemu picks it up as
expected and you can manipulate the acls using 'virsh'. 


diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index ba41f80..7ab5eee 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -71,6 +71,15 @@
 # vnc_sasl = 1
 
 
+# Enable the VNC access control lists. When switched on this will
+# initially block all vnc users from accessing the vnc server. To
+# add and remove ids from the ACLs you will need to send the appropriate
+# commands to the qemu monitor as required by your particular version of
+# QEMU. See the QEMU documentation for more details.
+# 
+# vnc_acl = 1
+
+
 # The default SASL configuration file is located in /etc/sasl/
 # When running libvirtd unprivileged, it may be desirable to
 # override the configs in this location. Set this parameter to
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 7dd8e03..0ffeaab 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -3542,8 +3542,11 @@ qemuBuildCommandLine(virConnectPtr conn,
                     virCommandAddEnvPair(cmd, "SASL_CONF_DIR",
                                          driver->vncSASLdir);
 
-                /* TODO: Support ACLs later */
             }
+
+	    if (driver->vncACL) 
+	        virBufferAddLit(&opt, ",acl");
+	    
         }
 
         virCommandAddArg(cmd, "-vnc");
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index e1502dc..806432d 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -204,6 +204,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
         }
     }
 
+    p = virConfGetValue (conf, "vnc_acl");
+    CHECK_TYPE ("vnc_acl", VIR_CONF_LONG);
+    if (p) driver->vncACL = p->l;
+
     p = virConfGetValue (conf, "spice_tls");
     CHECK_TYPE ("spice_tls", VIR_CONF_LONG);
     if (p) driver->spiceTLS = p->l;
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 83ddedd..3e7506d 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -85,6 +85,7 @@ struct qemud_driver {
     unsigned int vncTLS : 1;
     unsigned int vncTLSx509verify : 1;
     unsigned int vncSASL : 1;
+    unsigned int vncACL : 1;
     char *vncTLSx509certdir;
     char *vncListen;
     char *vncPassword;
Commit	Line	Data
3f6c4997 JR	1	From: Neil Wilson <neil@brightbox.co.uk>
	2	To: libvir-list@redhat.com
	3	Date: Mon, 10 Jan 2011 09:52:56 +0000
	4	Message-ID: <1294653176.3013.16.camel@lenovo-3000-n100>
	5
	6	Hi,
	7
	8	Here's the patch to add basic ACL support to QEMU within libvirt. Like
	9	SASL it's ignored by RHEL5's default qemu. Newer qemu picks it up as
	10	expected and you can manipulate the acls using 'virsh'.
	11
	12
	13	diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
	14	index ba41f80..7ab5eee 100644
	15	--- a/src/qemu/qemu.conf
	16	+++ b/src/qemu/qemu.conf
	17	@@ -71,6 +71,15 @@
	18	# vnc_sasl = 1
	19
	20
	21	+# Enable the VNC access control lists. When switched on this will
	22	+# initially block all vnc users from accessing the vnc server. To
	23	+# add and remove ids from the ACLs you will need to send the appropriate
	24	+# commands to the qemu monitor as required by your particular version of
	25	+# QEMU. See the QEMU documentation for more details.
	26	+#
	27	+# vnc_acl = 1
	28	+
	29	+
	30	# The default SASL configuration file is located in /etc/sasl/
	31	# When running libvirtd unprivileged, it may be desirable to
	32	# override the configs in this location. Set this parameter to
	33	diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
	34	index 7dd8e03..0ffeaab 100644
	35	--- a/src/qemu/qemu_command.c
	36	+++ b/src/qemu/qemu_command.c
	37	@@ -3542,8 +3542,11 @@ qemuBuildCommandLine(virConnectPtr conn,
	38	virCommandAddEnvPair(cmd, "SASL_CONF_DIR",
	39	driver->vncSASLdir);
	40
	41	- /* TODO: Support ACLs later */
	42	}
	43	+
	44	+ if (driver->vncACL)
	45	+ virBufferAddLit(&opt, ",acl");
	46	+
	47	}
	48
	49	virCommandAddArg(cmd, "-vnc");
	50	diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
	51	index e1502dc..806432d 100644
	52	--- a/src/qemu/qemu_conf.c
	53	+++ b/src/qemu/qemu_conf.c
	54	@@ -204,6 +204,10 @@ int qemudLoadDriverConfig(struct qemud_driver *driver,
	55	}
	56	}
	57
	58	+ p = virConfGetValue (conf, "vnc_acl");
	59	+ CHECK_TYPE ("vnc_acl", VIR_CONF_LONG);
	60	+ if (p) driver->vncACL = p->l;
	61	+
	62	p = virConfGetValue (conf, "spice_tls");
	63	CHECK_TYPE ("spice_tls", VIR_CONF_LONG);
	64	if (p) driver->spiceTLS = p->l;
65	diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
66	index 83ddedd..3e7506d 100644
67	--- a/src/qemu/qemu_conf.h
68	+++ b/src/qemu/qemu_conf.h
69	@@ -85,6 +85,7 @@ struct qemud_driver {
70	unsigned int vncTLS : 1;
71	unsigned int vncTLSx509verify : 1;
72	unsigned int vncSASL : 1;
73	+ unsigned int vncACL : 1;
74	char *vncTLSx509certdir;
75	char *vncListen;
76	char *vncPassword;
77