[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 11/15] Add configuration options for permissions on daemon's admin socket



This is not going to be very widely used, but for some corner cases and
easier (unsafe) debugging, it might be nice.

Signed-off-by: Martin Kletzander <mkletzan redhat com>
---
 daemon/libvirtd-config.c     | 5 ++++-
 daemon/libvirtd-config.h     | 1 +
 daemon/libvirtd.aug          | 1 +
 daemon/libvirtd.conf         | 8 ++++++++
 daemon/test_libvirtd.aug.in  | 1 +
 tests/confdata/libvirtd.conf | 6 ++++++
 tests/confdata/libvirtd.out  | 5 +++++
 7 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c
index 3694455..bce2d70 100644
--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -264,7 +264,8 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED)

     if (VIR_STRDUP(data->unix_sock_rw_perms,
                    data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700") < 0 ||
-        VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0)
+        VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0 ||
+        VIR_STRDUP(data->unix_sock_admin_perms, "0700") < 0)
         goto error;

 #if WITH_SASL
@@ -337,6 +338,7 @@ daemonConfigFree(struct daemonConfig *data)
     }
     VIR_FREE(data->access_drivers);

+    VIR_FREE(data->unix_sock_admin_perms);
     VIR_FREE(data->unix_sock_ro_perms);
     VIR_FREE(data->unix_sock_rw_perms);
     VIR_FREE(data->unix_sock_group);
@@ -404,6 +406,7 @@ daemonConfigLoadOptions(struct daemonConfig *data,
         goto error;

     GET_CONF_STR(conf, filename, unix_sock_group);
+    GET_CONF_STR(conf, filename, unix_sock_admin_perms);
     GET_CONF_STR(conf, filename, unix_sock_ro_perms);
     GET_CONF_STR(conf, filename, unix_sock_rw_perms);

diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h
index c996995..b8d2bc0 100644
--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -35,6 +35,7 @@ struct daemonConfig {
     char *tls_port;
     char *tcp_port;

+    char *unix_sock_admin_perms;
     char *unix_sock_ro_perms;
     char *unix_sock_rw_perms;
     char *unix_sock_group;
diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug
index 5a0807c..b20ceca 100644
--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -35,6 +35,7 @@ module Libvirtd =
    let sock_acl_entry = str_entry "unix_sock_group"
                       | str_entry "unix_sock_ro_perms"
                       | str_entry "unix_sock_rw_perms"
+                      | str_entry "unix_sock_admin_perms"
                       | str_entry "unix_sock_dir"

    let authentication_entry = str_entry "auth_unix_ro"
diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 069ef3a..6ef38fa 100644
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -106,9 +106,17 @@
 # control, then you may want to relax this too.
 #unix_sock_rw_perms = "0770"

+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
 # Set the name of the directory in which sockets will be found/created.
 #unix_sock_dir = "/var/run/libvirt"

+
+
 #################################################################
 #
 # Authentication.
diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 37ff33d..a87df5f 100644
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -12,6 +12,7 @@ module Test_libvirtd =
         { "unix_sock_group" = "libvirt" }
         { "unix_sock_ro_perms" = "0777" }
         { "unix_sock_rw_perms" = "0770" }
+        { "unix_sock_admin_perms" = "0700" }
         { "unix_sock_dir" = "/var/run/libvirt" }
         { "auth_unix_ro" = "none" }
         { "auth_unix_rw" = "none" }
diff --git a/tests/confdata/libvirtd.conf b/tests/confdata/libvirtd.conf
index 2f2ba4b..5029c4c 100644
--- a/tests/confdata/libvirtd.conf
+++ b/tests/confdata/libvirtd.conf
@@ -89,6 +89,12 @@ unix_sock_ro_perms = "0777"
 # control then you may want to relax this to:
 unix_sock_rw_perms = "0770"

+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
+


 #################################################################
diff --git a/tests/confdata/libvirtd.out b/tests/confdata/libvirtd.out
index 171945d..4d7ed47 100644
--- a/tests/confdata/libvirtd.out
+++ b/tests/confdata/libvirtd.out
@@ -71,6 +71,11 @@ unix_sock_ro_perms = "0777"
 # If not using PolicyKit and setting group ownership for access
 # control then you may want to relax this to:
 unix_sock_rw_perms = "0770"
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
 #################################################################
 #
 # Authentication.
-- 
2.3.5


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]