| From: | Anthony Liguori |
| Subject: | Re: [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access |
| Date: | Thu, 26 Feb 2009 16:05:18 -0600 |
| User-agent: | Thunderbird 2.0.0.19 (X11/20090105) |
Daniel P. Berrange wrote:
This patch introduces a generic internal API for access control lists to be used by network servers in QEMU. It adds support for checking these ACLs in the VNC server, in two places. The first ACL is for the SASL authentication mechanism, checking the SASL username. This ACL is called 'vnc.username'. The second is for the TLS authentication mechanism, when x509 client certificates are turned on, checking against the Distinguished Name of the client. This ACL is called 'vnc.x509dname'.

The internal API provides for an ACL with the following characteristics

 - A unique name, eg vnc.username, and vnc.x509dname.
 - A default policy, allow or deny
 - An ordered series of match rules, with allow or deny policy

If none of the match rules apply, then the default policy is used.

There is a monitor API to manipulate the ACLs, which I'll describe via examples

  (qemu) acl show vnc.username
  policy: allow
  (qemu) acl policy vnc.username deny
  acl: policy set to 'deny'
  (qemu) acl allow vnc.username fred
  acl: added rule at position 1
  (qemu) acl allow vnc.username bob
  acl: added rule at position 2
  (qemu) acl allow vnc.username joe 1
  acl: added rule at position 1
  (qemu) acl show vnc.username
  policy: deny
  0: allow fred
  1: allow joe
  2: allow bob

  (qemu) acl show vnc.x509dname
  policy: allow
  (qemu) acl policy vnc.x509dname deny
  acl: policy set to 'deny'
  (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=*
  acl: added rule at position 1
  (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob
  acl: added rule at position 2
  (qemu) acl show vnc.x509dname
  policy: deny
  0: allow C=GB,O=ACME,L=London,CN=*
  1: allow C=GB,O=ACME,L=Boston,CN=bob

At startup the ACLs currently default to an allow policy.

The next patch will provide a way to load a pre-defined ACL when starting up

 Makefile        |    6 +-
 b/acl.c         |  168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 b/acl.h         |   74 ++++++++++++++++++++++++
 monitor.c       |   95 +++++++++++++++++++++++++++++++
 vnc-auth-sasl.c |   16 ++++-
 vnc-auth-sasl.h |    7 ++
 vnc-tls.c       |   19 ++++++
 vnc-tls.h       |    3 +
 vnc.c           |   14 ++++
 vnc.h           |    3 +
 10 files changed, 398 insertions(+), 7 deletions(-)

Signed-off-by: Daniel P. Berrange <address@hidden>
This breaks the build on win32. Attached are the build log and config info.

Regards,

Anthony Liguori
# Automatically generated by configure - do not modify
# Configured with: '/home/anthony/git/qemu/configure' '--cross-prefix=i686-pc-mingw32-' '--target-list=x86_64-softmmu'
prefix=c:\\Program Files\\Qemu
bindir=${prefix}
mandir=${prefix}
datadir=${prefix}
docdir=${prefix}
MAKE=make
INSTALL=install
CC=i686-pc-mingw32-gcc
HOST_CC=gcc
AR=i686-pc-mingw32-ar
STRIP=i686-pc-mingw32-strip -s -R .comment -R .note
OS_CFLAGS=
OS_LDFLAGS=
ARCH_CFLAGS=-m32
ARCH_LDFLAGS=-m32
CFLAGS= -O2 -g -fno-strict-aliasing -Wall -Wundef -Wendif-labels -Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls
LDFLAGS= -g -Wl,--warn-common
EXESUF=.exe
AIOLIBS=
ARCH=i386
CONFIG_WIN32=yes
CONFIG_GDBSTUB=yes
CONFIG_SLIRP=yes
CONFIG_AC97=yes
CONFIG_ES1370=yes
CONFIG_SB16=yes
CONFIG_VNC_TLS=yes
CONFIG_VNC_TLS_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include
CONFIG_VNC_TLS_LIBS=-L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls
VERSION=0.9.1
SRC_PATH=/home/anthony/git/qemu
VPATH=/home/anthony/git/qemu
TARGET_DIRS=x86_64-softmmu
CONFIG_SDL=yes
SDL_LIBS=-lmingw32 -lSDLmain -lSDL -mwindows
SDL_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include/SDL -D_GNU_SOURCE=1 -Dmain=SDL_main
INSTALL_BLOBS=yes
HOST_USB=stub
TOOLS=qemu-img$(EXESUF)
Install prefix c:\\Program Files\\Qemu
BIOS directory c:\\Program Files\\Qemu
binary directory c:\\Program Files\\Qemu
Source path /home/anthony/git/qemu
C compiler i686-pc-mingw32-gcc
Host C compiler gcc
ARCH_CFLAGS -m32
make make
install install
host CPU i386
host big endian no
target list x86_64-softmmu
gprof enabled no
sparse enabled no
profiler no
static build no
-Werror enabled no
SDL support yes
SDL static link yes
curses support no
mingw32 support yes
Audio drivers
Extra audio cards ac97 es1370 sb16
Mixer emulation no
VNC TLS support yes
TLS CFLAGS -I/usr/i686-pc-mingw32/sys-root/mingw/include
TLS LIBS -L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls
VNC SASL support no
kqemu support yes
brlapi support no
Documentation no
NPTL support no
vde support no
AIO support no
Install blobs yes
KVM support no - (linux/kvm.h: No such file or directory, #error Invalid KVM version, #error Missing KVM capability KVM_CAP_USER_MEMORY, #error Missing KVM capability KVM_CAP_SET_TSS_ADDR, #error Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)
fdt support no
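The ACL semantics described in the quoted patch message (a named list with a default policy, ordered allow rules, positional insertion, and glob-style matching as the CN=* rule implies) rebuilt as a small C illustration. This is added here and is not QEMU's acl.c; the Acl/AclRule types, acl_insert, acl_check and acl_example_username are hypothetical names, and POSIX fnmatch(3) is assumed for the pattern matching.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the ACL described in the patch message (not QEMU's
 * acl.c): ordered allow/deny rules, first glob match wins, otherwise the
 * list's default policy decides. */
typedef struct AclRule {
    int allow;           /* 1 = allow, 0 = deny */
    char pattern[128];   /* glob pattern, e.g. "C=GB,O=ACME,L=London,CN=*" */
} AclRule;

typedef struct Acl {
    const char *name;    /* e.g. "vnc.username" or "vnc.x509dname" */
    int default_allow;   /* policy used when no rule matches */
    AclRule rules[16]; int nrules;
} Acl;

/* Insert a rule at 0-based index pos (append when pos is out of range),
 * shifting later rules down, like "acl allow <name> <match> [pos]" in the
 * monitor. Returns the index the rule landed at, or -1 if the list is full. */
int acl_insert(Acl *acl, int allow, const char *pattern, int pos)
{
    if (acl->nrules >= 16) return -1;
    if (pos < 0 || pos > acl->nrules) pos = acl->nrules;
    memmove(&acl->rules[pos + 1], &acl->rules[pos], (acl->nrules - pos) * sizeof(AclRule));
    acl->rules[pos].allow = allow;
    snprintf(acl->rules[pos].pattern, sizeof acl->rules[pos].pattern, "%s", pattern);
    acl->nrules++;
    return pos;
}

/* Check an identity (SASL username or x509 DN string) against the list:
 * rules are tried in order, first match wins, else the default policy.
 * Returns 1 for allow, 0 for deny. */
int acl_check(const Acl *acl, const char *identity)
{
    for (int i = 0; i < acl->nrules; i++)
        if (fnmatch(acl->rules[i].pattern, identity, 0) == 0)
            return acl->rules[i].allow;
    return acl->default_allow;
}

/* Replay the vnc.username session from the message: policy deny, fred and
 * bob appended, joe inserted at index 1, giving fred, joe, bob. */
Acl *acl_example_username(void)
{
    static Acl acl;
    acl.name = "vnc.username"; acl.default_allow = 0; acl.nrules = 0;
    acl_insert(&acl, 1, "fred", -1);
    acl_insert(&acl, 1, "bob", -1);
    acl_insert(&acl, 1, "joe", 1);
    return &acl;
}
```

With the default policy set to deny, an identity that matches no rule is refused, which is the check the two VNC authentication paths in the description perform.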