Re: [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access
From: Anthony Liguori
Subject: Re: [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access
Date: Thu, 26 Feb 2009 16:07:45 -0600
User-agent: Thunderbird 2.0.0.19 (X11/20090105)

Daniel P. Berrange wrote:

This patch introduces a generic internal API for access control lists
to be used by network servers in QEMU. It adds support for checking
these ACLs in the VNC server, in two places. The first ACL is for the
SASL authentication mechanism, checking the SASL username. This ACL
is called 'vnc.username'. The second is for the TLS authentication
mechanism, when x509 client certificates are turned on, checking against
the Distinguished Name of the client. This ACL is called 'vnc.x509dname'.

The internal API provides for an ACL with the following characteristics:

 - A unique name, e.g. vnc.username and vnc.x509dname.
 - A default policy, allow or deny
 - An ordered series of match rules, with allow or deny policy

If none of the match rules apply, then the default policy is
used.

There is a monitor API to manipulate the ACLs, which I'll describe via
examples:

  (qemu) acl show vnc.username
  policy: allow
  (qemu) acl policy vnc.username deny
  acl: policy set to 'deny'
  (qemu) acl allow vnc.username fred
  acl: added rule at position 1
  (qemu) acl allow vnc.username bob
  acl: added rule at position 2
  (qemu) acl allow vnc.username joe 1
  acl: added rule at position 1
  (qemu) acl show vnc.username
  policy: deny
  0: allow fred
  1: allow joe
  2: allow bob

  (qemu) acl show vnc.x509dname
  policy: allow
  (qemu) acl policy vnc.x509dname deny
  acl: policy set to 'deny'
  (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=*
  acl: added rule at position 1
  (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob
  acl: added rule at position 2
  (qemu) acl show vnc.x509dname
  policy: deny
  0: allow C=GB,O=ACME,L=London,CN=*
  1: allow C=GB,O=ACME,L=Boston,CN=bob

At startup the ACLs currently default to an allow policy. The
next patch will provide a way to load a pre-defined ACL when
starting up.

Makefile | 6 +-
b/acl.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
b/acl.h | 74 ++++++++++++++++++++++++
monitor.c | 95 +++++++++++++++++++++++++++++++
vnc-auth-sasl.c | 16 ++++-
vnc-auth-sasl.h | 7 ++
vnc-tls.c | 19 ++++++
vnc-tls.h | 3 +
vnc.c | 14 ++++
vnc.h | 3 +
10 files changed, 398 insertions(+), 7 deletions(-)

Signed-off-by: Daniel P. Berrange <address@hidden>

This breaks the win32 build. Attached are the make and config logs.

I'm using the F10 mingw packages fwiw.

Regards,

Anthony Liguori

# Automatically generated by configure - do not modify
# Configured with: '/home/anthony/git/qemu/configure'
'--cross-prefix=i686-pc-mingw32-' '--target-list=x86_64-softmmu'
prefix=c:\\Program Files\\Qemu
bindir=${prefix}
mandir=${prefix}
datadir=${prefix}
docdir=${prefix}
MAKE=make
INSTALL=install
CC=i686-pc-mingw32-gcc
HOST_CC=gcc
AR=i686-pc-mingw32-ar
STRIP=i686-pc-mingw32-strip -s -R .comment -R .note
OS_CFLAGS=
OS_LDFLAGS=
ARCH_CFLAGS=-m32
ARCH_LDFLAGS=-m32
CFLAGS= -O2 -g -fno-strict-aliasing -Wall -Wundef -Wendif-labels
-Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls
LDFLAGS= -g -Wl,--warn-common
EXESUF=.exe
AIOLIBS=
ARCH=i386
CONFIG_WIN32=yes
CONFIG_GDBSTUB=yes
CONFIG_SLIRP=yes
CONFIG_AC97=yes
CONFIG_ES1370=yes
CONFIG_SB16=yes
CONFIG_VNC_TLS=yes
CONFIG_VNC_TLS_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include
CONFIG_VNC_TLS_LIBS=-L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls
VERSION=0.9.1
SRC_PATH=/home/anthony/git/qemu
VPATH=/home/anthony/git/qemu
TARGET_DIRS=x86_64-softmmu
CONFIG_SDL=yes
SDL_LIBS=-lmingw32 -lSDLmain -lSDL -mwindows
SDL_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include/SDL -D_GNU_SOURCE=1
-Dmain=SDL_main
INSTALL_BLOBS=yes
HOST_USB=stub
TOOLS=qemu-img$(EXESUF)
Install prefix c:\\Program Files\\Qemu
BIOS directory c:\\Program Files\\Qemu
binary directory c:\\Program Files\\Qemu
Source path /home/anthony/git/qemu
C compiler i686-pc-mingw32-gcc
Host C compiler gcc
ARCH_CFLAGS -m32
make make
install install
host CPU i386
host big endian no
target list x86_64-softmmu
gprof enabled no
sparse enabled no
profiler no
static build no
-Werror enabled no
SDL support yes
SDL static link yes
curses support no
mingw32 support yes
Audio drivers
Extra audio cards ac97 es1370 sb16
Mixer emulation no
VNC TLS support yes
TLS CFLAGS -I/usr/i686-pc-mingw32/sys-root/mingw/include
TLS LIBS -L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls
VNC SASL support no
kqemu support yes
brlapi support no
Documentation no
NPTL support no
vde support no
AIO support no
Install blobs yes
KVM support no - (linux/kvm.h: No such file or directory, #error Invalid
KVM version, #error Missing KVM capability KVM_CAP_USER_MEMORY, #error Missing
KVM capability KVM_CAP_SET_TSS_ADDR, #error Missing KVM capability
KVM_CAP_DESTROY_MEMORY_REGION_WORKS)
fdt support no
CC qemu-img.o
CC qemu-tool.o
CC osdep.o
CC cutils.o
CC qemu-malloc.o
CC block-cow.o
CC block-qcow.o
CC aes.o
CC block-vmdk.o
/home/anthony/git/qemu/block-vmdk.c: In function 'vmdk_create':
/home/anthony/git/qemu/block-vmdk.c:787: warning: format '%I64d' expects type
'int', but argument 5 has type 'int64_t'
/home/anthony/git/qemu/block-vmdk.c:787: warning: format '%I64d' expects type
'int', but argument 8 has type 'long long int'
CC block-cloop.o
CC block-dmg.o
CC block-bochs.o
CC block-vpc.o
CC block-vvfat.o
CC block-qcow2.o
CC block-parallels.o
CC block-nbd.o
CC nbd.o
/home/anthony/git/qemu/nbd.c: In function 'tcp_socket_incoming':
/home/anthony/git/qemu/nbd.c:172: warning: passing argument 4 of 'setsockopt'
from incompatible pointer type
CC block.o
/home/anthony/git/qemu/block.c: In function 'bdrv_info_stats':
/home/anthony/git/qemu/block.c:1087: warning: format '%I64u' expects type
'unsigned int', but argument 3 has type 'uint64_t'
/home/anthony/git/qemu/block.c:1087: warning: format '%I64u' expects type
'unsigned int', but argument 4 has type 'uint64_t'
/home/anthony/git/qemu/block.c:1087: warning: format '%I64u' expects type
'unsigned int', but argument 5 has type 'uint64_t'
/home/anthony/git/qemu/block.c:1087: warning: format '%I64u' expects type
'unsigned int', but argument 6 has type 'uint64_t'
/home/anthony/git/qemu/block.c:1091: warning: format '%I64d' expects type
'int', but argument 2 has type 'int64_t'
/home/anthony/git/qemu/block.c:1091: warning: format '%I64d' expects type
'int', but argument 3 has type 'int64_t'
/home/anthony/git/qemu/block.c: In function 'get_human_readable_size':
/home/anthony/git/qemu/block.c:1183: warning: format '%I64d' expects type
'int', but argument 4 has type 'int64_t'
/home/anthony/git/qemu/block.c:1195: warning: format '%I64d' expects type
'int', but argument 4 has type 'int64_t'
CC aio.o
CC block-raw-win32.o
/home/anthony/git/qemu/block-raw-win32.c: In function 'raw_truncate':
/home/anthony/git/qemu/block-raw-win32.c:286: warning: pointer targets in
passing argument 3 of 'SetFilePointer' differ in signedness
/home/anthony/git/qemu/block-raw-win32.c: In function 'raw_getlength':
/home/anthony/git/qemu/block-raw-win32.c:304: warning: pointer targets in
passing argument 2 of 'GetFileSize' differ in signedness
LINK qemu-img.exe
CC readline.o
CC console.o
CC irq.o
CC i2c.o
CC smbus.o
CC smbus_eeprom.o
CC max7310.o
CC max111x.o
CC wm8750.o
CC ssd0303.o
CC ssd0323.o
CC ads7846.o
CC stellaris_input.o
CC twl92230.o
CC tmp105.o
CC lm832x.o
CC scsi-disk.o
CC cdrom.o
CC scsi-generic.o
CC usb.o
CC usb-hub.o
CC usb-stub.o
CC usb-hid.o
CC usb-msd.o
CC usb-wacom.o
CC usb-serial.o
CC usb-net.o
CC sd.o
CC ssi-sd.o
CC bt.o
CC bt-host.o
/home/anthony/git/qemu/bt-host.c:200: warning: no previous prototype for
'bt_host_hci'
CC bt-vhci.o
CC bt-l2cap.o
CC bt-sdp.o
/home/anthony/git/qemu/hw/bt-sdp.c:790:1: warning: "TRUE" redefined
In file included from /usr/i686-pc-mingw32/sys-root/mingw/include/windows.h:48,
from /home/anthony/git/qemu/qemu-common.h:8,
from /home/anthony/git/qemu/hw/bt-sdp.c:21:
/usr/i686-pc-mingw32/sys-root/mingw/include/windef.h:55:1: warning: this is the
location of the previous definition
/home/anthony/git/qemu/hw/bt-sdp.c:794:1: warning: "FALSE" redefined
/usr/i686-pc-mingw32/sys-root/mingw/include/windef.h:52:1: warning: this is the
location of the previous definition
CC bt-hci.o
CC bt-hid.o
CC usb-bt.o
CC buffered_file.o
CC migration.o
CC migration-tcp.o
/home/anthony/git/qemu/migration-tcp.c: In function 'tcp_wait_for_connect':
/home/anthony/git/qemu/migration-tcp.c:62: warning: passing argument 4 of
'getsockopt' from incompatible pointer type
CC net.o
/home/anthony/git/qemu/net.c: In function 'net_socket_receive_dgram':
/home/anthony/git/qemu/net.c:1124: warning: pointer targets in passing argument
2 of 'sendto' differ in signedness
/home/anthony/git/qemu/net.c: In function 'net_socket_send':
/home/anthony/git/qemu/net.c:1134: warning: pointer targets in passing argument
2 of 'recv' differ in signedness
/home/anthony/git/qemu/net.c: In function 'net_socket_send_dgram':
/home/anthony/git/qemu/net.c:1188: warning: pointer targets in passing argument
2 of 'recv' differ in signedness
/home/anthony/git/qemu/net.c: In function 'net_cleanup':
/home/anthony/git/qemu/net.c:1898: warning: unused variable 'vlan'
CC qemu-sockets.o
CC qemu-char.o
/home/anthony/git/qemu/qemu-char.c: In function 'udp_chr_write':
/home/anthony/git/qemu/qemu-char.c:1679: warning: pointer targets in passing
argument 2 of 'sendto' differ in signedness
/home/anthony/git/qemu/qemu-char.c: In function 'udp_chr_read':
/home/anthony/git/qemu/qemu-char.c:1707: warning: pointer targets in passing
argument 2 of 'recv' differ in signedness
/home/anthony/git/qemu/qemu-char.c: In function 'tcp_chr_read':
/home/anthony/git/qemu/qemu-char.c:1872: warning: pointer targets in passing
argument 2 of 'recv' differ in signedness
CC net-checksum.o
CC savevm.o
/home/anthony/git/qemu/savevm.c: In function 'socket_get_buffer':
/home/anthony/git/qemu/savevm.c:171: warning: pointer targets in passing
argument 2 of 'recv' differ in signedness
CC cache-utils.o
CC tap-win32.o
/home/anthony/git/qemu/tap-win32.c: In function 'is_tap_win32_dev':
/home/anthony/git/qemu/tap-win32.c:259: warning: pointer targets in passing
argument 5 of 'RegQueryValueExA' differ in signedness
/home/anthony/git/qemu/tap-win32.c:269: warning: pointer targets in passing
argument 5 of 'RegQueryValueExA' differ in signedness
/home/anthony/git/qemu/tap-win32.c: In function 'get_device_guid':
/home/anthony/git/qemu/tap-win32.c:358: warning: pointer targets in passing
argument 5 of 'RegQueryValueExA' differ in signedness
/home/anthony/git/qemu/tap-win32.c: In function 'tap_win32_open':
/home/anthony/git/qemu/tap-win32.c:615: warning: pointer targets in passing
argument 7 of 'DeviceIoControl' differ in signedness
/home/anthony/git/qemu/tap-win32.c: In function 'tap_win32_send':
/home/anthony/git/qemu/tap-win32.c:659: warning: pointer targets in passing
argument 2 of 'tap_win32_free_buffer' differ in signedness
CC audio/audio.o
/home/anthony/git/qemu/audio/audio.c: In function 'audio_get_avail':
/home/anthony/git/qemu/audio/audio.c:1225: warning: format '%I64d' expects type
'int', but argument 4 has type 'long long int'
CC audio/noaudio.o
CC audio/wavaudio.o
CC audio/mixeng.o
CC audio/sdlaudio.o
CC audio/wavcapture.o
CC keymaps.o
CC sdl.o
CC x_keymap.o
CC vnc.o
In file included from /home/anthony/git/qemu/vnc-tls.h:34,
from /home/anthony/git/qemu/vnc.h:79,
from /home/anthony/git/qemu/vnc.c:27:
/home/anthony/git/qemu/acl.h:31: error: conflicting types for 'ACL'
/usr/i686-pc-mingw32/sys-root/mingw/include/winnt.h:1834: error: previous
declaration of 'ACL' was here
/home/anthony/git/qemu/vnc.c: In function 'addr_to_string':
/home/anthony/git/qemu/vnc.c:66: warning: implicit declaration of function
'asprintf'
/home/anthony/git/qemu/vnc.c: In function 'vnc_client_write_buf':
/home/anthony/git/qemu/vnc.c:939: warning: pointer targets in passing argument
2 of 'send' differ in signedness
/home/anthony/git/qemu/vnc.c: In function 'vnc_client_read_buf':
/home/anthony/git/qemu/vnc.c:1044: warning: pointer targets in passing argument
2 of 'recv' differ in signedness
make: *** [vnc.o] Error 1
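
The ACL model from the quoted description (a default policy plus an ordered list of allow/deny match rules, read here as first match wins), sketched as an added example; this is not code from the patch. The vnc_acl names, the fixed-size rule table and the use of POSIX fnmatch() for the '*' wildcard are assumptions, and the CN=mallory deny rule is constructed to show why rule order matters.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <string.h>
#define VNC_ACL_MAX_RULES 16

/* Hypothetical names; vnc_ prefix avoids the winnt.h 'ACL' clash seen in the log. */
typedef struct {
    int deny;             /* 1 = deny, 0 = allow */
    const char *pattern;  /* glob matched against a username or x509 DN */
} vnc_acl_rule;

typedef struct {
    int default_deny;     /* policy applied when no rule matches */
    size_t nrules;
    vnc_acl_rule rules[VNC_ACL_MAX_RULES];
} vnc_acl;

/* Insert at a 0-based index (clamped to the end); returns -1 when full. */
int vnc_acl_insert(vnc_acl *acl, size_t index, int deny, const char *pattern)
{
    if (acl->nrules == VNC_ACL_MAX_RULES)
        return -1;
    if (index > acl->nrules)
        index = acl->nrules;
    memmove(&acl->rules[index + 1], &acl->rules[index],
            (acl->nrules - index) * sizeof(acl->rules[0]));
    acl->rules[index] = (vnc_acl_rule){ deny, pattern };
    acl->nrules++;
    return (int)index;
}

/* First matching rule decides, else the default policy. 1 = allowed. */
int vnc_acl_party_is_allowed(const vnc_acl *acl, const char *party)
{
    for (size_t i = 0; i < acl->nrules; i++)
        if (fnmatch(acl->rules[i].pattern, party, 0) == 0)
            return !acl->rules[i].deny;
    return !acl->default_deny;
}

/* Constructed sample: the page's vnc.x509dname rules, plus a deny rule
 * inserted ahead of the wildcard to show that order matters. */
int vnc_acl_demo(const char *dname)
{
    vnc_acl acl = { .default_deny = 1 };
    vnc_acl_insert(&acl, 0, 0, "C=GB,O=ACME,L=London,CN=*");
    vnc_acl_insert(&acl, 1, 0, "C=GB,O=ACME,L=Boston,CN=bob");
    vnc_acl_insert(&acl, 0, 1, "C=GB,O=ACME,L=London,CN=mallory");
    return vnc_acl_party_is_allowed(&acl, dname);
}
```

With fnmatch flags set to 0 the '*' also matches commas, so a CN=* rule accepts any trailing text after CN=, including extra DN components; rules written this way should be reviewed with that in mind.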