From nobody Sun Feb 8 13:09:49 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1620150263; cv=none; d=zohomail.com; s=zohoarc; b=eQlb2FQuDjcj125y2G12uWFz1ncisD/7qrmqcbZ/6AMxsXaPqSraIcX7o/wV/M6Vi7go6WRyEgDGqQIS8UK/L1/ffIUlJSIsvYULTBFRlameF0ZwMTMpruwCwQaoGlkAom7Hpr8PmGfgdgDd3Ufkm2YZYcUSwCEaqZR0TNizJdg= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620150263; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=Xhy9iowtnSAld6hoAlzN3Q8TA+LMllrIJ1weRuQpHmE=; b=VgUEcvUTstVUZcFYP9z7VrUR69yLsGfHe/8ZLcx+D84rn6dBTqlsT+r9BarS4hGFgL1JB4kDW5ItbTWOUWYFdOqyA6NFsapQhPe4H8/3RX8Ke3YpIOBFwywsYqBME1aRqRxXwnx0Qf5hgvTMTOeQ7zWWtNoNk89IjqL8PyNcDhs= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 1620150263450872.0165935595969; Tue, 4 May 2021 10:44:23 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-570-wF75kpWIOxyfwhUEra0tkg-1; Tue, 04 May 2021 13:44:19 -0400 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E97FC1020C21; Tue, 4 May 2021 17:44:14 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id CC0565D735; Tue, 4 May 2021 17:44:14 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 9315B55352; Tue, 4 May 2021 17:44:14 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 144HhweO003892 for ; Tue, 4 May 2021 13:43:58 -0400 Received: by smtp.corp.redhat.com (Postfix) id D51872C01B; Tue, 4 May 2021 17:43:58 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-113-37.ams2.redhat.com [10.36.113.37]) by smtp.corp.redhat.com (Postfix) with ESMTP id 21FA6421F; Tue, 4 May 2021 17:43:57 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1620150262; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=Xhy9iowtnSAld6hoAlzN3Q8TA+LMllrIJ1weRuQpHmE=; b=KcvNiyjRX75XrggcBVoUKb/GU+a9qxD7JeRbhn+smW6AVfwKMClHqCf9uGxL/9j8keqks5 q1YzzX5++O7Hqy60pVDbt1RO8chWzuWkHHbtFxHQsoTVK3xbfXusBSrzVyNb4eg8BmTQTX UlTyy8wmGSxNvg81fN0XQfZsWZQ9b7Y= X-MC-Unique: wF75kpWIOxyfwhUEra0tkg-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Subject: [libvirt PATCH 3/9] util: generate a persistent system token Date: Tue, 4 May 2021 18:43:44 +0100 Message-Id: <20210504174350.488942-4-berrange@redhat.com> In-Reply-To: <20210504174350.488942-1-berrange@redhat.com> References: <20210504174350.488942-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) When creating the system identity set the system token. The system token is currently stored in a local path /var/run/libvirt/common/system.token Obviously with only traditional UNIX DAC in effect, this is largely security through obscurity, if the client is running at the same privilege level as the daemon. It does, however, reliably distinguish an unprivilegd client from the system daemons. With a MAC system like SELinux though, or possible use of containers, access can be further restricted. A possible future improvement for Linux would be to populate the kernel keyring with a secret for libvirt daemons to share. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/util/viridentity.c | 107 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 107 insertions(+) diff --git a/src/util/viridentity.c b/src/util/viridentity.c index 7da4ea12f5..065db06e49 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c @@ -22,6 +22,7 @@ #include =20 #include +#include #if WITH_SELINUX # include #endif @@ -32,11 +33,14 @@ #include "viridentity.h" #include "virlog.h" #include "virobject.h" +#include "virrandom.h" #include "virthread.h" #include "virutil.h" #include "virstring.h" #include "virprocess.h" #include "virtypedparam.h" +#include "virfile.h" +#include "configmake.h" =20 #define VIR_FROM_THIS VIR_FROM_IDENTITY =20 @@ -54,7 +58,10 @@ struct _virIdentity { =20 G_DEFINE_TYPE(virIdentity, vir_identity, G_TYPE_OBJECT) =20 +static char *virIdentityEnsureSystemToken(void); + static virThreadLocal virIdentityCurrent; +static char *systemToken; =20 static void virIdentityFinalize(GObject *obj); =20 @@ -73,6 +80,9 @@ static int virIdentityOnceInit(void) return -1; } =20 + if (!(systemToken =3D virIdentityEnsureSystemToken())) + return -1; + return 0; } =20 @@ -144,6 +154,103 @@ int virIdentitySetCurrent(virIdentity *ident) } =20 =20 +#define TOKEN_BYTES 16 +#define TOKEN_STRLEN (TOKEN_BYTES * 2) + +static char * +virIdentityConstructSystemTokenPath(void) +{ + g_autofree char *commondir =3D NULL; + if (geteuid() =3D=3D 0) { + commondir =3D g_strdup(RUNSTATEDIR "/libvirt/common"); + } else { + g_autofree char *rundir =3D virGetUserRuntimeDirectory(); + commondir =3D g_strdup_printf("%s/common", rundir); + } + + if (g_mkdir_with_parents(commondir, 0700) < 0) { + virReportSystemError(errno, + _("Cannot create daemon common directory '%s'= "), + commondir); + return NULL; + } + + return g_strdup_printf("%s/system.token", commondir); +} + + +static char * +virIdentityEnsureSystemToken(void) +{ + g_autofree char *tokenfile =3D virIdentityConstructSystemTokenPath(); + g_autofree char *token =3D NULL; + int fd =3D -1; + struct stat st; + + fd =3D open(tokenfile, O_RDWR|O_APPEND|O_CREAT, 0600); + if (fd < 0) { + virReportSystemError(errno, + _("Unable to open system token %s"), + tokenfile); + goto error; + } + + if (virSetCloseExec(fd) < 0) { + virReportSystemError(errno, + _("Failed to set close-on-exec flag '%s'"), + tokenfile); + goto error; + } + + if (virFileLock(fd, false, 0, 1, true) < 0) { + virReportSystemError(errno, + _("Failed to lock system token '%s'"), + tokenfile); + goto error; + } + + if (fstat(fd, &st) < 0) { + virReportSystemError(errno, + _("Failed to check system token '%s'"), + tokenfile); + goto error; + } + + /* Ok, we're the first one here, so we must populate it */ + if (st.st_size =3D=3D 0) { + if (!(token =3D virRandomToken(TOKEN_BYTES))) { + goto error; + } + if (safewrite(fd, token, TOKEN_STRLEN) !=3D TOKEN_STRLEN) { + virReportSystemError(errno, + _("Failed to write system token '%s'"), + tokenfile); + goto error; + } + } else { + if (virFileReadLimFD(fd, TOKEN_STRLEN, &token) < 0) { + virReportSystemError(errno, + _("Failed to write system token '%s'"), + tokenfile); + goto error; + } + if (strlen(token) !=3D TOKEN_STRLEN) { + virReportSystemError(errno, + _("System token in %s was corrupt"), + tokenfile); + goto error; + } + } + + VIR_FORCE_CLOSE(fd); + return g_steal_pointer(&token); + + error: + VIR_FORCE_CLOSE(fd); + return NULL; +} + + /** * virIdentityGetSystem: * --=20 2.31.1