1. Patchew
  2. Libvirt
  3. [libvirt PATCH v2 00/10] make internal only secrets work with split daemons
  4. View patch

[libvirt PATCH v2 02/10] util: introduce concept of a system token into identities

Daniel P. Berrangé posted 10 patches 4 years, 9 months ago
There is a newer version of this series
[libvirt PATCH v2 02/10] util: introduce concept of a system token into identities
Posted by Daniel P. Berrangé 4 years, 9 months ago 
We want a way to distinguish between calls from a libvirt daemon, and a
regular client application when both are running as the same user
account. This is not possible with the current set of attributes
recorded against an identity, as there is nothing that is common to all
of the modular libvirt daemons, while distinct to all other processes.

We thus introduce the idea of a system token, which is simply a random
hex string that is only known by the libvirt daemons, to be recored
against the system identity.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/libvirt_private.syms |  2 ++
 src/util/viridentity.c   | 34 ++++++++++++++++++++++++++++++++++
 src/util/viridentity.h   |  4 ++++
 3 files changed, 40 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 23621fcfd0..aaae1c8002 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2404,6 +2404,7 @@ virIdentityGetProcessTime;
 virIdentityGetSASLUserName;
 virIdentityGetSELinuxContext;
 virIdentityGetSystem;
+virIdentityGetSystemToken;
 virIdentityGetUNIXGroupID;
 virIdentityGetUNIXUserID;
 virIdentityGetUserName;
@@ -2416,6 +2417,7 @@ virIdentitySetProcessID;
 virIdentitySetProcessTime;
 virIdentitySetSASLUserName;
 virIdentitySetSELinuxContext;
+virIdentitySetSystemToken;
 virIdentitySetUNIXGroupID;
 virIdentitySetUNIXUserID;
 virIdentitySetUserName;
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
index 7edb6a171a..7da4ea12f5 100644
--- a/src/util/viridentity.c
+++ b/src/util/viridentity.c
@@ -40,6 +40,8 @@
 
 #define VIR_FROM_THIS VIR_FROM_IDENTITY
 
+#define VIR_CONNECT_IDENTITY_SYSTEM_TOKEN "system.token"
+
 VIR_LOG_INIT("util.identity");
 
 struct _virIdentity {
@@ -382,6 +384,17 @@ int virIdentityGetSELinuxContext(virIdentity *ident,
 }
 
 
+int virIdentityGetSystemToken(virIdentity *ident,
+                              const char **token)
+{
+    *token = NULL;
+    return virTypedParamsGetString(ident->params,
+                                   ident->nparams,
+                                   VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
+                                   token);
+}
+
+
 int virIdentitySetUserName(virIdentity *ident,
                            const char *username)
 {
@@ -554,6 +567,25 @@ int virIdentitySetSELinuxContext(virIdentity *ident,
 }
 
 
+int virIdentitySetSystemToken(virIdentity *ident,
+                              const char *token)
+{
+    if (virTypedParamsGet(ident->params,
+                          ident->nparams,
+                          VIR_CONNECT_IDENTITY_SYSTEM_TOKEN)) {
+        virReportError(VIR_ERR_OPERATION_DENIED, "%s",
+                       _("Identity attribute is already set"));
+        return -1;
+    }
+
+    return virTypedParamsAddString(&ident->params,
+                                   &ident->nparams,
+                                   &ident->maxparams,
+                                   VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
+                                   token);
+}
+
+
 int virIdentitySetParameters(virIdentity *ident,
                              virTypedParameterPtr params,
                              int nparams)
@@ -577,6 +609,8 @@ int virIdentitySetParameters(virIdentity *ident,
                                VIR_TYPED_PARAM_STRING,
                                VIR_CONNECT_IDENTITY_SELINUX_CONTEXT,
                                VIR_TYPED_PARAM_STRING,
+                               VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
+                               VIR_TYPED_PARAM_STRING,
                                NULL) < 0)
         return -1;
 
diff --git a/src/util/viridentity.h b/src/util/viridentity.h
index fa3f46788c..640a7ba2e4 100644
--- a/src/util/viridentity.h
+++ b/src/util/viridentity.h
@@ -52,6 +52,8 @@ int virIdentityGetX509DName(virIdentity *ident,
                             const char **dname);
 int virIdentityGetSELinuxContext(virIdentity *ident,
                                  const char **context);
+int virIdentityGetSystemToken(virIdentity *ident,
+                              const char **token);
 
 
 int virIdentitySetUserName(virIdentity *ident,
@@ -72,6 +74,8 @@ int virIdentitySetX509DName(virIdentity *ident,
                             const char *dname);
 int virIdentitySetSELinuxContext(virIdentity *ident,
                                  const char *context);
+int virIdentitySetSystemToken(virIdentity *ident,
+                              const char *token);
 
 int virIdentitySetParameters(virIdentity *ident,
                              virTypedParameterPtr params,
-- 
2.31.1
Re: [libvirt PATCH v2 02/10] util: introduce concept of a system token into identities
Posted by Eric Blake 4 years, 9 months ago 
On 5/7/21 11:24 AM, Daniel P. Berrangé wrote:
> We want a way to distinguish between calls from a libvirt daemon, and a
> regular client application when both are running as the same user
> account. This is not possible with the current set of attributes
> recorded against an identity, as there is nothing that is common to all
> of the modular libvirt daemons, while distinct to all other processes.
> 
> We thus introduce the idea of a system token, which is simply a random
> hex string that is only known by the libvirt daemons, to be recored

recorded

> against the system identity.
> 
> Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

Patchew 2.1-devel-b67e4c2

© 2016 - 2026 Red Hat, Inc.