From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Michal Privoznik
Subject: [libvirt PATCH v2 01/10] util: add virRandomToken API
Date: Fri, 7 May 2021 17:24:39 +0100
Message-Id: <20210507162448.660074-2-berrange@redhat.com>
In-Reply-To: <20210507162448.660074-1-berrange@redhat.com>

A random token is simply a string of random bytes formatted in hexadecimal.

Reviewed-by: Michal Privoznik
Signed-off-by: Daniel P. Berrangé
--- src/libvirt_private.syms | 1 + src/util/virrandom.c | 18 ++++++++++++++++++ src/util/virrandom.h | 1 + 3 files changed, 20 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 1b12c49018..23621fcfd0 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -3081,6 +3081,7 @@ virRandomBits; virRandomBytes; virRandomGenerateWWN; virRandomInt; +virRandomToken; =20 =20 # util/virresctrl.h diff --git a/src/util/virrandom.c b/src/util/virrandom.c index 3ae1297e6b..c3f3aa1fa6 100644 --- a/src/util/virrandom.c +++ b/src/util/virrandom.c 
@@ -161,3 +161,21 @@ virRandomGenerateWWN(char **wwn, (unsigned long long)virRandomBits(36)); return 0; } + +char *virRandomToken(size_t len) +{ + g_autofree unsigned char *data =3D g_new0(unsigned char, len); + g_autofree char *token =3D g_new0(char, (len * 2) + 1); + static const char hex[] =3D "0123456789abcdef"; + size_t i; + + if (virRandomBytes(data, len) < 0) + return NULL; + + for (i =3D 0; i < len; i++) { + token[(i*2)] =3D hex[data[i] & 0xf]; + token[(i*2)+1] =3D hex[(data[i] >> 4) & 0xf]; + } + + return g_steal_pointer(&token); +} diff --git a/src/util/virrandom.h b/src/util/virrandom.h index 297721f912..aac684ada9 100644 --- a/src/util/virrandom.h +++ b/src/util/virrandom.h 
@@ -26,3 +26,4 @@ uint32_t virRandomInt(uint32_t max); int virRandomBytes(unsigned char *buf, size_t buflen) ATTRIBUTE_NONNULL(1) G_GNUC_WARN_UNUSED_RESULT G_GNUC_NO_INLINE; int virRandomGenerateWWN(char **wwn, const char *virt_type) G_GNUC_NO_INLI= NE; +char *virRandomToken(size_t len); --=20 2.31.1
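
Review bot: in the virrandom.c hunk the loop in virRandomToken() writes the low nibble first ("hex[data[i] & 0xf]" goes to token[i*2], the high nibble to token[i*2+1]), so a byte 0xab comes out as "ba" rather than in conventional hex order. This does not reduce the randomness of the token, but the commit message describes the output as bytes formatted in hexadecimal, so either swap the two assignments or add a comment that the string is opaque and not meant to be decoded. The function also lands without a doc comment: it should state that len is the number of random bytes, that the returned string is len * 2 characters plus the terminator and is owned by the caller, and that NULL means virRandomBytes() failed. "(len * 2) + 1" is computed without an overflow check, which is worth a remark even if every caller passes a small constant.
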
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Michal Privoznik
Subject: [libvirt PATCH v2 02/10] util: introduce concept of a system token into identities
Date: Fri, 7 May 2021 17:24:40 +0100
Message-Id: <20210507162448.660074-3-berrange@redhat.com>
In-Reply-To: <20210507162448.660074-1-berrange@redhat.com>

We want a way to distinguish between calls from a libvirt daemon, and a regular client application when both are running as the same user account.

This is not possible with the current set of attributes recorded against an identity, as there is nothing that is common to all of the modular libvirt daemons, while distinct to all other processes.

We thus introduce the idea of a system token, which is simply a random hex string that is only known by the libvirt daemons, to be recorded against the system identity.

Reviewed-by: Michal Privoznik
Signed-off-by: Daniel P. Berrangé
--- src/libvirt_private.syms | 2 ++ src/util/viridentity.c | 34 ++++++++++++++++++++++++++++++++++ src/util/viridentity.h | 4 ++++ 3 files changed, 40 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 23621fcfd0..aaae1c8002 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2404,6 +2404,7 @@ virIdentityGetProcessTime; virIdentityGetSASLUserName; virIdentityGetSELinuxContext; virIdentityGetSystem; +virIdentityGetSystemToken; virIdentityGetUNIXGroupID; virIdentityGetUNIXUserID; virIdentityGetUserName; @@ -2416,6 +2417,7 @@ virIdentitySetProcessID; virIdentitySetProcessTime; virIdentitySetSASLUserName; virIdentitySetSELinuxContext; +virIdentitySetSystemToken; virIdentitySetUNIXGroupID; virIdentitySetUNIXUserID; virIdentitySetUserName; diff --git a/src/util/viridentity.c b/src/util/viridentity.c index 7edb6a171a..7da4ea12f5 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c @@ -40,6 +40,8 @@ =20 #define VIR_FROM_THIS VIR_FROM_IDENTITY =20 +#define VIR_CONNECT_IDENTITY_SYSTEM_TOKEN "system.token" + VIR_LOG_INIT("util.identity"); =20 struct _virIdentity { @@ -382,6 +384,17 @@ int virIdentityGetSELinuxContext(virIdentity *ident, } =20 =20 +int virIdentityGetSystemToken(virIdentity *ident, + const char **token) +{ + *token =3D NULL; + return virTypedParamsGetString(ident->params, + ident->nparams, + VIR_CONNECT_IDENTITY_SYSTEM_TOKEN, + token); +} + + int virIdentitySetUserName(virIdentity *ident, const char *username) { 
@@ -554,6 +567,25 @@ int virIdentitySetSELinuxContext(virIdentity *ident, } =20 =20 +int virIdentitySetSystemToken(virIdentity *ident, + const char *token) +{ + if (virTypedParamsGet(ident->params, + ident->nparams, + VIR_CONNECT_IDENTITY_SYSTEM_TOKEN)) { + virReportError(VIR_ERR_OPERATION_DENIED, "%s", + _("Identity attribute is already set")); + return -1; + } + + return virTypedParamsAddString(&ident->params, + &ident->nparams, + &ident->maxparams, + VIR_CONNECT_IDENTITY_SYSTEM_TOKEN, + token); +} + + int virIdentitySetParameters(virIdentity *ident, virTypedParameterPtr params, int nparams) @@ -577,6 +609,8 @@ int virIdentitySetParameters(virIdentity *ident, VIR_TYPED_PARAM_STRING, VIR_CONNECT_IDENTITY_SELINUX_CONTEXT, VIR_TYPED_PARAM_STRING, + VIR_CONNECT_IDENTITY_SYSTEM_TOKEN, + VIR_TYPED_PARAM_STRING, NULL) < 0) return -1; =20 diff --git a/src/util/viridentity.h b/src/util/viridentity.h index fa3f46788c..640a7ba2e4 100644 --- a/src/util/viridentity.h +++ b/src/util/viridentity.h @@ -52,6 +52,8 @@ int virIdentityGetX509DName(virIdentity *ident, const char **dname); int virIdentityGetSELinuxContext(virIdentity *ident, const char **context); +int virIdentityGetSystemToken(virIdentity *ident, + const char **token); =20 =20 int virIdentitySetUserName(virIdentity *ident, 
@@ -72,6 +74,8 @@ int virIdentitySetX509DName(virIdentity *ident, const char *dname); int virIdentitySetSELinuxContext(virIdentity *ident, const char *context); +int virIdentitySetSystemToken(virIdentity *ident, + const char *token); =20 int virIdentitySetParameters(virIdentity *ident, virTypedParameterPtr params, --=20 2.31.1
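
Review bot: the viridentity.c hunk that extends virIdentitySetParameters() adds system.token to the list of accepted keys, so the token can arrive through the bulk parameter path as well as through virIdentitySetSystemToken(), and only the latter carries the "Identity attribute is already set" guard. A comment naming which callers are expected to supply the token through virIdentitySetParameters() would make the trust boundary explicit. Neither new accessor has a doc comment: virIdentityGetSystemToken() sets *token to NULL and passes through the virTypedParamsGetString() return value, so what a caller sees when no token is recorded should be written down, given that the token exists to tell daemons apart from ordinary clients. VIR_CONNECT_IDENTITY_SYSTEM_TOKEN is defined in viridentity.c rather than in a header; if keeping it private is deliberate, say so next to the #define, and note there that the value is a secret that should not be logged.
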
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Michal Privoznik
Subject: [libvirt PATCH v2 03/10] util: generate a persistent system token
Date: Fri, 7 May 2021 17:24:41 +0100
Message-Id: <20210507162448.660074-4-berrange@redhat.com>
In-Reply-To: <20210507162448.660074-1-berrange@redhat.com>

When creating the system identity set the system token. The system token is currently stored in a local path

  /var/run/libvirt/common/system.token

Obviously with only traditional UNIX DAC in effect, this is largely security through obscurity, if the client is running at the same privilege level as the daemon. It does, however, reliably distinguish an unprivileged client from the system daemons.

With a MAC system like SELinux though, or possible use of containers, access can be further restricted.

A possible future improvement for Linux would be to populate the kernel keyring with a secret for libvirt daemons to share.

Reviewed-by: Michal Privoznik
Signed-off-by: Daniel P. Berrangé
--- src/util/viridentity.c | 102 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 102 insertions(+) 
diff --git a/src/util/viridentity.c b/src/util/viridentity.c index 7da4ea12f5..8c939a507e 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c @@ -22,6 +22,7 @@ #include =20 #include +#include #if WITH_SELINUX # include #endif @@ -32,11 +33,14 @@ #include "viridentity.h" #include "virlog.h" #include "virobject.h" +#include "virrandom.h" #include "virthread.h" #include "virutil.h" #include "virstring.h" #include "virprocess.h" #include "virtypedparam.h" +#include "virfile.h" +#include "configmake.h" =20 #define VIR_FROM_THIS VIR_FROM_IDENTITY =20 @@ -54,7 +58,10 @@ struct _virIdentity { =20 G_DEFINE_TYPE(virIdentity, vir_identity, G_TYPE_OBJECT) =20 +static char *virIdentityEnsureSystemToken(void); + static virThreadLocal virIdentityCurrent; +static char *systemToken; =20 static void virIdentityFinalize(GObject *obj); =20 @@ -73,6 +80,9 @@ static int virIdentityOnceInit(void) return -1; } =20 + if (!(systemToken =3D virIdentityEnsureSystemToken())) + return -1; + return 0; } =20 
@@ -144,6 +154,98 @@ int virIdentitySetCurrent(virIdentity *ident) } =20 =20 +#define TOKEN_BYTES 16 +#define TOKEN_STRLEN (TOKEN_BYTES * 2) + +static char * +virIdentityConstructSystemTokenPath(void) +{ + g_autofree char *commondir =3D NULL; + if (geteuid() =3D=3D 0) { + commondir =3D g_strdup(RUNSTATEDIR "/libvirt/common"); + } else { + g_autofree char *rundir =3D virGetUserRuntimeDirectory(); + commondir =3D g_strdup_printf("%s/common", rundir); + } + + if (g_mkdir_with_parents(commondir, 0700) < 0) { + virReportSystemError(errno, + _("Cannot create daemon common directory '%s'= "), + commondir); + return NULL; + } + + return g_strdup_printf("%s/system.token", commondir); +} + + +static char * +virIdentityEnsureSystemToken(void) +{ + g_autofree char *tokenfile =3D virIdentityConstructSystemTokenPath(); + g_autofree char *token =3D NULL; + VIR_AUTOCLOSE fd =3D -1; + struct stat st; + + fd =3D open(tokenfile, O_RDWR|O_APPEND|O_CREAT, 0600); + if (fd < 0) { + virReportSystemError(errno, + _("Unable to open system token %s"), + tokenfile); + return NULL; + } + + if (virSetCloseExec(fd) < 0) { + virReportSystemError(errno, + _("Failed to set close-on-exec flag '%s'"), + tokenfile); + return NULL; + } + + if (virFileLock(fd, false, 0, 1, true) < 0) { + virReportSystemError(errno, + _("Failed to lock system token '%s'"), + tokenfile); + return NULL; + } + + if (fstat(fd, &st) < 0) { + virReportSystemError(errno, + _("Failed to check system token '%s'"), + tokenfile); + return NULL; + } + + /* Ok, we're the first one here, so we must populate it */ + if (st.st_size =3D=3D 0) { + if (!(token =3D virRandomToken(TOKEN_BYTES))) { + return NULL; + } + if (safewrite(fd, token, TOKEN_STRLEN) !=3D TOKEN_STRLEN) { + virReportSystemError(errno, + _("Failed to write system token '%s'"), + tokenfile); + return NULL; + } + } else { + if (virFileReadLimFD(fd, TOKEN_STRLEN, &token) < 0) { + virReportSystemError(errno, + _("Failed to write system token '%s'"), + tokenfile); + return 
NULL; + } + if (strlen(token) !=3D TOKEN_STRLEN) { + virReportSystemError(errno, + _("System token in %s was corrupt"), + tokenfile); + return NULL; + } + } + + return g_steal_pointer(&token); +} + + /** * virIdentityGetSystem: * --=20 2.31.1
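
Review bot: virIdentityEnsureSystemToken() passes tokenfile straight to open() without checking it, but virIdentityConstructSystemTokenPath() returns NULL when g_mkdir_with_parents() fails, so that failure path ends in open(NULL, ...) and a second, misleading error on top of the one already reported. Add "if (!tokenfile) return NULL;" before the open(). In the same function the virFileReadLimFD() failure branch reports "Failed to write system token" where it should say read, and the strlen() mismatch branch calls virReportSystemError(errno, ...) although no system call failed at that point, so errno is stale; virReportError() with an internal error code fits better there.
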
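
Review bot: in virIdentityConstructSystemTokenPath() the 0700 given to g_mkdir_with_parents() only applies to directories that call creates, and the 0600 in open(tokenfile, O_RDWR|O_APPEND|O_CREAT, 0600) only applies when the file is created, so a pre-existing common directory or system.token with wider permissions or a different owner is accepted as it is. The commit message says the token's secrecy under plain DAC rests on who can read this file, so consider checking st_uid and st_mode on the fd, which is already passed to fstat() for st_size, and adding O_NOFOLLOW to the open(). The read path validates only the length of the token; checking that it is TOKEN_STRLEN hex characters would catch a damaged file before the value is used as an identity attribute.
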
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Michal Privoznik
Subject: [libvirt PATCH v2 04/10] util: set system token for system identity
Date: Fri, 7 May 2021 17:24:42 +0100
Message-Id: <20210507162448.660074-5-berrange@redhat.com>
In-Reply-To: <20210507162448.660074-1-berrange@redhat.com>

Reviewed-by: Michal Privoznik
Signed-off-by: Daniel P. Berrangé
--- src/util/viridentity.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/util/viridentity.c b/src/util/viridentity.c index 8c939a507e..dabe416037 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c @@ -263,6 +263,7 @@ virIdentity *virIdentityGetSystem(void) #if WITH_SELINUX char *con; #endif + g_autofree char *token =3D NULL; =20 if (!(ret =3D virIdentityNew())) return NULL; 
@@ -305,6 +306,12 @@ virIdentity *virIdentityGetSystem(void) } #endif =20 + if (!(token =3D virIdentityEnsureSystemToken())) + return NULL; + + if (virIdentitySetSystemToken(ret, token) < 0) + return NULL; + return g_steal_pointer(&ret); } =20 --=20 2.31.1
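
Review bot: virIdentityGetSystem() calls virIdentityEnsureSystemToken() on every invocation, which opens, locks and reads the token file each time, even though patch 03 already caches the value in the static systemToken during virIdentityOnceInit(). Pass the cached systemToken to virIdentitySetSystemToken() and drop the local g_autofree token, or remove the static if re-reading is intended; as written, a later read failure or a replaced file makes virIdentityGetSystem() fail or hand out a different token from the one loaded at init. The commit message is empty apart from the trailers; one sentence on why the token is attached at this point would help.
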
gqbhmQy0f71aWchJvgFveJ81J0fP9Z1LevAAowm4XfxM1wF1UHENmRoiDH106qwndaJBA4 3Gp/1NRpCXPcVj0AiAjmrTfJBS0t+F0= X-MC-Unique: Gt4KCZb-N2-eRWKf-ZM05Q-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Subject: [libvirt PATCH v2 05/10] util: add API for copying identity objects Date: Fri, 7 May 2021 17:24:43 +0100 Message-Id: <20210507162448.660074-6-berrange@redhat.com> In-Reply-To: <20210507162448.660074-1-berrange@redhat.com> References: <20210507162448.660074-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-loop: libvir-list@redhat.com Cc: Michal Privoznik X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) Reviewed-by: Michal Privoznik Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 1 + src/util/viridentity.c | 21 +++++++++++++++++++++ src/util/viridentity.h | 1 + 3 files changed, 23 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index aaae1c8002..de5123aaa9 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2410,6 +2410,7 @@ virIdentityGetUNIXUserID; virIdentityGetUserName; virIdentityGetX509DName; virIdentityNew; +virIdentityNewCopy; virIdentitySetCurrent; virIdentitySetGroupName; virIdentitySetParameters; diff --git a/src/util/viridentity.c b/src/util/viridentity.c index dabe416037..9ffaf57da9 100644 --- a/src/util/viridentity.c 
+++ b/src/util/viridentity.c @@ -330,6 +330,27 @@ virIdentity *virIdentityNew(void) } =20 =20 +/** + * virIdentityNewCopy: + * + * Creates a new identity object that is a deep copy of an + * existing identity. + * + * Returns: a copy of the source identity + */ +virIdentity *virIdentityNewCopy(virIdentity *src) +{ + g_autoptr(virIdentity) ident =3D virIdentityNew(); + + if (virTypedParamsCopy(&ident->params, src->params, src->nparams) < 0) + return NULL; + ident->nparams =3D src->nparams; + ident->maxparams =3D src->nparams; + + return g_steal_pointer(&ident); +} + + static void virIdentityFinalize(GObject *object) { virIdentity *ident =3D VIR_IDENTITY(object); diff --git a/src/util/viridentity.h b/src/util/viridentity.h index 640a7ba2e4..512bca286d 100644 --- a/src/util/viridentity.h +++ b/src/util/viridentity.h 
@@ -33,6 +33,7 @@ int virIdentitySetCurrent(virIdentity *ident); virIdentity *virIdentityGetSystem(void); =20 virIdentity *virIdentityNew(void); +virIdentity *virIdentityNewCopy(virIdentity *src); =20 int virIdentityGetUserName(virIdentity *ident, const char **username); --=20 2.31.1 From nobody Sat May 18 12:05:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1620404772; cv=none; d=zohomail.com; s=zohoarc; b=FYgkV26DFdCkQdvWa87xtow3nFta67lLd9k3lXjecyO5q+WzmMpuNjxkjmbdLL0TwbXd7JlyTfnoqd7SlrsXWvhj6yK0b9uay/kYDth0BGo1huk2LwMNTUTLN2ih8TIuSMp7pv40gjWqpHgIdhFXtO8YS9uAeOVaS8FDVu6VYXc= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620404772; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=BN5FtQl/I+5mwYzkE2m8wAitI7G7u/fAqOVUS2funwQ=; b=ThZfb4FTKRomLlVNlg6c41BngjiOUK6mGUEUZBrZ9llG/eMlaal2sc/SsfT5ZnXsHkoViVKjDVGqnKHTH/Vn/d2PUkyz7wM5atvzPKXAD+BC/HIulWnwsTQPmpQrc3ultKIAmDn+Y6CXi4CjY0EPmIaFWQZCkMp7koutLMgN/YE= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mx.zohomail.com with SMTPS id 
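Review bot: In virIdentityNewCopy() in src/util/viridentity.c, the doc comment says only "Returns: a copy of the source identity", yet the function returns NULL when virTypedParamsCopy() fails; the comment should state the NULL-on-error case so callers know to check. src is dereferenced (src->params, src->nparams) with no NULL check, so either document that src must be non-NULL or reject NULL up front. Because this is a deep copy of every parameter, it would also help to note in the comment that, if the system token is stored among those parameters, a copy of an elevated identity is itself elevated.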
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [libvirt PATCH v2 06/10] util: helper to temporary elevate privileges of the current identity
Date: Fri, 7 May 2021 17:24:44 +0100
Message-Id: <20210507162448.660074-7-berrange@redhat.com>
In-Reply-To: <20210507162448.660074-1-berrange@redhat.com>
References: <20210507162448.660074-1-berrange@redhat.com>

When talking to the secret driver, the callers inside libvirt daemons
need to be able to run with elevated privileges that prove the API
calls are made by a libvirt daemon, not an end user application.

The virIdentityElevateCurrent method will take the current identity
and, if not already present, add the system token. The old current
identity is returned to the caller. With the VIR_IDENTITY_AUTORESTORE
annotation, the old current identity will be restored upon leaving the
code block scope.

    ... early work with regular privileges ...

    if (something needing elevated privs) {
        VIR_IDENTITY_AUTORESTORE virIdentity *oldident = virIdentityElevateCurrent();
        if (!oldident)
            return -1;

        ... do something with elevated privileges ...
    }

    ... later work with regular privileges ...

Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 2 ++ src/util/viridentity.c | 47 ++++++++++++++++++++++++++++++++++++++++ src/util/viridentity.h | 5 +++++ 3 files changed, 54 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index de5123aaa9..7db04d3d3b 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2396,6 +2396,7 @@ virHostGetBootTime; =20 =20 # util/viridentity.h +virIdentityElevateCurrent; virIdentityGetCurrent; virIdentityGetGroupName; virIdentityGetParameters; @@ -2411,6 +2412,7 @@ virIdentityGetUserName; virIdentityGetX509DName; virIdentityNew; virIdentityNewCopy; +virIdentityRestoreHelper; virIdentitySetCurrent; virIdentitySetGroupName; virIdentitySetParameters; diff --git a/src/util/viridentity.c b/src/util/viridentity.c index 9ffaf57da9..a9f54232b9 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c 
@@ -154,6 +154,53 @@ int virIdentitySetCurrent(virIdentity *ident) } =20 =20 +/** + * virIdentityElevateCurrent: + * + * Set the new identity to be associated with this thread, + * to an elevated copy of the current identity. The old + * current identity is returned and should be released by + * the caller when no longer required. + * + * Returns the previous identity, or NULL on error + */ +virIdentity *virIdentityElevateCurrent(void) +{ + g_autoptr(virIdentity) ident =3D virIdentityGetCurrent(); + const char *token; + int rc; + + if (!ident) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("No current identity to elevate")); + return NULL; + } + + if ((rc =3D virIdentityGetSystemToken(ident, &token)) < 0) + return NULL; + + if (rc =3D=3D 0) { + g_autoptr(virIdentity) identel =3D virIdentityNewCopy(ident); + + if (virIdentitySetSystemToken(identel, systemToken) < 0) + return NULL; + + if (virIdentitySetCurrent(identel) < 0) + return NULL; + } + + return g_steal_pointer(&ident); +} + + +void virIdentityRestoreHelper(virIdentity **identptr) +{ + virIdentity *ident =3D *identptr; + + if (ident !=3D NULL) + virIdentitySetCurrent(ident); +} + #define TOKEN_BYTES 16 #define TOKEN_STRLEN (TOKEN_BYTES * 2) =20 diff --git a/src/util/viridentity.h b/src/util/viridentity.h index 512bca286d..848e5b2056 100644 --- a/src/util/viridentity.h +++ b/src/util/viridentity.h 
@@ -27,8 +27,13 @@ #define VIR_TYPE_IDENTITY vir_identity_get_type() G_DECLARE_FINAL_TYPE(virIdentity, vir_identity, VIR, IDENTITY, GObject); =20 +#define VIR_IDENTITY_AUTORESTORE __attribute__((cleanup(virIdentityRestore= Helper))) + virIdentity *virIdentityGetCurrent(void); int virIdentitySetCurrent(virIdentity *ident); +virIdentity *virIdentityElevateCurrent(void); + +void virIdentityRestoreHelper(virIdentity **identptr); =20 virIdentity *virIdentityGetSystem(void); =20 --=20 2.31.1 From nobody Sat May 18 12:05:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) client-ip=170.10.133.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1620404768; cv=none; d=zohomail.com; s=zohoarc; b=istrLi886ts6CbKwwmV6sCZ7r2wESs3XLSQgK4fjuQ8ouT+7H9NVZixiBdvdIyAIMAAx2a0fi7MOmmYzEDv8l1zxBQghWohsiRNaclVqBaNmeqyaxfZOySc48vnebRDkdyon87KpSyyEmhD+WdQO4FUhzlyABhus9EB67oIfBE4= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620404768; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=3tzG1OCDAkChl34jhe2aGe7twoHXnLQtN2VWLzJtfs0=; b=EQn1PXRBQLrNy6ae2KdnChQ4M3PLYMYEnpZU8PhWYXM+XiQV2b+sUvUMMdm8Q0Nm6KcFdJcZGUHVsqEcNOAVLePSsJvPo50czGg2D/nf8MTBlEJR4kuUCcvmTUbsgGsuxuJhnNLTRb5MLdbrAbEn2pbPtKo1WfHKL7oX+NEVtrA= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 170.10.133.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; 
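Review bot: virIdentityRestoreHelper() in the src/util/viridentity.c hunk calls virIdentitySetCurrent(ident) but never drops the reference that virIdentityElevateCurrent() hands back through g_steal_pointer(&ident), although the doc comment says the old identity "should be released by the caller". With VIR_IDENTITY_AUTORESTORE the helper is the only code that runs on that pointer at scope exit, so each elevation appears to leak one virIdentity; suggest unreferencing it in the helper after the restore. The helper also ignores the return value of virIdentitySetCurrent(), so a failed restore leaves the thread running with the elevated identity. In virIdentityElevateCurrent() itself, systemToken is passed to virIdentitySetSystemToken() without the virIdentityEnsureSystemToken() call that patch 04 adds to virIdentityGetSystem(), and the rc > 0 path treats any token already on the identity as elevated without comparing it to systemToken; the local token is fetched only to be discarded.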
in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=3tzG1OCDAkChl34jhe2aGe7twoHXnLQtN2VWLzJtfs0=; b=f/Z89/Retf3RCiBnICw2BlP5Vk1g0sd0GhRuLoL0cr7VN2tGvi5/JJFbSUyh+K57IVbdqD aT4cviXfh8WgRWw929KfHq9qIJuojY4xty+EXgdrD6pfTiSCDeYI8/qZ/v3XJjpUG1qVUH GGug/x9GFrfHJw1JFxPscTdc4mwwt7E= X-MC-Unique: fs8nJTqwPCW5fHk12ZtYRg-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Subject: [libvirt PATCH v2 07/10] src: add API to determine if current identity is a system identity Date: Fri, 7 May 2021 17:24:45 +0100 Message-Id: <20210507162448.660074-8-berrange@redhat.com> In-Reply-To: <20210507162448.660074-1-berrange@redhat.com> References: <20210507162448.660074-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-loop: libvir-list@redhat.com Cc: Michal Privoznik X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) This is essentially a way to determine if the current identity is that of another libvirt daemon. Reviewed-by: Michal Privoznik Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 1 + src/util/viridentity.c | 28 ++++++++++++++++++++++++++++ src/util/viridentity.h | 1 + 3 files changed, 30 insertions(+) diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 7db04d3d3b..aecb803369 100644 --- a/src/libvirt_private.syms 
+++ b/src/libvirt_private.syms @@ -2410,6 +2410,7 @@ virIdentityGetUNIXGroupID; virIdentityGetUNIXUserID; virIdentityGetUserName; virIdentityGetX509DName; +virIdentityIsCurrentElevated; virIdentityNew; virIdentityNewCopy; virIdentityRestoreHelper; diff --git a/src/util/viridentity.c b/src/util/viridentity.c index a9f54232b9..d98a7d77d1 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c @@ -363,6 +363,34 @@ virIdentity *virIdentityGetSystem(void) } =20 =20 +/** + * virIdentityIsCurrentElevated: + * + * Determine if the current identity has elevated privileges. + * This indicates that it was invoked on behalf of the + * user by a libvirt daemon. + * + * Returns: true if elevated + */ +int virIdentityIsCurrentElevated(void) +{ + g_autoptr(virIdentity) current =3D virIdentityGetCurrent(); + const char *currentToken =3D NULL; + int rv; + + if (!current) { + virReportError(VIR_ERR_INTERNAL_ERROR, "%s", + _("No current identity")); + return -1; + } + + rv =3D virIdentityGetSystemToken(current, ¤tToken); + if (rv <=3D 0) + return rv; + + return STREQ_NULLABLE(currentToken, systemToken); +} + /** * virIdentityNew: * diff --git a/src/util/viridentity.h b/src/util/viridentity.h index 848e5b2056..6da6d0c557 100644 --- a/src/util/viridentity.h +++ b/src/util/viridentity.h 
@@ -35,6 +35,7 @@ virIdentity *virIdentityElevateCurrent(void); =20 void virIdentityRestoreHelper(virIdentity **identptr); =20 +int virIdentityIsCurrentElevated(void); virIdentity *virIdentityGetSystem(void); =20 virIdentity *virIdentityNew(void); --=20 2.31.1 From nobody Sat May 18 12:05:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1620404720; cv=none; d=zohomail.com; s=zohoarc; b=TFXngfBFTO8pCb78ywCLAiVhvRkm9iDYOdo0F3cDlxc1dEJLMdGgAFAOF5Zik/KrS2l5x86bZROF2+EZ8oTlUDTzw4USpbWrYLjMox869iT6UqdmEDqoPnwDQJ5UzC7lPLdze0eRJi4247NEZcQdHKbL6B1qWEyFSJxe/8AjmcU= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620404720; h=Content-Type:Content-Transfer-Encoding:Cc:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=alj+4zcf3dbREy5J+cFawK6Z9p8hdQJhz/G4h8bAD1k=; b=FZFvCc2dGXkOCDMt4fAVkl7hLysgQH8Fp4jdmGxB2m8SyK0OXPOAGqd8GyWuk9ZDqzc4pSWbbAhFDiaBqQU9jpEirQsHzNyOBFc1TpG9+r6cn044VkGlnciQ+1AaxVMwZ43H8WTflvsKKaJaj9rLBdgk6x7LqQxg8q3zEElKhu4= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com with SMTPS id 1620404720236235.2832799397927; Fri, 
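Review bot: virIdentityIsCurrentElevated() is documented as "Returns: true if elevated", but it returns int and yields -1 when there is no current identity or when virIdentityGetSystemToken() fails, so a caller that writes if (virIdentityIsCurrentElevated()) treats the error case as elevated and fails open. Please document the three results (-1 on error, 0 when not elevated, 1 when elevated) and have callers test for > 0 or handle < 0 explicitly. STREQ_NULLABLE is an ordinary string comparison; since the token under test travels with the caller's identity, a constant-time comparison would be the more defensive choice for this check.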
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Michal Privoznik
Subject: [libvirt PATCH v2 08/10] src: set identity when opening secondary drivers
Date: Fri, 7 May 2021 17:24:46 +0100
Message-Id: <20210507162448.660074-9-berrange@redhat.com>
In-Reply-To: <20210507162448.660074-1-berrange@redhat.com>
References: <20210507162448.660074-1-berrange@redhat.com>

The drivers can all call virGetConnectXXX to open a connection to a
secondary driver. For example, when creating an encrypted storage
volume, the storage driver has to open a secret driver connection, or
when starting a guest, the QEMU driver has to open the network driver
to look up a virtual network.

When using monolithic libvirtd, the connection has the same effective
identity as the client, since everything is still in the same process.
When using the modular daemons, however, the remote daemon sees the
identity of the calling daemon. This is a mistake as it results in the
modular daemons seeing the client with elevated privileges.

We need to pass on the current identity explicitly when opening the
secondary drivers.
This is the same thing that is done by daemon RPC dispatcher code when it is directly forwarding top level API calls from virtproxyd and other daemons. Reviewed-by: Michal Privoznik Signed-off-by: Daniel P. Berrang=C3=A9 --- src/driver.c | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/src/driver.c b/src/driver.c index f8022d2522..227bb56e48 100644 --- a/src/driver.c +++ b/src/driver.c @@ -33,6 +33,8 @@ #include "virstring.h" #include "virthread.h" #include "virutil.h" +#include "viridentity.h" +#include "datatypes.h" #include "configmake.h" =20 VIR_LOG_INIT("driver"); @@ -136,6 +138,7 @@ static virConnectPtr virGetConnectGeneric(virThreadLocal *threadPtr, const char *name) { virConnectPtr conn; + virErrorPtr saved; =20 if (virConnectCacheInitialize() < 0) return NULL; 
@@ -153,8 +156,32 @@ virGetConnectGeneric(virThreadLocal *threadPtr, const = char *name) =20 conn =3D virConnectOpen(uri); VIR_DEBUG("Opened new %s connection %p", name, conn); + if (!conn) + return NULL; + + if (conn->driver->connectSetIdentity !=3D NULL) { + g_autoptr(virIdentity) ident =3D NULL; + virTypedParameterPtr identparams =3D NULL; + int nidentparams =3D 0; + + VIR_DEBUG("Attempting to delegate current identity"); + if (!(ident =3D virIdentityGetCurrent())) + goto error; + + if (virIdentityGetParameters(ident, &identparams, &nidentparam= s) < 0) + goto error; + + if (virConnectSetIdentity(conn, identparams, nidentparams, 0) = < 0) + goto error; + } } return conn; + + error: + saved =3D virSaveLastError(); + virConnectClose(conn); + virSetError(saved); + return NULL; } =20 =20 --=20 2.31.1 From nobody Sat May 18 12:05:16 2024 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1620404731; cv=none; d=zohomail.com; s=zohoarc; b=LJkvsLSoJpLDH6lse0Zbsnb0eL/KA27/mEPhKmGmzUW9B26Z3r8Ga3Q6MABU/MiNg3lJUZGc+cdAOL6oc6qgs/jznWttbP8SJOI404TdHoF/atTBdtDEWDeqgf8kl2+WEdGJFHDEA3WOKZkf/X5fFieZGQgy4VNPcOqSyZljGq0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620404731; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=5ST+Uf/Cz3cHIVoy86uxjZauGHzlY/6dfQhtWTXV404=; 
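Review bot: In the virGetConnectGeneric() hunk, identparams filled in by virIdentityGetParameters() is never freed: neither the success path nor the error: label releases it, so every newly opened secondary connection leaks the parameter array, and that array holds the delegated identity attributes. Suggest calling virTypedParamsFree(identparams, nidentparams) once virConnectSetIdentity() has returned and on the error path as well. When conn->driver->connectSetIdentity is NULL the connection is returned with no delegation and no log line; a VIR_DEBUG in that branch would make it easier to audit which drivers run without a delegated identity.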
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [libvirt PATCH v2 09/10] src: elevate current identity privilege when fetching secret
Date: Fri, 7 May 2021 17:24:47 +0100
Message-Id: <20210507162448.660074-10-berrange@redhat.com>
In-Reply-To: <20210507162448.660074-1-berrange@redhat.com>
References: <20210507162448.660074-1-berrange@redhat.com>

When fetching the value of a private secret, we need to use an
elevated identity otherwise the secret driver will deny access.

When using the modular daemons, the elevated identity needs to be
active before the secret driver connection is opened, and it will
apply to all API calls made on that connection.

When using the monolithic daemon, the identity at time of opening the
connection is ignored, and the elevated identity needs to be active
precisely at the time the virSecretGetValue API call is made.

After acquiring the secret value, the elevated identity should be
cleared.

This sounds complex, but is fairly straightforward with the automatic
cleanup callbacks.

Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libxl/libxl_conf.c | 5 +++++ src/qemu/qemu_domain.c | 11 ++++++++++- src/qemu/qemu_tpm.c | 5 +++++ src/storage/storage_backend_iscsi.c | 5 +++++ src/storage/storage_backend_iscsi_direct.c | 5 +++++ src/storage/storage_backend_rbd.c | 5 +++++ src/storage/storage_util.c | 5 +++++ 7 files changed, 40 insertions(+), 1 deletion(-) diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 4de2158bea..e33297a9ba 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -31,6 +31,7 @@ #include "datatypes.h" #include "virconf.h" #include "virfile.h" +#include "viridentity.h" #include "virstring.h" #include "viralloc.h" #include "viruuid.h" @@ -1001,6 +1002,10 @@ libxlMakeNetworkDiskSrc(virStorageSource *src, char = **srcstr) if (src->auth && src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_RBD) { g_autofree uint8_t *secret =3D NULL; size_t secretlen =3D 0; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElev= ateCurrent(); + + if (!oldident) + goto cleanup; =20 username =3D src->auth->username; if (!(conn =3D virConnectOpen("xen:///system"))) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index fe56d17486..10641846b3 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -41,6 +41,7 @@ #include "viralloc.h" #include "virlog.h" #include "virerror.h" +#include "viridentity.h" #include "cpu/cpu.h" #include "viruuid.h" #include "virfile.h" @@ -1116,9 +1117,13 @@ qemuDomainSecretPlainSetup(qemuDomainSecretInfo *sec= info, const char *username, virSecretLookupTypeDef *seclookupdef) { + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); g_autoptr(virConnect) conn =3D virGetConnectSecret(); int ret =3D -1; =20 + if (!oldident) + return -1; + if (!conn) return -1; =20 
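Review bot: In the qemuDomainSecretPlainSetup() hunk, virGetConnectSecret() runs in the initializer of conn before the if (!oldident) check, so when virIdentityElevateCurrent() fails a secret driver connection is still opened under the unelevated identity and only then discarded. Suggest declaring conn as NULL and opening it after the oldident check, which is the order the qemu_tpm.c and storage_backend_iscsi.c hunks in this patch already use. The elevation here also lasts until the function returns, while the commit message says the elevated identity should be cleared after the secret value is acquired; a nested block around the secret fetch, as in the example in patch 06, would keep the elevated window to the calls that need it.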
@@ -1213,11 +1218,15 @@ qemuDomainSecretAESSetupFromSecret(qemuDomainObjPri= vate *priv, const char *username, virSecretLookupTypeDef *seclookupdef) { - g_autoptr(virConnect) conn =3D virGetConnectSecret(); qemuDomainSecretInfo *secinfo; g_autofree char *alias =3D qemuAliasForSecret(srcalias, secretuse); g_autofree uint8_t *secret =3D NULL; size_t secretlen =3D 0; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); + g_autoptr(virConnect) conn =3D virGetConnectSecret(); + + if (!oldident) + return NULL; =20 if (!conn) return NULL; diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 9ae7e5f94b..477a26dc69 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -33,6 +33,7 @@ #include "vircommand.h" #include "viralloc.h" #include "virkmod.h" +#include "viridentity.h" #include "virlog.h" #include "virutil.h" #include "viruuid.h" @@ -366,6 +367,10 @@ qemuTPMSetupEncryption(const unsigned char *secretuuid, virSecretLookupTypeDef seclookupdef =3D { .type =3D VIR_SECRET_LOOKUP_TYPE_UUID, }; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); + + if (!oldident) + return -1; =20 conn =3D virGetConnectSecret(); if (!conn) diff --git a/src/storage/storage_backend_iscsi.c b/src/storage/storage_back= end_iscsi.c index 67e59e856c..ed17ed11a6 100644 --- a/src/storage/storage_backend_iscsi.c +++ b/src/storage/storage_backend_iscsi.c @@ -34,6 +34,7 @@ #include "virerror.h" #include "virfile.h" #include "viriscsi.h" +#include "viridentity.h" #include "virlog.h" #include "virobject.h" #include "virstring.h" @@ -263,6 +264,7 @@ virStorageBackendISCSISetAuth(const char *portal, virStorageAuthDef *authdef =3D source->auth; int ret =3D -1; virConnectPtr conn =3D NULL; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!authdef || authdef->authType =3D=3D VIR_STORAGE_AUTH_TYPE_NONE) return 0; 
@@ -275,6 +277,9 @@ virStorageBackendISCSISetAuth(const char *portal, return -1; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return -1; + conn =3D virGetConnectSecret(); if (!conn) return -1; diff --git a/src/storage/storage_backend_iscsi_direct.c b/src/storage/stora= ge_backend_iscsi_direct.c index cb5b39baf4..0bff1882b9 100644 --- a/src/storage/storage_backend_iscsi_direct.c +++ b/src/storage/storage_backend_iscsi_direct.c @@ -29,6 +29,7 @@ #include "storage_util.h" #include "viralloc.h" #include "virerror.h" +#include "viridentity.h" #include "virlog.h" #include "virobject.h" #include "virstring.h" @@ -94,6 +95,7 @@ virStorageBackendISCSIDirectSetAuth(struct iscsi_context = *iscsi, virStorageAuthDef *authdef =3D source->auth; int ret =3D -1; virConnectPtr conn =3D NULL; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!authdef || authdef->authType =3D=3D VIR_STORAGE_AUTH_TYPE_NONE) return 0; @@ -107,6 +109,9 @@ virStorageBackendISCSIDirectSetAuth(struct iscsi_contex= t *iscsi, return ret; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return -1; + if (!(conn =3D virGetConnectSecret())) return ret; =20 diff --git a/src/storage/storage_backend_rbd.c b/src/storage/storage_backen= d_rbd.c index 9fbb2464d1..ce3ab11dd6 100644 --- a/src/storage/storage_backend_rbd.c +++ b/src/storage/storage_backend_rbd.c @@ -27,6 +27,7 @@ #include "storage_backend_rbd.h" #include "storage_conf.h" #include "viralloc.h" +#include "viridentity.h" #include "virlog.h" #include "viruuid.h" #include "virstring.h" @@ -196,6 +197,7 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDS= tate *ptr, g_autofree char *mon_buff =3D NULL; =20 if (authdef) { + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; g_autofree char *rados_key =3D NULL; int rc; =20 
@@ -206,6 +208,9 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDS= tate *ptr, goto cleanup; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + goto cleanup; + conn =3D virGetConnectSecret(); if (!conn) return -1; diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c index 7efadc2197..2b0d08c65d 100644 --- a/src/storage/storage_util.c +++ b/src/storage/storage_util.c @@ -68,6 +68,7 @@ #include "storage_source_conf.h" #include "virlog.h" #include "virfile.h" +#include "viridentity.h" #include "virjson.h" #include "virqemu.h" #include "virstring.h" @@ -1265,6 +1266,7 @@ storageBackendCreateQemuImgSecretPath(virStoragePoolO= bj *pool, size_t secretlen =3D 0; virConnectPtr conn =3D NULL; VIR_AUTOCLOSE fd =3D -1; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!enc) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", 
@@ -1279,6 +1281,9 @@ storageBackendCreateQemuImgSecretPath(virStoragePoolO= bj *pool, return NULL; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return NULL; + conn =3D virGetConnectSecret(); if (!conn) return NULL; --=20 2.31.1
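Review bot: in qemuDomainSecretPlainSetup (src/qemu/qemu_domain.c) the "if (!oldident) return -1;" check sits after the declaration "g_autoptr(virConnect) conn = virGetConnectSecret();" has already run, so when virIdentityElevateCurrent() fails the secret connection is still opened under the unelevated identity, and any error the elevation reported may be replaced before the caller sees it. Declaring conn without an initializer and assigning it after the oldident check, as the qemu_tpm.c and storage backend hunks do, keeps the failure path away from the secret driver entirely. qemuDomainSecretAESSetupFromSecret has the same ordering and would take the same change.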
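Review bot: in virStorageBackendISCSISetAuth, virStorageBackendISCSIDirectSetAuth and storageBackendCreateQemuImgSecretPath, oldident is declared as a function-scope VIR_IDENTITY_AUTORESTORE variable, so the elevated identity stays active until the function returns, not just around the secret lookup. That is wider than the commit message's "After acquiring the secret value, the elevated identity should be cleared", and whatever these functions do after the fetch (not visible in the hunks) will run elevated. The libxl_conf.c and storage_backend_rbd.c hunks scope oldident inside the "if (src->auth ...)" and "if (authdef)" blocks; a nested block or small helper around the connect and fetch would give the same narrow scope here, and a one-line comment at each site saying why elevation is needed would help later readers.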
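Review bot: in virStorageBackendRBDOpenRADOSConn (src/storage/storage_backend_rbd.c, second hunk) the new failure path uses "goto cleanup" while the very next check, "if (!conn) return -1;", returns directly, so two adjacent error paths in the same block leave the function differently. If the cleanup label releases anything acquired by this point, the conn failure should take it too; if not, a comment saying the direct return is deliberate would settle it. A smaller point of the same kind: the added check in virStorageBackendISCSIDirectSetAuth uses "return -1;" where the surrounding lines use "return ret;".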
From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Michal Privoznik
Subject: [libvirt PATCH v2 10/10] secret: rework handling of private secrets
Date: Fri, 7 May 2021 17:24:48 +0100
Message-Id: <20210507162448.660074-11-berrange@redhat.com>
In-Reply-To: <20210507162448.660074-1-berrange@redhat.com>
References: <20210507162448.660074-1-berrange@redhat.com>

A secret can be marked with the "private" attribute. The intent was that it is not possible for any libvirt client to be able to read the secret value; it would only be accessible from within libvirtd, e.g. the QEMU driver can read the value to launch a guest.

With the modular daemons, the QEMU, storage and secret drivers are all running in separate daemons. The QEMU and storage drivers thus appear to be normal libvirt clients from the POV of the secret driver, and thus they are not able to read a private secret. This is unhelpful.

With the previous patches that introduced a "system token" to the identity object, we can now distinguish APIs invoked by libvirt daemons from those invoked by client applications.

Reviewed-by: Michal Privoznik
Signed-off-by: Daniel P. Berrang=C3=A9 --- src/driver-secret.h | 9 +-------- src/libvirt-secret.c | 2 +- src/remote/remote_driver.c | 8 +------- src/secret/secret_driver.c | 34 +++++++++++++++++++++++++++------- src/util/virsecret.c | 3 +-- tests/qemuxml2argvtest.c | 3 +-- 6 files changed, 32 insertions(+), 27 deletions(-) diff --git a/src/driver-secret.h b/src/driver-secret.h index eb6e82478c..1d21f62bb3 100644 --- a/src/driver-secret.h +++ b/src/driver-secret.h @@ -24,12 +24,6 @@ # error "Don't include this file directly, only use driver.h" #endif =20 -enum { - /* This getValue call is inside libvirt, override the "private" flag. - This flag cannot be set by outside callers. */ - VIR_SECRET_GET_VALUE_INTERNAL_CALL =3D 1 << 0, -}; - typedef virSecretPtr (*virDrvSecretLookupByUUID)(virConnectPtr conn, const unsigned char *uuid); @@ -57,8 +51,7 @@ typedef int typedef unsigned char * (*virDrvSecretGetValue)(virSecretPtr secret, size_t *value_size, - unsigned int flags, - unsigned int internalFlags); + unsigned int flags); =20 typedef int (*virDrvSecretUndefine)(virSecretPtr secret); diff --git a/src/libvirt-secret.c b/src/libvirt-secret.c index 75d40f53dc..a427805c7a 100644 --- a/src/libvirt-secret.c +++ b/src/libvirt-secret.c @@ -585,7 +585,7 @@ virSecretGetValue(virSecretPtr secret, size_t *value_si= ze, unsigned int flags) if (conn->secretDriver !=3D NULL && conn->secretDriver->secretGetValue= !=3D NULL) { unsigned char *ret; =20 - ret =3D conn->secretDriver->secretGetValue(secret, value_size, fla= gs, 0); + ret =3D conn->secretDriver->secretGetValue(secret, value_size, fla= gs); if (ret =3D=3D NULL) goto error; return ret; diff --git a/src/remote/remote_driver.c b/src/remote/remote_driver.c index 0c72d69933..eed99af127 100644 --- a/src/remote/remote_driver.c +++ b/src/remote/remote_driver.c 
@@ -5382,7 +5382,7 @@ remoteDomainBuildQemuMonitorEvent(virNetClientProgram= *prog G_GNUC_UNUSED, =20 static unsigned char * remoteSecretGetValue(virSecretPtr secret, size_t *value_size, - unsigned int flags, unsigned int internalFlags) + unsigned int flags) { unsigned char *rv =3D NULL; remote_secret_get_value_args args; @@ -5391,12 +5391,6 @@ remoteSecretGetValue(virSecretPtr secret, size_t *va= lue_size, =20 remoteDriverLock(priv); =20 - /* internalFlags intentionally do not go over the wire */ - if (internalFlags) { - virReportError(VIR_ERR_INTERNAL_ERROR, "%s", _("no internalFlags s= upport")); - goto done; - } - make_nonnull_secret(&args.secret, secret); args.flags =3D flags; =20 diff --git a/src/secret/secret_driver.c b/src/secret/secret_driver.c index 6ea8cc8ce9..d2175de8ed 100644 --- a/src/secret/secret_driver.c +++ b/src/secret/secret_driver.c @@ -36,6 +36,7 @@ #include "viruuid.h" #include "virerror.h" #include "virfile.h" +#include "viridentity.h" #include "virpidfile.h" #include "configmake.h" #include "virstring.h" @@ -352,8 +353,7 @@ secretSetValue(virSecretPtr secret, static unsigned char * secretGetValue(virSecretPtr secret, size_t *value_size, - unsigned int flags, - unsigned int internalFlags) + unsigned int flags) { unsigned char *ret =3D NULL; virSecretObj *obj; 
@@ -368,11 +368,31 @@ secretGetValue(virSecretPtr secret, if (virSecretGetValueEnsureACL(secret->conn, def) < 0) goto cleanup; =20 - if ((internalFlags & VIR_SECRET_GET_VALUE_INTERNAL_CALL) =3D=3D 0 && - def->isprivate) { - virReportError(VIR_ERR_INVALID_SECRET, "%s", - _("secret is private")); - goto cleanup; + /* + * For historical compat we want to deny access to + * private secrets, even if no ACL driver is + * present. + * + * We need to validate the identity requesting + * the secret value is running as the same user + * credentials as this driver. + * + * ie a non-root libvirt client should not be + * able to request the value from privileged + * libvirt driver. + * + * To apply restrictions to processes running under + * the same user account is out of scope. + */ + if (def->isprivate) { + int rv =3D virIdentityIsCurrentElevated(); + if (rv < 0) + goto cleanup; + if (rv =3D=3D 0) { + virReportError(VIR_ERR_INVALID_SECRET, "%s", + _("secret is private")); + goto cleanup; + } } =20 if (!(ret =3D virSecretObjGetValue(obj))) diff --git a/src/util/virsecret.c b/src/util/virsecret.c index 0695288229..604d900f77 100644 --- a/src/util/virsecret.c +++ b/src/util/virsecret.c @@ -174,8 +174,7 @@ virSecretGetSecretString(virConnectPtr conn, goto cleanup; } =20 - *secret =3D conn->secretDriver->secretGetValue(sec, secret_size, 0, - VIR_SECRET_GET_VALUE_INTE= RNAL_CALL); + *secret =3D conn->secretDriver->secretGetValue(sec, secret_size, 0); =20 if (!*secret) goto cleanup; diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index a9dafe226e..3591b7b9f0 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c 
@@ -42,8 +42,7 @@ static virQEMUDriver driver; static unsigned char * fakeSecretGetValue(virSecretPtr obj G_GNUC_UNUSED, size_t *value_size, - unsigned int fakeflags G_GNUC_UNUSED, - unsigned int internalFlags G_GNUC_UNUSED) + unsigned int fakeflags G_GNUC_UNUSED) { char *secret; secret =3D g_strdup("AQCVn5hO6HzFAhAAq0NCv8jtJcIcE+HOBlMQ1A"); --=20 2.31.1
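Review bot: in the new "if (def->isprivate)" block of secretGetValue (src/secret/secret_driver.c), the "rv < 0" branch jumps to cleanup without reporting an error of its own, so the caller gets a usable message only if virIdentityIsCurrentElevated() reports one on every failure path; either state that contract next to the call or report here. Denying on error is the right default and should stay. The block comment also describes the check as comparing "the same user credentials as this driver", while the call is virIdentityIsCurrentElevated() and the commit message ties the decision to the "system token"; naming the token in the comment would tell an operator what actually has to be protected.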
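Review bot: the comments removed in src/driver-secret.h ("This flag cannot be set by outside callers") and in remoteSecretGetValue ("internalFlags intentionally do not go over the wire") documented why a client could not request the private-secret override, and neither hunk leaves a replacement. With the flag gone, that guarantee rests on the identity associated with the call; a short comment on the virDrvSecretGetValue typedef or at the check in secretGetValue, saying that access to private secrets is decided from the caller's identity and not from any argument, would keep the trust boundary documented where the next reader will look for it.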
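Review bot: in virSecretGetSecretString (src/util/virsecret.c), dropping VIR_SECRET_GET_VALUE_INTERNAL_CALL means the helper no longer reads private secrets on its own; it succeeds only when the caller has already elevated the current identity. That precondition is not stated in the hunk. A doc comment on the function saying so, plus a check that every caller is covered by the elevation added in patch 09/10, would keep a missed call site from starting to fail with "secret is private".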