From nobody Sun Feb 8 19:40:06 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1620404731; cv=none; d=zohomail.com; s=zohoarc; b=LJkvsLSoJpLDH6lse0Zbsnb0eL/KA27/mEPhKmGmzUW9B26Z3r8Ga3Q6MABU/MiNg3lJUZGc+cdAOL6oc6qgs/jznWttbP8SJOI404TdHoF/atTBdtDEWDeqgf8kl2+WEdGJFHDEA3WOKZkf/X5fFieZGQgy4VNPcOqSyZljGq0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620404731; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=5ST+Uf/Cz3cHIVoy86uxjZauGHzlY/6dfQhtWTXV404=; b=R5B6LZPH9DUCZz64cW9nXUFhgxHykVVrjN/HbxJl+z5m304ZaR94f7BlqJj5/ARXXtS9Q4dKKT65fE5ScxNiXOwzph5En8WbFyS2aTirU1ZnADga5MCci5oxjgqVv9eZQJHYdsBFs+6oQHe6ES1B75Kc+Radu01o42STij3OCCI= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com with SMTPS id 1620404731647759.9752391623352; Fri, 7 May 2021 09:25:31 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-99-fGiTVYPVOOC3efKVwkC8PA-1; Fri, 07 May 2021 12:25:27 -0400 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 2864AA40C5; Fri, 7 May 2021 16:25:21 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0A629189A5; Fri, 7 May 2021 16:25:21 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id CD0A11801263; Fri, 7 May 2021 16:25:20 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 147GPJXq003541 for ; Fri, 7 May 2021 12:25:19 -0400 Received: by smtp.corp.redhat.com (Postfix) id 18BFC60636; Fri, 7 May 2021 16:25:19 +0000 (UTC) Received: from foo.redhat.com (ovpn-114-155.ams2.redhat.com [10.36.114.155]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4367A189A5; Fri, 7 May 2021 16:25:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1620404730; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=5ST+Uf/Cz3cHIVoy86uxjZauGHzlY/6dfQhtWTXV404=; b=DALYGJ11+Mlq+mvCkoLl4fydYRdJJ6adQR0WVwiOafC38qS+ZFkw1duNZvBOxiIDRQxaV1 9F7wD9dqjCX8vMVigwRaEBwqPacxOh5ABQGqwECU45fhJjYEQcqaddgEPKAmIgic27/W1N 1lJ4GLne8L432dJFQcGrOa7MxBixKK4= X-MC-Unique: fGiTVYPVOOC3efKVwkC8PA-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Subject: [libvirt PATCH v2 09/10] src: elevate current identity privilege when fetching secret Date: Fri, 7 May 2021 17:24:47 +0100 Message-Id: <20210507162448.660074-10-berrange@redhat.com> In-Reply-To: <20210507162448.660074-1-berrange@redhat.com> References: <20210507162448.660074-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) When fetching the value of a private secret, we need to use an elevated identity otherwise the secret driver will deny access. When using the modular daemons, the elevated identity needs to be active before the secret driver connection is opened, and it will apply to all APIs calls made on that conncetion. When using the monolithic daemon, the identity at time of opening the connection is ignored, and the elevated identity needs to be active precisely at the time the virSecretGetValue API call is made. After acquiring the secret value, the elevated identity should be cleared. This sounds complex, but is fairly straightfoward with the automatic cleanup callbacks. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libxl/libxl_conf.c | 5 +++++ src/qemu/qemu_domain.c | 11 ++++++++++- src/qemu/qemu_tpm.c | 5 +++++ src/storage/storage_backend_iscsi.c | 5 +++++ src/storage/storage_backend_iscsi_direct.c | 5 +++++ src/storage/storage_backend_rbd.c | 5 +++++ src/storage/storage_util.c | 5 +++++ 7 files changed, 40 insertions(+), 1 deletion(-) diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 4de2158bea..e33297a9ba 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -31,6 +31,7 @@ #include "datatypes.h" #include "virconf.h" #include "virfile.h" +#include "viridentity.h" #include "virstring.h" #include "viralloc.h" #include "viruuid.h" @@ -1001,6 +1002,10 @@ libxlMakeNetworkDiskSrc(virStorageSource *src, char = **srcstr) if (src->auth && src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_RBD) { g_autofree uint8_t *secret =3D NULL; size_t secretlen =3D 0; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElev= ateCurrent(); + + if (!oldident) + goto cleanup; =20 username =3D src->auth->username; if (!(conn =3D virConnectOpen("xen:///system"))) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index fe56d17486..10641846b3 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -41,6 +41,7 @@ #include "viralloc.h" #include "virlog.h" #include "virerror.h" +#include "viridentity.h" #include "cpu/cpu.h" #include "viruuid.h" #include "virfile.h" @@ -1116,9 +1117,13 @@ qemuDomainSecretPlainSetup(qemuDomainSecretInfo *sec= info, const char *username, virSecretLookupTypeDef *seclookupdef) { + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); g_autoptr(virConnect) conn =3D virGetConnectSecret(); int ret =3D -1; =20 + if (!oldident) + return -1; + if (!conn) return -1; =20 @@ -1213,11 +1218,15 @@ qemuDomainSecretAESSetupFromSecret(qemuDomainObjPri= vate *priv, const char *username, virSecretLookupTypeDef *seclookupdef) { - g_autoptr(virConnect) conn =3D virGetConnectSecret(); qemuDomainSecretInfo *secinfo; g_autofree char *alias =3D qemuAliasForSecret(srcalias, secretuse); g_autofree uint8_t *secret =3D NULL; size_t secretlen =3D 0; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); + g_autoptr(virConnect) conn =3D virGetConnectSecret(); + + if (!oldident) + return NULL; =20 if (!conn) return NULL; diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 9ae7e5f94b..477a26dc69 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -33,6 +33,7 @@ #include "vircommand.h" #include "viralloc.h" #include "virkmod.h" +#include "viridentity.h" #include "virlog.h" #include "virutil.h" #include "viruuid.h" @@ -366,6 +367,10 @@ qemuTPMSetupEncryption(const unsigned char *secretuuid, virSecretLookupTypeDef seclookupdef =3D { .type =3D VIR_SECRET_LOOKUP_TYPE_UUID, }; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); + + if (!oldident) + return -1; =20 conn =3D virGetConnectSecret(); if (!conn) diff --git a/src/storage/storage_backend_iscsi.c b/src/storage/storage_back= end_iscsi.c index 67e59e856c..ed17ed11a6 100644 --- a/src/storage/storage_backend_iscsi.c +++ b/src/storage/storage_backend_iscsi.c @@ -34,6 +34,7 @@ #include "virerror.h" #include "virfile.h" #include "viriscsi.h" +#include "viridentity.h" #include "virlog.h" #include "virobject.h" #include "virstring.h" @@ -263,6 +264,7 @@ virStorageBackendISCSISetAuth(const char *portal, virStorageAuthDef *authdef =3D source->auth; int ret =3D -1; virConnectPtr conn =3D NULL; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!authdef || authdef->authType =3D=3D VIR_STORAGE_AUTH_TYPE_NONE) return 0; @@ -275,6 +277,9 @@ virStorageBackendISCSISetAuth(const char *portal, return -1; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return -1; + conn =3D virGetConnectSecret(); if (!conn) return -1; diff --git a/src/storage/storage_backend_iscsi_direct.c b/src/storage/stora= ge_backend_iscsi_direct.c index cb5b39baf4..0bff1882b9 100644 --- a/src/storage/storage_backend_iscsi_direct.c +++ b/src/storage/storage_backend_iscsi_direct.c @@ -29,6 +29,7 @@ #include "storage_util.h" #include "viralloc.h" #include "virerror.h" +#include "viridentity.h" #include "virlog.h" #include "virobject.h" #include "virstring.h" @@ -94,6 +95,7 @@ virStorageBackendISCSIDirectSetAuth(struct iscsi_context = *iscsi, virStorageAuthDef *authdef =3D source->auth; int ret =3D -1; virConnectPtr conn =3D NULL; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!authdef || authdef->authType =3D=3D VIR_STORAGE_AUTH_TYPE_NONE) return 0; @@ -107,6 +109,9 @@ virStorageBackendISCSIDirectSetAuth(struct iscsi_contex= t *iscsi, return ret; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return -1; + if (!(conn =3D virGetConnectSecret())) return ret; =20 diff --git a/src/storage/storage_backend_rbd.c b/src/storage/storage_backen= d_rbd.c index 9fbb2464d1..ce3ab11dd6 100644 --- a/src/storage/storage_backend_rbd.c +++ b/src/storage/storage_backend_rbd.c @@ -27,6 +27,7 @@ #include "storage_backend_rbd.h" #include "storage_conf.h" #include "viralloc.h" +#include "viridentity.h" #include "virlog.h" #include "viruuid.h" #include "virstring.h" @@ -196,6 +197,7 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDS= tate *ptr, g_autofree char *mon_buff =3D NULL; =20 if (authdef) { + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; g_autofree char *rados_key =3D NULL; int rc; =20 @@ -206,6 +208,9 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDS= tate *ptr, goto cleanup; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + goto cleanup; + conn =3D virGetConnectSecret(); if (!conn) return -1; diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c index 7efadc2197..2b0d08c65d 100644 --- a/src/storage/storage_util.c +++ b/src/storage/storage_util.c @@ -68,6 +68,7 @@ #include "storage_source_conf.h" #include "virlog.h" #include "virfile.h" +#include "viridentity.h" #include "virjson.h" #include "virqemu.h" #include "virstring.h" @@ -1265,6 +1266,7 @@ storageBackendCreateQemuImgSecretPath(virStoragePoolO= bj *pool, size_t secretlen =3D 0; virConnectPtr conn =3D NULL; VIR_AUTOCLOSE fd =3D -1; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!enc) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", @@ -1279,6 +1281,9 @@ storageBackendCreateQemuImgSecretPath(virStoragePoolO= bj *pool, return NULL; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return NULL; + conn =3D virGetConnectSecret(); if (!conn) return NULL; --=20 2.31.1