From: Daniel P. Berrangé
To: libvir-list@redhat.com
Subject: [libvirt PATCH v3 09/10] src: elevate current identity privilege when fetching secret
Date: Wed, 12 May 2021 14:33:55 +0100
Message-Id: <20210512133356.1162418-10-berrange@redhat.com>
In-Reply-To: <20210512133356.1162418-1-berrange@redhat.com>
References: <20210512133356.1162418-1-berrange@redhat.com>

When fetching the value of a private secret, we need to use an elevated identity otherwise the secret driver will deny access.

When using the modular daemons, the elevated identity needs to be active before the secret driver connection is opened, and it will apply to all API calls made on that connection.

When using the monolithic daemon, the identity at time of opening the connection is ignored, and the elevated identity needs to be active precisely at the time the virSecretGetValue API call is made.

After acquiring the secret value, the elevated identity should be cleared.

This sounds complex, but is fairly straightforward with the automatic cleanup callbacks.

Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libxl/libxl_conf.c | 5 +++++ src/qemu/qemu_domain.c | 11 ++++++++++- src/qemu/qemu_tpm.c | 5 +++++ src/storage/storage_backend_iscsi.c | 5 +++++ src/storage/storage_backend_iscsi_direct.c | 5 +++++ src/storage/storage_backend_rbd.c | 5 +++++ src/storage/storage_util.c | 5 +++++ tests/qemuxml2argvmock.c | 9 +++++++++ tests/qemuxml2argvtest.c | 6 ++++++ 9 files changed, 55 insertions(+), 1 deletion(-) diff --git a/src/libxl/libxl_conf.c b/src/libxl/libxl_conf.c index 4de2158bea..e33297a9ba 100644 --- a/src/libxl/libxl_conf.c +++ b/src/libxl/libxl_conf.c @@ -31,6 +31,7 @@ #include "datatypes.h" #include "virconf.h" #include "virfile.h" +#include "viridentity.h" #include "virstring.h" #include "viralloc.h" #include "viruuid.h" @@ -1001,6 +1002,10 @@ libxlMakeNetworkDiskSrc(virStorageSource *src, char = **srcstr) if (src->auth && src->protocol =3D=3D VIR_STORAGE_NET_PROTOCOL_RBD) { g_autofree uint8_t *secret =3D NULL; size_t secretlen =3D 0; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElev= ateCurrent(); + + if (!oldident) + goto cleanup; =20 username =3D src->auth->username; if (!(conn =3D virConnectOpen("xen:///system"))) diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c index fe56d17486..10641846b3 100644 --- a/src/qemu/qemu_domain.c +++ b/src/qemu/qemu_domain.c @@ -41,6 +41,7 @@ #include "viralloc.h" #include "virlog.h" #include "virerror.h" +#include "viridentity.h" #include "cpu/cpu.h" #include "viruuid.h" #include "virfile.h" @@ -1116,9 +1117,13 @@ qemuDomainSecretPlainSetup(qemuDomainSecretInfo *sec= info, const char *username, virSecretLookupTypeDef *seclookupdef) { + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); g_autoptr(virConnect) conn =3D virGetConnectSecret(); int ret =3D -1; =20 + if (!oldident) + return -1; + if (!conn) return -1; =20 
@@ -1213,11 +1218,15 @@ qemuDomainSecretAESSetupFromSecret(qemuDomainObjPri= vate *priv, const char *username, virSecretLookupTypeDef *seclookupdef) { - g_autoptr(virConnect) conn =3D virGetConnectSecret(); qemuDomainSecretInfo *secinfo; g_autofree char *alias =3D qemuAliasForSecret(srcalias, secretuse); g_autofree uint8_t *secret =3D NULL; size_t secretlen =3D 0; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); + g_autoptr(virConnect) conn =3D virGetConnectSecret(); + + if (!oldident) + return NULL; =20 if (!conn) return NULL; diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 9ae7e5f94b..477a26dc69 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -33,6 +33,7 @@ #include "vircommand.h" #include "viralloc.h" #include "virkmod.h" +#include "viridentity.h" #include "virlog.h" #include "virutil.h" #include "viruuid.h" @@ -366,6 +367,10 @@ qemuTPMSetupEncryption(const unsigned char *secretuuid, virSecretLookupTypeDef seclookupdef =3D { .type =3D VIR_SECRET_LOOKUP_TYPE_UUID, }; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D virIdentityElevateC= urrent(); + + if (!oldident) + return -1; =20 conn =3D virGetConnectSecret(); if (!conn) diff --git a/src/storage/storage_backend_iscsi.c b/src/storage/storage_back= end_iscsi.c index 67e59e856c..ed17ed11a6 100644 --- a/src/storage/storage_backend_iscsi.c +++ b/src/storage/storage_backend_iscsi.c @@ -34,6 +34,7 @@ #include "virerror.h" #include "virfile.h" #include "viriscsi.h" +#include "viridentity.h" #include "virlog.h" #include "virobject.h" #include "virstring.h" @@ -263,6 +264,7 @@ virStorageBackendISCSISetAuth(const char *portal, virStorageAuthDef *authdef =3D source->auth; int ret =3D -1; virConnectPtr conn =3D NULL; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!authdef || authdef->authType =3D=3D VIR_STORAGE_AUTH_TYPE_NONE) return 0; 
@@ -275,6 +277,9 @@ virStorageBackendISCSISetAuth(const char *portal, return -1; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return -1; + conn =3D virGetConnectSecret(); if (!conn) return -1; diff --git a/src/storage/storage_backend_iscsi_direct.c b/src/storage/stora= ge_backend_iscsi_direct.c index cb5b39baf4..0bff1882b9 100644 --- a/src/storage/storage_backend_iscsi_direct.c +++ b/src/storage/storage_backend_iscsi_direct.c @@ -29,6 +29,7 @@ #include "storage_util.h" #include "viralloc.h" #include "virerror.h" +#include "viridentity.h" #include "virlog.h" #include "virobject.h" #include "virstring.h" @@ -94,6 +95,7 @@ virStorageBackendISCSIDirectSetAuth(struct iscsi_context = *iscsi, virStorageAuthDef *authdef =3D source->auth; int ret =3D -1; virConnectPtr conn =3D NULL; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!authdef || authdef->authType =3D=3D VIR_STORAGE_AUTH_TYPE_NONE) return 0; @@ -107,6 +109,9 @@ virStorageBackendISCSIDirectSetAuth(struct iscsi_contex= t *iscsi, return ret; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return -1; + if (!(conn =3D virGetConnectSecret())) return ret; =20 diff --git a/src/storage/storage_backend_rbd.c b/src/storage/storage_backen= d_rbd.c index 9fbb2464d1..ce3ab11dd6 100644 --- a/src/storage/storage_backend_rbd.c +++ b/src/storage/storage_backend_rbd.c @@ -27,6 +27,7 @@ #include "storage_backend_rbd.h" #include "storage_conf.h" #include "viralloc.h" +#include "viridentity.h" #include "virlog.h" #include "viruuid.h" #include "virstring.h" @@ -196,6 +197,7 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDS= tate *ptr, g_autofree char *mon_buff =3D NULL; =20 if (authdef) { + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; g_autofree char *rados_key =3D NULL; int rc; =20 
@@ -206,6 +208,9 @@ virStorageBackendRBDOpenRADOSConn(virStorageBackendRBDS= tate *ptr, goto cleanup; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + goto cleanup; + conn =3D virGetConnectSecret(); if (!conn) return -1; diff --git a/src/storage/storage_util.c b/src/storage/storage_util.c index 7efadc2197..2b0d08c65d 100644 --- a/src/storage/storage_util.c +++ b/src/storage/storage_util.c @@ -68,6 +68,7 @@ #include "storage_source_conf.h" #include "virlog.h" #include "virfile.h" +#include "viridentity.h" #include "virjson.h" #include "virqemu.h" #include "virstring.h" @@ -1265,6 +1266,7 @@ storageBackendCreateQemuImgSecretPath(virStoragePoolO= bj *pool, size_t secretlen =3D 0; virConnectPtr conn =3D NULL; VIR_AUTOCLOSE fd =3D -1; + VIR_IDENTITY_AUTORESTORE virIdentity *oldident =3D NULL; =20 if (!enc) { virReportError(VIR_ERR_INTERNAL_ERROR, "%s", @@ -1279,6 +1281,9 @@ storageBackendCreateQemuImgSecretPath(virStoragePoolO= bj *pool, return NULL; } =20 + if (!(oldident =3D virIdentityElevateCurrent())) + return NULL; + conn =3D virGetConnectSecret(); if (!conn) return NULL; diff --git a/tests/qemuxml2argvmock.c b/tests/qemuxml2argvmock.c index 77a0814c08..2265492f1e 100644 --- a/tests/qemuxml2argvmock.c +++ b/tests/qemuxml2argvmock.c @@ -18,10 +18,13 @@ =20 #include =20 +#define LIBVIRT_VIRIDENTITYPRIV_H_ALLOW + #include "internal.h" #include "viralloc.h" #include "vircommand.h" #include "vircrypto.h" +#include "viridentitypriv.h" #include "virmock.h" #include "virlog.h" #include "virnetdev.h" @@ -292,3 +295,9 @@ qemuInterfaceVDPAConnect(virDomainNetDef *net G_GNUC_UN= USED) abort(); return 1732; } + +char * +virIdentityEnsureSystemToken(void) +{ + return g_strdup("3de80bcbf22d4833897f1638e01be9b2"); +} diff --git a/tests/qemuxml2argvtest.c b/tests/qemuxml2argvtest.c index a9dafe226e..a93d21d61a 100644 --- a/tests/qemuxml2argvtest.c +++ b/tests/qemuxml2argvtest.c 
@@ -11,6 +11,7 @@ =20 # include "internal.h" # include "viralloc.h" +# include "viridentity.h" # include "qemu/qemu_alias.h" # include "qemu/qemu_capabilities.h" # include "qemu/qemu_command.h" @@ -650,6 +651,7 @@ testCompareXMLToArgv(const void *data) xmlNodePtr root; g_autofree char *archstr =3D NULL; virArch arch =3D VIR_ARCH_NONE; + g_autoptr(virIdentity) sysident =3D virIdentityGetSystem(); =20 if (info->arch !=3D VIR_ARCH_NONE && info->arch !=3D VIR_ARCH_X86_64) qemuTestSetHostArch(&driver, info->arch); @@ -670,6 +672,9 @@ testCompareXMLToArgv(const void *data) virSetConnectSecret(conn); virSetConnectStorage(conn); =20 + if (virIdentitySetCurrent(sysident) < 0) + goto cleanup; + if (testCheckExclusiveFlags(info->flags) < 0) goto cleanup; =20 @@ -809,6 +814,7 @@ testCompareXMLToArgv(const void *data) VIR_FREE(log); virDomainChrSourceDefClear(&monitor_chr); virObjectUnref(vm); + virIdentitySetCurrent(NULL); virSetConnectSecret(NULL); virSetConnectStorage(NULL); if (info->arch !=3D VIR_ARCH_NONE && info->arch !=3D VIR_ARCH_X86_64) --=20 2.31.1
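
Review bot: in qemuDomainSecretPlainSetup() (src/qemu/qemu_domain.c), `conn` is initialised with virGetConnectSecret() in its declaration, so the secret connection is requested before the new `if (!oldident) return -1;` check runs. When elevation fails, the connection is still requested under the caller's unelevated identity and then thrown away. Suggest declaring `conn` as NULL and calling virGetConnectSecret() only after the `oldident` check, which is the order the qemu_tpm.c and storage backend hunks already use.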
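
Review bot: the relative order of the `oldident` and `conn` declarations in qemuDomainSecretAESSetupFromSecret() (src/qemu/qemu_domain.c) is load-bearing but undocumented. Declaring `oldident` first is what makes the elevated identity active before the secret connection is opened, and because automatic cleanups run in reverse declaration order it also means the connection is released before the previous identity is restored. A one-line comment above the two declarations would keep a later tidy-up of the variable block from silently reordering them. As in qemuDomainSecretPlainSetup(), the connection is also requested before `if (!oldident)` is evaluated.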
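
Review bot: in virStorageBackendRBDOpenRADOSConn() (src/storage/storage_backend_rbd.c), the new elevation failure path uses `goto cleanup` while the check directly after it, `if (!conn) return -1;`, returns immediately, so two adjacent failures leave the function by different routes. If the cleanup label releases anything set up earlier in the function, the `!conn` path skips it. Since this block is being touched anyway, suggest making both checks use `goto cleanup`.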
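
Review bot: in testCompareXMLToArgv() (tests/qemuxml2argvtest.c), `sysident` returned by virIdentityGetSystem() is passed to virIdentitySetCurrent() without a NULL check. The cleanup path in the same function calls virIdentitySetCurrent(NULL) to clear the identity, so a failed virIdentityGetSystem() would probably be accepted without error and the test would continue with no identity set, failing later at the elevation step with a much less direct message. Suggest adding `if (!sysident) goto cleanup;` before the virIdentitySetCurrent() call.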