From nobody Sun Feb 8 19:39:50 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) client-ip=216.205.24.124; envelope-from=libvir-list-bounces@redhat.com; helo=us-smtp-delivery-124.mimecast.com; Authentication-Results: mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass(p=none dis=none) header.from=redhat.com ARC-Seal: i=1; a=rsa-sha256; t=1620826473; cv=none; d=zohomail.com; s=zohoarc; b=Ze+jD1j6OXTb0DmtA53c+E34+7cBkxiEWYxCBc8r4KQ9NFlO3RLycZWao3r/dFJA7I+7mkQhvRb8GU2dXMPdGdGeBvKYTzkbksfvAbMxYGgukCCi4YuchCpFDO63cbRiBTJf2jy+bc9yOwaANYgTMnEGmwHYkkXF8yymFWdLgL0= ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail.com; s=zohoarc; t=1620826473; h=Content-Type:Content-Transfer-Encoding:Date:From:In-Reply-To:List-Subscribe:List-Post:List-Id:List-Archive:List-Help:List-Unsubscribe:MIME-Version:Message-ID:References:Sender:Subject:To; bh=i/86EE3g598rOpkfNt39k12afV7gEySvgt175NYDpt8=; b=i7+374+R//VApMlmQYaqyy3oZxh3UA8NulJwLZmsFstTDQoFQ33bjzIoodFQH8qejWuS8z3RDlQfLbxtyo3hoT7cPvfa8DXBGhVVUedd35aBRUmTExZE5kOcQLTTmfTFWDs9W9/qJ5C81alq4ETZ37+9p8jaR7yKQqr6PZygoVQ= ARC-Authentication-Results: i=1; mx.zohomail.com; dkim=pass; spf=pass (zohomail.com: domain of redhat.com designates 216.205.24.124 as permitted sender) smtp.mailfrom=libvir-list-bounces@redhat.com; dmarc=pass header.from= (p=none dis=none) header.from= Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) by mx.zohomail.com with SMTPS id 16208264738951020.580272937107; Wed, 12 May 2021 06:34:33 -0700 (PDT) Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-541-M86HtN-SPaecJVroj-4J3Q-1; Wed, 12 May 2021 09:34:27 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.phx2.redhat.com [10.5.11.13]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id B5C36107ACED; Wed, 12 May 2021 13:34:16 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 97A5A6091A; Wed, 12 May 2021 13:34:16 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 5C3D95535C; Wed, 12 May 2021 13:34:16 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 14CDY5qO031319 for ; Wed, 12 May 2021 09:34:05 -0400 Received: by smtp.corp.redhat.com (Postfix) id BC53160657; Wed, 12 May 2021 13:34:05 +0000 (UTC) Received: from foo.redhat.com (ovpn-114-167.ams2.redhat.com [10.36.114.167]) by smtp.corp.redhat.com (Postfix) with ESMTP id C031B2BFC7; Wed, 12 May 2021 13:34:04 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1620826472; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=i/86EE3g598rOpkfNt39k12afV7gEySvgt175NYDpt8=; b=Vd2eUbrM6fG0/Jo5IzWSUXa8fctEqp9Brnv8GhYHFcdF0c4dsE58SIc6RzQDubQVbxaDXB S4knc2MgHqRaYjGOJ4ruINmrTomFUi1y7qwYYdDrohKsThMitHZdHbBTZqiDQ+lRw7OMeU qxe+QGBxJhJpo8yYB8ZmrDS0PuaJSh4= X-MC-Unique: M86HtN-SPaecJVroj-4J3Q-1 From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: libvir-list@redhat.com Subject: [libvirt PATCH v3 03/10] util: generate a persistent system token Date: Wed, 12 May 2021 14:33:49 +0100 Message-Id: <20210512133356.1162418-4-berrange@redhat.com> In-Reply-To: <20210512133356.1162418-1-berrange@redhat.com> References: <20210512133356.1162418-1-berrange@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.11 X-loop: libvir-list@redhat.com X-BeenThere: libvir-list@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Development discussions about the libvirt library & tools List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: libvir-list-bounces@redhat.com Errors-To: libvir-list-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.13 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=libvir-list-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable X-ZohoMail-DKIM: pass (identity @redhat.com) When creating the system identity set the system token. The system token is currently stored in a local path /var/run/libvirt/common/system.token Obviously with only traditional UNIX DAC in effect, this is largely security through obscurity, if the client is running at the same privilege level as the daemon. It does, however, reliably distinguish an unprivileged client from the system daemons. With a MAC system like SELinux though, or possible use of containers, access can be further restricted. A possible future improvement for Linux would be to populate the kernel keyring with a secret for libvirt daemons to share. Signed-off-by: Daniel P. Berrang=C3=A9 --- src/libvirt_private.syms | 1 + src/util/viridentity.c | 107 ++++++++++++++++++++++++++++++++++++- src/util/viridentitypriv.h | 30 +++++++++++ tests/viridentitytest.c | 11 +++- 4 files changed, 147 insertions(+), 2 deletions(-) create mode 100644 src/util/viridentitypriv.h diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index aaae1c8002..9c3c473c1c 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -2396,6 +2396,7 @@ virHostGetBootTime; =20 =20 # util/viridentity.h +virIdentityEnsureSystemToken; virIdentityGetCurrent; virIdentityGetGroupName; virIdentityGetParameters; diff --git a/src/util/viridentity.c b/src/util/viridentity.c index 7da4ea12f5..5174f5a2d3 100644 --- a/src/util/viridentity.c +++ b/src/util/viridentity.c @@ -22,21 +22,27 @@ #include =20 #include +#include #if WITH_SELINUX # include #endif =20 +#define LIBVIRT_VIRIDENTITYPRIV_H_ALLOW + #include "internal.h" #include "viralloc.h" #include "virerror.h" -#include "viridentity.h" +#include "viridentitypriv.h" #include "virlog.h" #include "virobject.h" +#include "virrandom.h" #include "virthread.h" #include "virutil.h" #include "virstring.h" #include "virprocess.h" #include "virtypedparam.h" +#include "virfile.h" +#include "configmake.h" =20 #define VIR_FROM_THIS VIR_FROM_IDENTITY =20 @@ -55,6 +61,7 @@ struct _virIdentity { G_DEFINE_TYPE(virIdentity, vir_identity, G_TYPE_OBJECT) =20 static virThreadLocal virIdentityCurrent; +static char *systemToken; =20 static void virIdentityFinalize(GObject *obj); =20 @@ -73,6 +80,9 @@ static int virIdentityOnceInit(void) return -1; } =20 + if (!(systemToken =3D virIdentityEnsureSystemToken())) + return -1; + return 0; } =20 @@ -144,6 +154,101 @@ int virIdentitySetCurrent(virIdentity *ident) } =20 =20 +#define TOKEN_BYTES 16 +#define TOKEN_STRLEN (TOKEN_BYTES * 2) + +static char * +virIdentityConstructSystemTokenPath(void) +{ + g_autofree char *commondir =3D NULL; + if (geteuid() =3D=3D 0) { + commondir =3D g_strdup(RUNSTATEDIR "/libvirt/common"); + } else { + g_autofree char *rundir =3D virGetUserRuntimeDirectory(); + commondir =3D g_strdup_printf("%s/common", rundir); + } + + if (g_mkdir_with_parents(commondir, 0700) < 0) { + virReportSystemError(errno, + _("Cannot create daemon common directory '%s'= "), + commondir); + return NULL; + } + + return g_strdup_printf("%s/system.token", commondir); +} + + +char * +virIdentityEnsureSystemToken(void) +{ + g_autofree char *tokenfile =3D virIdentityConstructSystemTokenPath(); + g_autofree char *token =3D NULL; + VIR_AUTOCLOSE fd =3D -1; + struct stat st; + + if (!tokenfile) + return NULL; + + fd =3D open(tokenfile, O_RDWR|O_APPEND|O_CREAT, 0600); + if (fd < 0) { + virReportSystemError(errno, + _("Unable to open system token %s"), + tokenfile); + return NULL; + } + + if (virSetCloseExec(fd) < 0) { + virReportSystemError(errno, + _("Failed to set close-on-exec flag '%s'"), + tokenfile); + return NULL; + } + + if (virFileLock(fd, false, 0, 1, true) < 0) { + virReportSystemError(errno, + _("Failed to lock system token '%s'"), + tokenfile); + return NULL; + } + + if (fstat(fd, &st) < 0) { + virReportSystemError(errno, + _("Failed to check system token '%s'"), + tokenfile); + return NULL; + } + + /* Ok, we're the first one here, so we must populate it */ + if (st.st_size =3D=3D 0) { + if (!(token =3D virRandomToken(TOKEN_BYTES))) { + return NULL; + } + if (safewrite(fd, token, TOKEN_STRLEN) !=3D TOKEN_STRLEN) { + virReportSystemError(errno, + _("Failed to write system token '%s'"), + tokenfile); + return NULL; + } + } else { + if (virFileReadLimFD(fd, TOKEN_STRLEN, &token) < 0) { + virReportSystemError(errno, + _("Failed to write system token '%s'"), + tokenfile); + return NULL; + } + if (strlen(token) !=3D TOKEN_STRLEN) { + virReportSystemError(errno, + _("System token in %s was corrupt"), + tokenfile); + return NULL; + } + } + + return g_steal_pointer(&token); +} + + /** * virIdentityGetSystem: * diff --git a/src/util/viridentitypriv.h b/src/util/viridentitypriv.h new file mode 100644 index 0000000000..e5ca8430f8 --- /dev/null +++ b/src/util/viridentitypriv.h @@ -0,0 +1,30 @@ +/* + * viridentitypriv.h: helper APIs for managing user identities + * + * Copyright (C) 2012-2013 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; If not, see + * . + */ + +#ifndef LIBVIRT_VIRIDENTITYPRIV_H_ALLOW +# error "viridentitypriv.h may only be included by viridentity.c or test s= uites" +#endif /* LIBVIRT_VIRIDENTITYPRIV_H_ALLOW */ + +#pragma once + +#include "viridentity.h" + +char * +virIdentityEnsureSystemToken(void) G_GNUC_NO_INLINE; diff --git a/tests/viridentitytest.c b/tests/viridentitytest.c index afb9fdaec4..99c7899ed7 100644 --- a/tests/viridentitytest.c +++ b/tests/viridentitytest.c @@ -25,7 +25,9 @@ =20 #include "testutils.h" =20 -#include "viridentity.h" +#define LIBVIRT_VIRIDENTITYPRIV_H_ALLOW + +#include "viridentitypriv.h" #include "virerror.h" #include "viralloc.h" #include "virlog.h" @@ -36,6 +38,13 @@ =20 VIR_LOG_INIT("tests.identitytest"); =20 +char * +virIdentityEnsureSystemToken(void) +{ + return g_strdup("3de80bcbf22d4833897f1638e01be9b2"); +} + + static int testIdentityAttrs(const void *data G_GNUC_UNUSED) { g_autoptr(virIdentity) ident =3D virIdentityNew(); --=20 2.31.1