From nobody Tue Feb 10 00:22:33 2026 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (208.118.235.17 [208.118.235.17]) by mx.zohomail.com with SMTPS id 1529080209460834.8689378975959; Fri, 15 Jun 2018 09:30:09 -0700 (PDT) Received: from localhost ([::1]:48030 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fTrbx-0006yW-TR for importer@patchew.org; Fri, 15 Jun 2018 12:30:05 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58816) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fTr0O-0008TH-SJ for qemu-devel@nongnu.org; Fri, 15 Jun 2018 11:51:19 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fTr0N-0006Zx-L2 for qemu-devel@nongnu.org; Fri, 15 Jun 2018 11:51:16 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:57266 helo=mx1.redhat.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fTr0K-0006Vy-KS; Fri, 15 Jun 2018 11:51:12 -0400 Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 285AE40122B6; Fri, 15 Jun 2018 15:51:12 +0000 (UTC) Received: from localhost.localdomain.com (unknown [10.42.22.189]) by smtp.corp.redhat.com (Postfix) with ESMTP id AFD9610FD2A6; Fri, 15 Jun 2018 15:51:10 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Fri, 15 Jun 2018 16:50:58 +0100 Message-Id: <20180615155103.11924-2-berrange@redhat.com> In-Reply-To: <20180615155103.11924-1-berrange@redhat.com> References: <20180615155103.11924-1-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 15 Jun 2018 15:51:12 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.5]); Fri, 15 Jun 2018 15:51:12 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'berrange@redhat.com' RCPT:'' X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] [fuzzy] X-Received-From: 66.187.233.73 Subject: [Qemu-devel] [PATCH 1/6] qemu-nbd: add support for authorization of TLS clients X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Kevin Wolf , qemu-block@nongnu.org, Juan Quintela , Markus Armbruster , Max Reitz , Gerd Hoffmann , Paolo Bonzini , =?UTF-8?q?Marc-Andr=C3=A9=20Lureau?= , "Dr. David Alan Gilbert" Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: "Daniel P. Berrange" Currently any client which can complete the TLS handshake is able to use the NBD server. The server admin can turn on the 'verify-peer' option for the x509 creds to require the client to provide a x509 certificate. This means the client will have to acquire a certificate from the CA before they are permitted to use the NBD server. This is still a fairly low bar to cross. This adds a '--tls-authz OBJECT-ID' option to the qemu-nbd command which takes the ID of a previously added 'QAuthZ' object instance. This will be used to validate the client's x509 distinguished name. Clients failing the authorization check will not be permitted to use the NBD server. For example to setup authorization that only allows connection from a client whose x509 certificate distinguished name contains 'CN=3Dfred', you would use: qemu-nbd -object tls-creds-x509,id=3Dtls0,dir=3D/home/berrange/qemutls,\ endpoint=3Dserver,verify-peer=3Dyes \ -object authz-simple,id=3Dauthz0,policy=3Ddeny,\ rules.0.match=3D*CN=3Dfred,rules.0.policy=3Dallow \ -tls-creds tls0 \ -tls-authz authz0 ....other qemu-nbd args... Signed-off-by: Daniel P. Berrange --- include/block/nbd.h | 2 +- nbd/server.c | 12 +++++++----- qemu-nbd.c | 13 ++++++++++++- qemu-nbd.texi | 4 ++++ 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/include/block/nbd.h b/include/block/nbd.h index fcdcd54502..80ea9d240c 100644 --- a/include/block/nbd.h +++ b/include/block/nbd.h @@ -307,7 +307,7 @@ void nbd_export_close_all(void); void nbd_client_new(NBDExport *exp, QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, - const char *tlsaclname, + const char *tlsauthz, void (*close_fn)(NBDClient *, bool)); void nbd_client_get(NBDClient *client); void nbd_client_put(NBDClient *client); diff --git a/nbd/server.c b/nbd/server.c index 9e1f227178..579fc828e1 100644 --- a/nbd/server.c +++ b/nbd/server.c @@ -100,7 +100,7 @@ struct NBDClient { =20 NBDExport *exp; QCryptoTLSCreds *tlscreds; - char *tlsaclname; + char *tlsauthz; QIOChannelSocket *sioc; /* The underlying data channel */ QIOChannel *ioc; /* The current I/O channel which may differ (eg TLS) = */ =20 @@ -677,7 +677,7 @@ static QIOChannel *nbd_negotiate_handle_starttls(NBDCli= ent *client, =20 tioc =3D qio_channel_tls_new_server(ioc, client->tlscreds, - client->tlsaclname, + client->tlsauthz, errp); if (!tioc) { return NULL; @@ -1250,7 +1250,7 @@ void nbd_client_put(NBDClient *client) if (client->tlscreds) { object_unref(OBJECT(client->tlscreds)); } - g_free(client->tlsaclname); + g_free(client->tlsauthz); if (client->exp) { QTAILQ_REMOVE(&client->exp->clients, client, next); nbd_export_put(client->exp); @@ -2140,7 +2140,7 @@ static coroutine_fn void nbd_co_client_start(void *op= aque) void nbd_client_new(NBDExport *exp, QIOChannelSocket *sioc, QCryptoTLSCreds *tlscreds, - const char *tlsaclname, + const char *tlsauthz, void (*close_fn)(NBDClient *, bool)) { NBDClient *client; @@ -2153,7 +2153,9 @@ void nbd_client_new(NBDExport *exp, if (tlscreds) { object_ref(OBJECT(client->tlscreds)); } - client->tlsaclname =3D g_strdup(tlsaclname); + if (tlsauthz) { + client->tlsauthz =3D g_strdup(tlsauthz); + } client->sioc =3D sioc; object_ref(OBJECT(client->sioc)); client->ioc =3D QIO_CHANNEL(sioc); diff --git a/qemu-nbd.c b/qemu-nbd.c index 51b9d38c72..c0c9c805c0 100644 --- a/qemu-nbd.c +++ b/qemu-nbd.c @@ -52,6 +52,7 @@ #define QEMU_NBD_OPT_TLSCREDS 261 #define QEMU_NBD_OPT_IMAGE_OPTS 262 #define QEMU_NBD_OPT_FORK 263 +#define QEMU_NBD_OPT_TLSAUTHZ 264 =20 #define MBR_SIZE 512 =20 @@ -66,6 +67,7 @@ static int shared =3D 1; static int nb_fds; static QIONetListener *server; static QCryptoTLSCreds *tlscreds; +static const char *tlsauthz; =20 static void usage(const char *name) { @@ -355,7 +357,7 @@ static void nbd_accept(QIONetListener *listener, QIOCha= nnelSocket *cioc, nb_fds++; nbd_update_server_watch(); nbd_client_new(newproto ? NULL : exp, cioc, - tlscreds, NULL, nbd_client_closed); + tlscreds, tlsauthz, nbd_client_closed); } =20 static void nbd_update_server_watch(void) @@ -533,6 +535,7 @@ int main(int argc, char **argv) { "image-opts", no_argument, NULL, QEMU_NBD_OPT_IMAGE_OPTS }, { "trace", required_argument, NULL, 'T' }, { "fork", no_argument, NULL, QEMU_NBD_OPT_FORK }, + { "tls-authz", no_argument, NULL, QEMU_NBD_OPT_TLSAUTHZ }, { NULL, 0, NULL, 0 } }; int ch; @@ -755,6 +758,9 @@ int main(int argc, char **argv) g_free(trace_file); trace_file =3D trace_opt_parse(optarg); break; + case QEMU_NBD_OPT_TLSAUTHZ: + tlsauthz =3D optarg; + break; case QEMU_NBD_OPT_FORK: fork_process =3D true; break; @@ -819,6 +825,11 @@ int main(int argc, char **argv) error_get_pretty(local_err)); exit(EXIT_FAILURE); } + } else { + if (tlsauthz) { + error_report("--tls-authz is not permitted without --tls-creds= "); + exit(EXIT_FAILURE); + } } =20 if (disconnect) { diff --git a/qemu-nbd.texi b/qemu-nbd.texi index 9a84e81eed..8f16bfb513 100644 --- a/qemu-nbd.texi +++ b/qemu-nbd.texi @@ -91,6 +91,10 @@ of the TLS credentials object previously created with th= e --object option. @item --fork Fork off the server process and exit the parent once the server is running. +@item --tls-authz=3DID +Specify the ID of a qauthz object previously created with the +--object option. This will be used to authorize users who +connect against their x509 distinguished name. @item -v, --verbose Display extra debugging information @item -h, --help --=20 2.17.0