[PATCH 11/15] Add configuration options for permissions on daemon's admin socket

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

This is not going to be very widely used, but for some corner cases and
easier (unsafe) debugging, it might be nice.

Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx>
---
 daemon/libvirtd-config.c     | 5 ++++-
 daemon/libvirtd-config.h     | 1 +
 daemon/libvirtd.aug          | 1 +
 daemon/libvirtd.conf         | 8 ++++++++
 daemon/test_libvirtd.aug.in  | 1 +
 tests/confdata/libvirtd.conf | 6 ++++++
 tests/confdata/libvirtd.out  | 5 +++++
 7 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c
index 3694455..bce2d70 100644
--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -264,7 +264,8 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED)

     if (VIR_STRDUP(data->unix_sock_rw_perms,
                    data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700") < 0 ||
-        VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0)
+        VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0 ||
+        VIR_STRDUP(data->unix_sock_admin_perms, "0700") < 0)
         goto error;

 #if WITH_SASL
@@ -337,6 +338,7 @@ daemonConfigFree(struct daemonConfig *data)
     }
     VIR_FREE(data->access_drivers);

+    VIR_FREE(data->unix_sock_admin_perms);
     VIR_FREE(data->unix_sock_ro_perms);
     VIR_FREE(data->unix_sock_rw_perms);
     VIR_FREE(data->unix_sock_group);
@@ -404,6 +406,7 @@ daemonConfigLoadOptions(struct daemonConfig *data,
         goto error;

     GET_CONF_STR(conf, filename, unix_sock_group);
+    GET_CONF_STR(conf, filename, unix_sock_admin_perms);
     GET_CONF_STR(conf, filename, unix_sock_ro_perms);
     GET_CONF_STR(conf, filename, unix_sock_rw_perms);

diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h
index c996995..b8d2bc0 100644
--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -35,6 +35,7 @@ struct daemonConfig {
     char *tls_port;
     char *tcp_port;

+    char *unix_sock_admin_perms;
     char *unix_sock_ro_perms;
     char *unix_sock_rw_perms;
     char *unix_sock_group;
diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug
index 5a0807c..b20ceca 100644
--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -35,6 +35,7 @@ module Libvirtd =
    let sock_acl_entry = str_entry "unix_sock_group"
                       | str_entry "unix_sock_ro_perms"
                       | str_entry "unix_sock_rw_perms"
+                      | str_entry "unix_sock_admin_perms"
                       | str_entry "unix_sock_dir"

    let authentication_entry = str_entry "auth_unix_ro"
diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 069ef3a..6ef38fa 100644
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -106,9 +106,17 @@
 # control, then you may want to relax this too.
 #unix_sock_rw_perms = "0770"

+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
 # Set the name of the directory in which sockets will be found/created.
 #unix_sock_dir = "/var/run/libvirt"

+
+
 #################################################################
 #
 # Authentication.
diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 37ff33d..a87df5f 100644
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -12,6 +12,7 @@ module Test_libvirtd =
         { "unix_sock_group" = "libvirt" }
         { "unix_sock_ro_perms" = "0777" }
         { "unix_sock_rw_perms" = "0770" }
+        { "unix_sock_admin_perms" = "0700" }
         { "unix_sock_dir" = "/var/run/libvirt" }
         { "auth_unix_ro" = "none" }
         { "auth_unix_rw" = "none" }
diff --git a/tests/confdata/libvirtd.conf b/tests/confdata/libvirtd.conf
index 2f2ba4b..5029c4c 100644
--- a/tests/confdata/libvirtd.conf
+++ b/tests/confdata/libvirtd.conf
@@ -89,6 +89,12 @@ unix_sock_ro_perms = "0777"
 # control then you may want to relax this to:
 unix_sock_rw_perms = "0770"

+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
+


 #################################################################
diff --git a/tests/confdata/libvirtd.out b/tests/confdata/libvirtd.out
index 171945d..4d7ed47 100644
--- a/tests/confdata/libvirtd.out
+++ b/tests/confdata/libvirtd.out
@@ -71,6 +71,11 @@ unix_sock_ro_perms = "0777"
 # If not using PolicyKit and setting group ownership for access
 # control then you may want to relax this to:
 unix_sock_rw_perms = "0770"
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
 #################################################################
 #
 # Authentication.
-- 
2.3.5

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]