This is not going to be very widely used, but for some corner cases and easier (unsafe) debugging, it might be nice. Signed-off-by: Martin Kletzander <mkletzan@xxxxxxxxxx> --- daemon/libvirtd-config.c | 27 +++++++++++++++++++++++++-- daemon/libvirtd-config.h | 13 ++++++++++++- daemon/libvirtd.aug | 13 +++++++++++++ daemon/libvirtd.conf | 24 ++++++++++++++++++++++++ daemon/test_libvirtd.aug.in | 9 +++++++++ tests/confdata/libvirtd.conf | 6 ++++++ tests/confdata/libvirtd.out | 5 +++++ 7 files changed, 94 insertions(+), 3 deletions(-) diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c index 3694455d46f4..10dcc423d2db 100644 --- a/daemon/libvirtd-config.c +++ b/daemon/libvirtd-config.c @@ -1,7 +1,7 @@ /* * libvirtd-config.c: daemon start of day, guest process & i/o management * - * Copyright (C) 2006-2012, 2014 Red Hat, Inc. + * Copyright (C) 2006-2012, 2014, 2015 Red Hat, Inc. * Copyright (C) 2006 Daniel P. Berrange * * This library is free software; you can redistribute it and/or @@ -264,7 +264,8 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED) if (VIR_STRDUP(data->unix_sock_rw_perms, data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700") < 0 || - VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0) + VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0 || + VIR_STRDUP(data->unix_sock_admin_perms, "0700") < 0) goto error; #if WITH_SASL @@ -293,6 +294,16 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED) data->keepalive_count = 5; data->keepalive_required = 0; + data->admin_min_workers = 5; + data->admin_max_workers = 20; + data->admin_max_clients = 5000; + data->admin_max_queued_clients = 20; + data->admin_max_client_requests = 5; + + data->admin_keepalive_interval = 5; + data->admin_keepalive_count = 5; + data->admin_keepalive_required = 0; + localhost = virGetHostname(); if (localhost == NULL) { /* we couldn't resolve the hostname; assume that we are 
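Review bot: The admin defaults set in daemonConfigNew (`admin_min_workers = 5`, `admin_max_workers = 20`, `admin_max_clients = 5000`, `admin_max_queued_clients = 20`) differ from the sample values this patch adds to daemon/libvirtd.conf (`1`, `5`, `5`, `5`), and the sample file does not state the real defaults anywhere. An administrator reading the config would not expect a socket meant for root-only use to accept up to 5000 clients. If the small values are the intended ones, the code should use them, e.g. `data->admin_max_clients = 5;`, and likewise for the other three; otherwise the @@ -307 hunk of libvirtd.conf should name the built-in defaults. daemonConfigNew starts and ends outside this hunk.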
@@ -337,6 +348,7 @@ daemonConfigFree(struct daemonConfig *data) } VIR_FREE(data->access_drivers); + VIR_FREE(data->unix_sock_admin_perms); VIR_FREE(data->unix_sock_ro_perms); VIR_FREE(data->unix_sock_rw_perms); VIR_FREE(data->unix_sock_group); @@ -404,6 +416,7 @@ daemonConfigLoadOptions(struct daemonConfig *data, goto error; GET_CONF_STR(conf, filename, unix_sock_group); + GET_CONF_STR(conf, filename, unix_sock_admin_perms); GET_CONF_STR(conf, filename, unix_sock_ro_perms); GET_CONF_STR(conf, filename, unix_sock_rw_perms); @@ -441,6 +454,12 @@ daemonConfigLoadOptions(struct daemonConfig *data, GET_CONF_INT(conf, filename, max_requests); GET_CONF_UINT(conf, filename, max_client_requests); + GET_CONF_UINT(conf, filename, admin_min_workers); + GET_CONF_UINT(conf, filename, admin_max_workers); + GET_CONF_UINT(conf, filename, admin_max_clients); + GET_CONF_UINT(conf, filename, admin_max_queued_clients); + GET_CONF_UINT(conf, filename, admin_max_client_requests); + GET_CONF_UINT(conf, filename, audit_level); GET_CONF_UINT(conf, filename, audit_logging); @@ -454,6 +473,10 @@ daemonConfigLoadOptions(struct daemonConfig *data, GET_CONF_UINT(conf, filename, keepalive_count); GET_CONF_UINT(conf, filename, keepalive_required); + GET_CONF_INT(conf, filename, admin_keepalive_interval); + GET_CONF_UINT(conf, filename, admin_keepalive_count); + GET_CONF_UINT(conf, filename, admin_keepalive_required); + return 0; error: diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h index c9969955b809..9cdae1a0cb59 100644 --- a/daemon/libvirtd-config.h +++ b/daemon/libvirtd-config.h @@ -1,7 +1,7 @@ /* * libvirtd-config.h: daemon start of day, guest process & i/o management * - * Copyright (C) 2006-2012 Red Hat, Inc. + * Copyright (C) 2006-2012, 2015 Red Hat, Inc. * Copyright (C) 2006 Daniel P. Berrange * * This library is free software; you can redistribute it and/or 
@@ -35,6 +35,7 @@ struct daemonConfig { char *tls_port; char *tcp_port; + char *unix_sock_admin_perms; char *unix_sock_ro_perms; char *unix_sock_rw_perms; char *unix_sock_group; @@ -81,6 +82,16 @@ struct daemonConfig { int keepalive_interval; unsigned int keepalive_count; int keepalive_required; + + int admin_min_workers; + int admin_max_workers; + int admin_max_clients; + int admin_max_queued_clients; + int admin_max_client_requests; + + int admin_keepalive_interval; + unsigned int admin_keepalive_count; + int admin_keepalive_required; }; diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug index 5a0807c368be..a70aa1dddf90 100644 --- a/daemon/libvirtd.aug +++ b/daemon/libvirtd.aug @@ -35,6 +35,7 @@ module Libvirtd = let sock_acl_entry = str_entry "unix_sock_group" | str_entry "unix_sock_ro_perms" | str_entry "unix_sock_rw_perms" + | str_entry "unix_sock_admin_perms" | str_entry "unix_sock_dir" let authentication_entry = str_entry "auth_unix_ro" @@ -62,6 +63,12 @@ module Libvirtd = | int_entry "max_client_requests" | int_entry "prio_workers" + let admin_processing_entry = int_entry "admin_min_workers" + | int_entry "admin_max_workers" + | int_entry "admin_max_clients" + | int_entry "admin_max_queued_clients" + | int_entry "admin_max_client_requests" + let logging_entry = int_entry "log_level" | str_entry "log_filters" | str_entry "log_outputs" @@ -74,6 +81,10 @@ module Libvirtd = | int_entry "keepalive_count" | bool_entry "keepalive_required" + let admin_keepalive_entry = int_entry "admin_keepalive_interval" + | int_entry "admin_keepalive_count" + | bool_entry "admin_keepalive_required" + let misc_entry = str_entry "host_uuid" (* Each enty in the config is one of the following three ... *) 
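Review bot: The five `admin_*` processing fields and `admin_keepalive_required` are declared `int` in the @@ -81 hunk of struct daemonConfig, but the loader hunks in daemon/libvirtd-config.c read every one of them with `GET_CONF_UINT`. The macro body is not part of this patch, so the exact effect is inferred: a signed/unsigned mismatch on assignment at least, and an incompatible pointer type if the macro takes the field's address. Negative worker or client limits have no meaning, so I would declare them unsigned, e.g. `unsigned int admin_max_clients;`, leaving `admin_keepalive_interval` as `int` because it is read with `GET_CONF_INT`. The context lines show the existing `keepalive_required` follows the same int-with-UINT pattern, and the struct begins outside this hunk.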
@@ -83,9 +94,11 @@ module Libvirtd = | certificate_entry | authorization_entry | processing_entry + | admin_processing_entry | logging_entry | auditing_entry | keepalive_entry + | admin_keepalive_entry | misc_entry let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] let empty = [ label "#empty" . eol ] diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf index 069ef3abbaed..ac06cdd79103 100644 --- a/daemon/libvirtd.conf +++ b/daemon/libvirtd.conf @@ -106,9 +106,17 @@ # control, then you may want to relax this too. #unix_sock_rw_perms = "0770" +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to. +#unix_sock_admin_perms = "0700" + # Set the name of the directory in which sockets will be found/created. #unix_sock_dir = "/var/run/libvirt" + + ################################################################# # # Authentication. @@ -307,6 +315,16 @@ # and max_workers parameter #max_client_requests = 5 +# Same processing controls, but this time for the admin interface. +# For description of each option, be so kind to scroll few lines +# upwards. + +#admin_min_workers = 1 +#admin_max_workers = 5 +#admin_max_clients = 5 +#admin_max_queued_clients = 5 +#admin_max_client_requests = 5 + ################################################################# # # Logging controls @@ -427,3 +445,9 @@ # support keepalive protocol. Defaults to 0. # #keepalive_required = 1 + +# Keepalive settings for the admin interface +#admin_keepalive_interval = 5 +#admin_keepalive_count = 5 +# +#admin_keepalive_required = 1 diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in index 37ff33d6032b..4921cbfb86b3 100644 --- a/daemon/test_libvirtd.aug.in +++ b/daemon/test_libvirtd.aug.in 
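Review bot: The comment added for `unix_sock_admin_perms` in the @@ -106 hunk of daemon/libvirtd.conf warns against changing the mode but does not say what a wider mode grants. This patch adds no authentication setting for the admin socket alongside the existing `auth_unix_ro` and `auth_unix_rw`, so as far as the diff shows the file mode is the only configurable gate on that socket. I would state that in the comment, for example `# No separate auth_* option exists for this socket; its mode is the only access control, so treat any user who can open it as a daemon administrator.` (wording to be confirmed against what the admin interface actually permits). The two blank lines added after `#unix_sock_dir` in the same hunk look unintentional.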
@@ -12,6 +12,7 @@ module Test_libvirtd = { "unix_sock_group" = "libvirt" } { "unix_sock_ro_perms" = "0777" } { "unix_sock_rw_perms" = "0770" } + { "unix_sock_admin_perms" = "0700" } { "unix_sock_dir" = "/var/run/libvirt" } { "auth_unix_ro" = "none" } { "auth_unix_rw" = "none" } @@ -42,6 +43,11 @@ module Test_libvirtd = { "prio_workers" = "5" } { "max_requests" = "20" } { "max_client_requests" = "5" } + { "admin_min_workers" = "1" } + { "admin_max_workers" = "5" } + { "admin_max_clients" = "5" } + { "admin_max_queued_clients" = "5" } + { "admin_max_client_requests" = "5" } { "log_level" = "3" } { "log_filters" = "3:remote 4:event" } { "log_outputs" = "3:syslog:libvirtd" } @@ -52,3 +58,6 @@ module Test_libvirtd = { "keepalive_interval" = "5" } { "keepalive_count" = "5" } { "keepalive_required" = "1" } + { "admin_keepalive_interval" = "5" } + { "admin_keepalive_count" = "5" } + { "admin_keepalive_required" = "1" } diff --git a/tests/confdata/libvirtd.conf b/tests/confdata/libvirtd.conf index 2f2ba4b2f142..5029c4c2e7df 100644 --- a/tests/confdata/libvirtd.conf +++ b/tests/confdata/libvirtd.conf @@ -89,6 +89,12 @@ unix_sock_ro_perms = "0777" # control then you may want to relax this to: unix_sock_rw_perms = "0770" +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to +unix_sock_admin_perms = "0700" + ################################################################# diff --git a/tests/confdata/libvirtd.out b/tests/confdata/libvirtd.out index 171945da1aaf..4d7ed47a9002 100644 --- a/tests/confdata/libvirtd.out +++ b/tests/confdata/libvirtd.out 
@@ -71,6 +71,11 @@ unix_sock_ro_perms = "0777" # If not using PolicyKit and setting group ownership for access # control then you may want to relax this to: unix_sock_rw_perms = "0770" +# Set the UNIX socket permissions for the admin interface socket. +# +# Default allows only owner (root), do not change it unless you are +# sure to whom you are exposing the access to +unix_sock_admin_perms = "0700" ################################################################# # # Authentication. -- 2.4.3 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list