Add a capability check to qemuDomainDefValidate and refuse to start
a domain with VNC graphics if the TLS secret was set in qemu.conf
and it's not supported.
Note that qemuDomainSecretGraphicsPrepare does not generate any
secret data if the capability is not present and qemuBuildTLSx509BackendProps
is not called at all.
Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
---
src/qemu/qemu_domain.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 22d93d56f9..32a43f2064 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4112,8 +4112,10 @@ qemuDomainDefValidate(const virDomainDef *def,
void *opaque)
{
virQEMUDriverPtr driver = opaque;
+ virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
virQEMUCapsPtr qemuCaps = NULL;
int ret = -1;
+ size_t i;
if (!(qemuCaps = virQEMUCapsCacheLookup(driver->qemuCapsCache,
def->emulator)))
@@ -4234,10 +4236,23 @@ qemuDomainDefValidate(const virDomainDef *def,
if (qemuDomainDefValidateMemory(def, qemuCaps) < 0)
goto cleanup;
+ if (cfg->vncTLS && cfg->vncTLSx509secretUUID &&
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_OBJECT_TLS_CREDS_X509)) {
+ for (i = 0; i < def->ngraphics; i++) {
+ if (def->graphics[i]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("encrypted VNC TLS keys are not supported with "
+ "this QEMU binary"));
+ goto cleanup;
+ }
+ }
+ }
+
ret = 0;
cleanup:
virObjectUnref(qemuCaps);
+ virObjectUnref(cfg);
return ret;
}
--
2.20.1
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
