On 5/7/21 11:24 AM, Daniel P. Berrangé wrote: > When creating the system identity set the system token. The system > token is currently stored in a local path > > /var/run/libvirt/common/system.token > > Obviously with only traditional UNIX DAC in effect, this is largely > security through obscurity, if the client is running at the same > privilege level as the daemon. It does, however, reliably distinguish > an unprivilegd client from the system daemons. unprivileged > > With a MAC system like SELinux though, or possible use of containers, > access can be further restricted. > > A possible future improvement for Linux would be to populate the > kernel keyring with a secret for libvirt daemons to share. > > Reviewed-by: Michal Privoznik <mprivozn@xxxxxxxxxx> > Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx> > --- > src/util/viridentity.c | 102 +++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 102 insertions(+) > -- Eric Blake, Principal Software Engineer Red Hat, Inc. +1-919-301-3226 Virtualization: qemu.org | libvirt.org
