On Mon, Feb 20, 2023 at 11:47:09AM +0100, Peter Krempa wrote:
> The example gives the user authorized to work with the domain permission
> to open the graphics socket. Since the graphics socket may be protected
> with a password it makes sense to grant the user the
> 'domain.read-secure' permission to fetch the password for the graphics
> object.
>
> This also goes along with e.g. 'domain.send-input' and
> 'domain.screenshot' as they'll allow the user to interact with the
> domain even if they didn't have the password.

The password isn't required, as you can use virDomainOpenGraphics to
connect when it's a local display, and that's allowed via the
domain.open-graphics permission. virt-viewer at least will use this
API, but I can't remember if virt-manager will.

This also bypasses any need to configure TLS certificates for VNC, or
do Kerberos auth if that's enabled.

>
> Signed-off-by: Peter Krempa <pkrempa@xxxxxxxxxx>
> ---
> examples/polkit/libvirt-acl.rules | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/examples/polkit/libvirt-acl.rules b/examples/polkit/libvirt-acl.rules
> index dd6836599a..2edd9c5b8e 100644
> --- a/examples/polkit/libvirt-acl.rules
> +++ b/examples/polkit/libvirt-acl.rules
> @@ -93,6 +93,7 @@ restrictedActions = [
> "domain.inject-nmi",
> "domain.open-device",
> "domain.open-graphics",
> + "domain.read-secure",

We don't allow the secret.read-secure parameter, and I don't think we
should allow this either.

> "domain.pm-control",
> "domain.read",
> "domain.reset",
> --
> 2.39.2
>

With regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
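Review bot: the new "domain.read-secure" entry in the @@ -93,6 +93,7 @@ hunk is inserted between "domain.open-graphics" and "domain.pm-control", which breaks the alphabetical order the surrounding entries follow (open-graphics, pm-control, read, reset); if the entry is kept, it belongs after "domain.read". On whether it should be kept at all: the commit message justifies the permission solely by the need to fetch the graphics password, but the reply above notes that no password is needed for a local display via virDomainOpenGraphics, which is already covered by the existing "domain.open-graphics" entry, and that secret.read-secure is deliberately absent from this list. The hunk therefore needs either a justification for read-secure that does not rest on the graphics password, or it should be dropped so the example rules do not hand out a broader read-secure permission than the use case requires.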