On Tue, Jan 25, 2011 at 05:36:53PM -0700, Eric Blake wrote:
> This series has hopefully taken into account all the feedback from v2
> (https://www.redhat.com/archives/libvir-list/2011-January/msg00608.html).
>
> Major changes:
> - enhance the XML to support optional ccid <controller> (missing
>   controllers are added according to <address> elements) and optional
>   <address> per smartcard (missing address assume the next available
>   port on controller 0)
> - enhance the XML to support an optional <source dev='/path'/> for
>   host mode. For now, this path is only used in SELinux labeling; I
>   suspect that this needs more work, since the point is that a single
>   device in the host should be shared among the NSS implementation of
>   multiple guests (so labeling the host device to belong to a single
>   guest is wrong); but fixing it correctly requires a better
>   understanding of what NSS actually needs to access, as well as
>   possibly modifying qemu's smartcard implementation to take the
>   host device either as a pathname or even as an already-opened fd.

I just remembered how NSS actually talks to cards. So basically, if you are using a physical card, it will go through a TCP connection to a local daemon called pcscd - I'm guessing that means no SELinux labeling would be required? Does SELinux label sockets?

pcscd is a single instance, so it wouldn't pose a problem for SELinux. It uses libccid, which is linked to libusb, which does the actual device open, so just pcscd needs the permissions for device access.

> - enhance the XML to support an optional <database> element for
>   host-certificates mode.
> - enhance the qemu command line to fully populate all parameters,
>   rather than the bare minimum defaults, and reflect that in the tests.
>
> It requires this pre-requisite patch for qemu -chardev aliases:
> https://www.redhat.com/archives/libvir-list/2011-January/msg01032.html
>
> Eric Blake (5):
>   smartcard: add XML support for <smartcard> device
>   smartcard: add domain conf support
>   smartcard: check for qemu capability
>   smartcard: enable SELinux support
>   smartcard: turn on qemu support
>
>  cfg.mk                                             |   1 +
>  docs/formatdomain.html.in                          |  95 +++++-
>  docs/schemas/domain.rng                            |  73 ++++
>  src/conf/domain_conf.c                             | 396 +++++++++++++++++++-
>  src/conf/domain_conf.h                             |  53 +++-
>  src/libvirt_private.syms                           |   4 +
>  src/qemu/qemu_capabilities.c                       |   2 +
>  src/qemu/qemu_capabilities.h                       |   1 +
>  src/qemu/qemu_command.c                            |  90 +++++-
>  src/security/security_selinux.c                    |  94 +++++
>  .../qemuxml2argv-smartcard-controller.args         |   1 +
>  .../qemuxml2argv-smartcard-controller.xml          |  20 +
>  .../qemuxml2argv-smartcard-host-certificates.args  |   1 +
>  .../qemuxml2argv-smartcard-host-certificates.xml   |  20 +
>  .../qemuxml2argv-smartcard-host.args               |   1 +
>  .../qemuxml2argv-smartcard-host.xml                |  16 +
>  .../qemuxml2argv-smartcard-passthrough-tcp.args    |   1 +
>  .../qemuxml2argv-smartcard-passthrough-tcp.xml     |  19 +
>  tests/qemuxml2argvtest.c                           |  13 +
>  19 files changed, 887 insertions(+), 14 deletions(-)
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-controller.args
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-controller.xml
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host-certificates.args
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host-certificates.xml
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host.args
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host.xml
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-passthrough-tcp.args
>  create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-passthrough-tcp.xml
>
> --
> 1.7.3.5
>

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
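The cover letter's first bullet states a defaulting rule for ccid addressing: controllers named by an <address> but not declared are added, and a smartcard with no <address> takes the next available slot on controller 0. The following is an added illustration of that rule over a constructed domain XML fragment, not libvirt's own parser; the attribute names (controller, slot, index) and the duplicate-address check are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the patch series): one declared ccid controller,
# a smartcard addressed to an undeclared controller 1, one with no address,
# and one pinned to controller 0 slot 0.
SAMPLE_XML = """<domain type='kvm'><devices>
  <controller type='ccid' index='0'/>
  <smartcard mode='host'><address type='ccid' controller='1' slot='2'/></smartcard>
  <smartcard mode='host'/>
  <smartcard mode='host'><address type='ccid' controller='0' slot='0'/></smartcard>
</devices></domain>"""


def fill_smartcard_defaults(xml_text):
    """Apply the defaulting rule from the cover letter and return the resulting
    ccid controller indices plus each smartcard's (controller, slot) address in
    document order. Raises ValueError when two cards claim the same slot."""
    devices = ET.fromstring(xml_text).find("devices")
    controllers = {int(c.get("index")) for c in devices.findall("controller")
                   if c.get("type") == "ccid"}
    used, pending = set(), []
    # Pass 1: explicit <address> elements reserve their slot and pull in any
    # controller they name that the XML did not declare.
    for card in devices.findall("smartcard"):
        addr = card.find("address")
        if addr is None:
            pending.append(card)
            continue
        key = (int(addr.get("controller")), int(addr.get("slot")))
        if key in used:
            raise ValueError("duplicate ccid address %d:%d" % key)
        used.add(key)
        controllers.add(key[0])
    # Pass 2: cards without an address take the next free slot on controller 0,
    # which is added if nothing declared it.
    for card in pending:
        slot = 0
        while (0, slot) in used:
            slot += 1
        used.add((0, slot))
        controllers.add(0)
        ET.SubElement(card, "address", type="ccid", controller="0", slot=str(slot))
    addresses = [(int(a.get("controller")), int(a.get("slot")))
                 for card in devices.findall("smartcard") for a in card.findall("address")]
    return sorted(controllers), addresses


def has_duplicate_address(xml_text):
    """True when two smartcards in the XML claim the same controller/slot pair."""
    try:
        fill_smartcard_defaults(xml_text)
    except ValueError:
        return True
    return False
```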