This patch adds configuration options for the qemu driver to control the behavior of the TCP tunelling API. The behavior can be configured separately for read-write connections and for read-only connections enabling finer granularity of control.
---
 src/qemu/qemu.conf | 16 ++++++++++++++++
 src/qemu/qemu_conf.c | 26 ++++++++++++++++++++++++++
 src/qemu/qemu_conf.h | 13 +++++++++++++
 3 files changed, 55 insertions(+)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index dd853c8..9064b33 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -153,6 +153,22 @@
 #remote_display_port_min = 5900
 #remote_display_port_max = 65535
+##
+# TCP tunneling
+#
+# Libvirt supports TCP tunneling using libvirt's streams. This can be used
+# to forward graphical display and other connections from remote clients
+# to the host machine. This might pose a security risk so the tunneling
+# option is disabled by default.
+#
+# Possible values are: "disable" - don't allow any tcp tunnels
+# "local" - allow connections to "localhost" address
+# "enable" - allow tunneling to any node
+#
+# Configuration of forwarding for read-write connections:
+#tunnel_tcp_rw = "enable"
+# Configuration of forwarding for read-only connections:
+#tunnel_tcp_ro = "local"
 # The default security driver is SELinux. If SELinux is disabled
 # on the host, then the security driver will automatically disable
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 8d380a1..396e5d9 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -57,6 +57,11 @@
 #define VIR_FROM_THIS VIR_FROM_QEMU
+VIR_ENUM_IMPL(qemuTunnelTcpConfig, QEMU_TCP_TUNNEL_LAST,
+ "disable",
+ "local",
+ "enable");
+
 struct _qemuDriverCloseDef {
 virConnectPtr conn;
 qemuDriverCloseCallback cb;
@@ -78,6 +83,7 @@ int qemuLoadDriverConfig(virQEMUDriverPtr driver,
 virConfValuePtr p;
 char *user = NULL;
 char *group = NULL;
+ char *tmp;
 int ret = -1;
 int i;
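Review bot: The commented-out examples `#tunnel_tcp_rw = "enable"` and `#tunnel_tcp_ro = "local"` do not match the default announced a few lines above ("disabled by default"), while the neighbouring entries such as `#remote_display_port_min = 5900` appear to follow the convention of showing the built-in default. An administrator who uncomments the example expecting the default ends up permitting tunnels to any node for read-write clients. Suggest `#tunnel_tcp_rw = "disable"` and `#tunnel_tcp_ro = "disable"`, plus one line after the value list such as `# The default for both options is "disable".` so the default is stated rather than implied.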
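Review bot: The new `char *tmp;` is declared without an initializer and nothing in this patch releases what `GET_VALUE_STR` stores in it; in the second qemu_conf.c hunk the string fetched for `tunnel_tcp_ro` is dropped by the bare `tmp = NULL;` before the `tunnel_tcp_rw` lookup, and the second string is still held when control reaches the `cleanup:` label, which the patch does not touch. Assuming `GET_VALUE_STR` hands back a heap copy of the value, as the NULL-initialised `user` and `group` pointers declared beside `tmp` suggest, both strings leak on every config load. Suggest `char *tmp = NULL;` here, `VIR_FREE(tmp);` in place of the second `tmp = NULL;`, and a matching `VIR_FREE(tmp);` in the cleanup block, which lies outside both hunks. The enclosing qemuLoadDriverConfig() starts and ends outside the hunks.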
@@ -375,6 +381,26 @@ int qemuLoadDriverConfig(virQEMUDriverPtr driver,
 GET_VALUE_LONG("keepalive_count", driver->keepAliveCount);
 GET_VALUE_LONG("seccomp_sandbox", driver->seccompSandbox);
+ tmp = NULL;
+ GET_VALUE_STR("tunnel_tcp_ro", tmp);
+ if (tmp &&
+ (driver->tunnelTcpRo = qemuTunnelTcpConfigTypeFromString(tmp)) < 0) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("Invalid value '%s' for config option tunnel_tcp_ro"),
+ tmp);
+ goto cleanup;
+ }
+
+ tmp = NULL;
+ GET_VALUE_STR("tunnel_tcp_rw", tmp);
+ if (tmp &&
+ (driver->tunnelTcpRw = qemuTunnelTcpConfigTypeFromString(tmp)) < 0) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("Invalid value '%s' for config option tunnel_tcp_rw"),
+ tmp);
+ goto cleanup;
+ }
+
 ret = 0;
 cleanup:
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index d0d25ce..0d2d66b 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -163,8 +163,21 @@ struct _virQEMUDriver {
 int keepAliveInterval;
 unsigned int keepAliveCount;
 int seccompSandbox;
+
+ int tunnelTcpRo;
+ int tunnelTcpRw;
 };
+enum qemuTunnelTcpConfigType {
+ QEMU_TCP_TUNNEL_DISABLE = 0,
+ QEMU_TCP_TUNNEL_LOCAL,
+ QEMU_TCP_TUNNEL_ENABLE,
+
+ QEMU_TCP_TUNNEL_LAST
+};
+
+VIR_ENUM_DECL(qemuTunnelTcpConfig);
+
 typedef struct _qemuDomainCmdlineDef qemuDomainCmdlineDef;
 typedef qemuDomainCmdlineDef *qemuDomainCmdlineDefPtr;
 struct _qemuDomainCmdlineDef {
--
1.8.0
--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
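Review bot: The new `int tunnelTcpRo;` and `int tunnelTcpRw;` fields carry no comment tying them to `enum qemuTunnelTcpConfigType`, and the policy-relevant fact that a zero-filled driver struct equals `QEMU_TCP_TUNNEL_DISABLE` (the only enumerator given an explicit `= 0`) is left implicit. That zero-means-closed property is what makes the config file's "disabled by default" claim hold when the option is absent, provided the driver struct is allocated zeroed, which I would assume but cannot see here, so it is worth stating at the declaration. Suggest `int tunnelTcpRo; /* enum qemuTunnelTcpConfigType, read-only clients; 0 == disable */`, the same for `tunnelTcpRw` with "read-write clients", and above the enum `/* DISABLE must stay 0 so an unset option denies tunnelling. */`. The struct _virQEMUDriver definition starts outside the hunk.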