This patch introduces a simple access control file capability
for authorizing clients of QEMU's various network services.

The file is designed such that it can be shared amongst multiple
QEMU instances. The style of commands is similar to that used
in the monitor ACL commands. It is a line oriented format, with
comments indicated by leading '#'. Each non-comment line consists
of 4 fields, 'scope', 'aclname', 'action' and 'value'.

The scope allows control over what VMs the rule applies to. This
is a glob, so '*' matches any VM. An explicit value can be matched
against the VM name, as given by the '-name' argument.

The aclname is one of the ACLs defined by QEMU, either vnc.username
or vnc.x509dname for now. More later perhaps.

The action can be one of 'policy', 'allow', or 'deny'. The policy
sets the default allow/deny state for the ACL, if no rules match.

Finally the 'value' is another glob matching against the client
name being checked.

An example showing use of both SASL username ACLs, and x509 client
certificate distinguished name ACLs.

  # Default deny all for all SASL authenticated users in all VMs
  * vnc.username policy deny
  # Allow bob access to all VMs
  * vnc.username allow bob
  # Allow fred and test access to the VM named 'demo'
  demo vnc.username allow fred
  demo vnc.username allow test
  # Deny all x509 client certificates on all VMs
  * vnc.x509dname policy deny
  # Allow all users from the ACME, London office to all VMs
  * vnc.x509dname allow "C=GB,O=ACME,L=London,CN=*"
  # Allow Joe from Boston, access to VM 'demo'
  demo vnc.x509dname allow "C=GB,O=ACME,L=Boston,CN=joe"
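
An added illustration, not part of the patch or of QEMU's code: a small Python evaluator for the four-field format described above, useful for checking what a shared ACL file would decide for a given VM and client. Assumptions the message does not state: rules are read in file order and the first matching allow/deny decides, an applicable 'policy' line sets the default, and a file with no policy line denies; parse_acl, check and SAMPLE are hypothetical names.

```python
import shlex
from fnmatch import fnmatchcase

ACLS = {"vnc.username", "vnc.x509dname"}   # the two ACL names the message lists

# Constructed sample: the rules from the message above, comments dropped.
SAMPLE = '''\
* vnc.username policy deny
* vnc.username allow bob
demo vnc.username allow fred
* vnc.x509dname policy deny
* vnc.x509dname allow "C=GB,O=ACME,L=London,CN=*"
demo vnc.x509dname allow "C=GB,O=ACME,L=Boston,CN=joe"
'''

def parse_acl(text):
    """Parse the file into (scope, aclname, action, value) tuples.
    Malformed lines raise ValueError so a typo never silently drops a rule."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):       # blank line or comment
            continue
        fields = shlex.split(line)                 # keeps a quoted DN as one field
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(fields)}")
        scope, aclname, action, value = fields
        if aclname not in ACLS or action not in ("policy", "allow", "deny"):
            raise ValueError(f"line {lineno}: unknown aclname or action")
        if action == "policy" and value not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: policy value must be allow or deny")
        rules.append((scope, aclname, action, value))
    return rules

def check(rules, vm, aclname, client):
    """Return True if 'client' is allowed on VM 'vm' under ACL 'aclname'."""
    default = False                                # assumption: no policy means deny
    for scope, name, action, value in rules:
        if name != aclname or not fnmatchcase(vm, scope):
            continue                               # other ACL, or scope glob misses this VM
        if action == "policy":
            default = (value == "allow")
        elif fnmatchcase(client, value):           # value is a glob on the client name
            return action == "allow"               # assumption: first match wins
    return default
```

The matching here is a plain string glob, so a pattern such as "C=GB,O=ACME,L=London,CN=*" only matches when the client's distinguished name is presented with the same field order and spelling.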