From: Anthony Liguori
Subject: Re: [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access
Date: Thu, 26 Feb 2009 16:05:18 -0600
User-agent: Thunderbird 2.0.0.19 (X11/20090105)
Daniel P. Berrange wrote:
This patch introduces a generic internal API for access control lists to be used by network servers in QEMU. It adds support for checking these ACLs in the VNC server, in two places. The first ACL is for the SASL authentication mechanism, checking the SASL username. This ACL is called 'vnc.username'. The second is for the TLS authentication mechanism, when x509 client certificates are turned on, checking against the Distinguished Name of the client. This ACL is called 'vnc.x509dname'.

The internal API provides for an ACL with the following characteristics

- A unique name, eg vnc.username, and vnc.x509dname.
- A default policy, allow or deny
- An ordered series of match rules, with allow or deny policy

If none of the match rules apply, then the default policy is used.

There is a monitor API to manipulate the ACLs, which I'll describe via examples

(qemu) acl show vnc.username
policy: allow
(qemu) acl policy vnc.username deny
acl: policy set to 'deny'
(qemu) acl allow vnc.username fred
acl: added rule at position 1
(qemu) acl allow vnc.username bob
acl: added rule at position 2
(qemu) acl allow vnc.username joe 1
acl: added rule at position 1
(qemu) acl show vnc.username
policy: deny
0: allow fred
1: allow joe
2: allow bob
(qemu) acl show vnc.x509dname
policy: allow
(qemu) acl policy vnc.x509dname deny
acl: policy set to 'deny'
(qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=*
acl: added rule at position 1
(qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob
acl: added rule at position 2
(qemu) acl show vnc.x509dname
policy: deny
0: allow C=GB,O=ACME,L=London,CN=*
1: allow C=GB,O=ACME,L=Boston,CN=bob

At startup the ACLs currently default to an allow policy.
The next patch will provide a way to load a pre-defined ACL when starting up

Makefile | 6 +-
b/acl.c | 168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
b/acl.h | 74 ++++++++++++++++++++++++
monitor.c | 95 +++++++++++++++++++++++++++++++
vnc-auth-sasl.c | 16 ++++-
vnc-auth-sasl.h | 7 ++
vnc-tls.c | 19 ++++++
vnc-tls.h | 3 +
vnc.c | 14 ++++
vnc.h | 3 +
10 files changed, 398 insertions(+), 7 deletions(-)

Signed-off-by: Daniel P. Berrange <address@hidden>
This breaks the build on win32. Attached are the build log and config info.

Regards,

Anthony Liguori
# Automatically generated by configure - do not modify
# Configured with: '/home/anthony/git/qemu/configure' '--cross-prefix=i686-pc-mingw32-' '--target-list=x86_64-softmmu'
prefix=c:\\Program Files\\Qemu
bindir=${prefix}
mandir=${prefix}
datadir=${prefix}
docdir=${prefix}
MAKE=make
INSTALL=install
CC=i686-pc-mingw32-gcc
HOST_CC=gcc
AR=i686-pc-mingw32-ar
STRIP=i686-pc-mingw32-strip -s -R .comment -R .note
OS_CFLAGS=
OS_LDFLAGS=
ARCH_CFLAGS=-m32
ARCH_LDFLAGS=-m32
CFLAGS= -O2 -g -fno-strict-aliasing -Wall -Wundef -Wendif-labels -Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls
LDFLAGS= -g -Wl,--warn-common
EXESUF=.exe
AIOLIBS=
ARCH=i386
CONFIG_WIN32=yes
CONFIG_GDBSTUB=yes
CONFIG_SLIRP=yes
CONFIG_AC97=yes
CONFIG_ES1370=yes
CONFIG_SB16=yes
CONFIG_VNC_TLS=yes
CONFIG_VNC_TLS_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include
CONFIG_VNC_TLS_LIBS=-L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls
VERSION=0.9.1
SRC_PATH=/home/anthony/git/qemu
VPATH=/home/anthony/git/qemu
TARGET_DIRS=x86_64-softmmu
CONFIG_SDL=yes
SDL_LIBS=-lmingw32 -lSDLmain -lSDL -mwindows
SDL_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include/SDL -D_GNU_SOURCE=1 -Dmain=SDL_main
INSTALL_BLOBS=yes
HOST_USB=stub
TOOLS=qemu-img$(EXESUF)
Install prefix    c:\\Program Files\\Qemu
BIOS directory    c:\\Program Files\\Qemu
binary directory  c:\\Program Files\\Qemu
Source path       /home/anthony/git/qemu
C compiler        i686-pc-mingw32-gcc
Host C compiler   gcc
ARCH_CFLAGS       -m32
make              make
install           install
host CPU          i386
host big endian   no
target list       x86_64-softmmu
gprof enabled     no
sparse enabled    no
profiler          no
static build      no
-Werror enabled   no
SDL support       yes
SDL static link   yes
curses support    no
mingw32 support   yes
Audio drivers
Extra audio cards ac97 es1370 sb16
Mixer emulation   no
VNC TLS support   yes
    TLS CFLAGS    -I/usr/i686-pc-mingw32/sys-root/mingw/include
    TLS LIBS      -L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls
VNC SASL support  no
kqemu support     yes
brlapi support    no
Documentation     no
NPTL support      no
vde support       no
AIO support       no
Install blobs     yes
KVM support       no - (linux/kvm.h: No such file or directory, #error Invalid KVM version, #error Missing KVM capability KVM_CAP_USER_MEMORY, #error Missing KVM capability KVM_CAP_SET_TSS_ADDR, #error Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)
fdt support       no
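The ACL model Daniel describes above (a named ACL with a default policy and an ordered series of allow/deny match rules, where the first rule that matches decides and the default applies otherwise), as an added C example that is not the patch's acl.c nor any other QEMU code; the struct layout, the acl_insert/acl_check functions and the small inline '*'/'?' glob matcher used in place of fnmatch(3) are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#define ACL_MAX_RULES 16

struct acl_rule { int allow; char match[128]; };   /* one ordered match rule */

/* A named ACL (e.g. "vnc.username"): default policy plus ordered rules. */
struct acl {
    const char *name;
    int default_allow;                     /* used when no rule matches */
    int nrules;
    struct acl_rule rules[ACL_MAX_RULES];  /* evaluated in order */
};

/* Minimal glob ('*' any run, '?' one char); assumed here instead of fnmatch(3). */
static int glob_match(const char *pat, const char *s)
{
    if (*pat == '\0') return *s == '\0';
    if (*pat == '*') {
        for (;; s++) {
            if (glob_match(pat + 1, s)) return 1;
            if (*s == '\0') return 0;
        }
    }
    if (*s == '\0') return 0;
    if (*pat == '?' || *pat == *s) return glob_match(pat + 1, s + 1);
    return 0;
}

/* Insert a rule at 0-based index (out of range = append); returns index or -1. */
int acl_insert(struct acl *a, int allow, const char *match, int index)
{
    if (a->nrules >= ACL_MAX_RULES) return -1;
    if (index < 0 || index > a->nrules) index = a->nrules;
    memmove(&a->rules[index + 1], &a->rules[index],
            (a->nrules - index) * sizeof(a->rules[0]));
    a->rules[index].allow = allow;
    snprintf(a->rules[index].match, sizeof(a->rules[index].match), "%s", match);
    a->nrules++;
    return index;
}

/* First matching rule decides; if none matches, the default policy applies. */
int acl_check(const struct acl *a, const char *subject)
{
    for (int i = 0; i < a->nrules; i++)
        if (glob_match(a->rules[i].match, subject))
            return a->rules[i].allow;
    return a->default_allow;
}
```

With a deny default, inserting fred, then bob, then joe at index 1 gives the order fred, joe, bob shown by `acl show vnc.username` above, and the `C=GB,O=ACME,L=London,CN=*` rule admits any London CN while Boston is limited to bob. Because rules are evaluated in order, a deny rule placed ahead of an allow rule for the same subject wins, so rule position is itself part of the policy.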