This patch adds configuration options for the qemu driver to control the
behavior of the TCP tunnelling API. The behavior can be configured
separately for read-write connections and for read-only connections
enabling finer granularity of control.
---
src/qemu/qemu.conf | 16 ++++++++++++++++
src/qemu/qemu_conf.c | 26 ++++++++++++++++++++++++++
src/qemu/qemu_conf.h | 13 +++++++++++++
3 files changed, 55 insertions(+)
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index dd853c8..3378a01 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -153,6 +153,22 @@
#remote_display_port_min = 5900
#remote_display_port_max = 65535
+##
+# TCP tunneling
+#
+# Libvirt supports TCP tunneling using libvirt's streams. This can be used
+# to forward graphical display and other connections from remote clients
+# to the host machine. This might pose a security risk so the tunneling
+# option is disabled by default.
+#
+# Possible values are: "disable" - don't allow any tcp tunnels
+# "local" - allow connections only to the host node
+# "enable" - allow tunneling to any node
+#
+# Configuration of forwarding for read-write connections:
+#tunnel_tcp_rw = "enable"
+# Configuration of forwarding for read-only connections:
+#tunnel_tcp_ro = "local"
# The default security driver is SELinux. If SELinux is disabled
# on the host, then the security driver will automatically disable
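Review bot: The comment block says tunneling "is disabled by default", but the commented sample settings show `tunnel_tcp_rw = "enable"` and `tunnel_tcp_ro = "local"`; in this file a commented-out line is conventionally read as the default, so the two statements contradict each other and an administrator copying the sample would silently relax the policy. If the driver side really defaults to the zero value (DISABLE), the samples should read `#tunnel_tcp_rw = "disable"` and `#tunnel_tcp_ro = "disable"`, with the more permissive values mentioned only in prose. It would also help to state that "local" still exposes services bound on the host node to read-only clients, so it is not a no-risk setting for that class of connection.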
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 8d380a1..396e5d9 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -57,6 +57,11 @@
#define VIR_FROM_THIS VIR_FROM_QEMU
+VIR_ENUM_IMPL(qemuTunnelTcpConfig, QEMU_TCP_TUNNEL_LAST,
+ "disable",
+ "local",
+ "enable");
+
struct _qemuDriverCloseDef {
virConnectPtr conn;
qemuDriverCloseCallback cb;
@@ -78,6 +83,7 @@ int qemuLoadDriverConfig(virQEMUDriverPtr driver,
virConfValuePtr p;
char *user = NULL;
char *group = NULL;
+ char *tmp;
int ret = -1;
int i;
@@ -375,6 +381,26 @@ int qemuLoadDriverConfig(virQEMUDriverPtr driver,
GET_VALUE_LONG("keepalive_count", driver->keepAliveCount);
GET_VALUE_LONG("seccomp_sandbox", driver->seccompSandbox);
+ tmp = NULL;
+ GET_VALUE_STR("tunnel_tcp_ro", tmp);
+ if (tmp &&
+ (driver->tunnelTcpRo = qemuTunnelTcpConfigTypeFromString(tmp)) < 0) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("Invalid value '%s' for config option
tunnel_tcp_ro"),
+ tmp);
+ goto cleanup;
+ }
+
+ tmp = NULL;
+ GET_VALUE_STR("tunnel_tcp_rw", tmp);
+ if (tmp &&
+ (driver->tunnelTcpRw = qemuTunnelTcpConfigTypeFromString(tmp)) < 0) {
+ virReportError(VIR_ERR_CONF_SYNTAX,
+ _("Invalid value '%s' for config option
tunnel_tcp_rw"),
+ tmp);
+ goto cleanup;
+ }
+
ret = 0;
cleanup:
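Review bot: The string read into `tmp` by `GET_VALUE_STR("tunnel_tcp_ro", tmp)` is never released: the second `tmp = NULL;` drops the first value, nothing frees the second on the success path, and the `goto cleanup` on a bad value leaves it too (cleanup lies outside the hunk). Assuming `GET_VALUE_STR` duplicates the string as it does for `user` and `group` earlier in this function, replace the second reset with `VIR_FREE(tmp);`, add `VIR_FREE(tmp);` after the rw check, and initialise the declaration added in the earlier hunk as `char *tmp = NULL;` so a final `VIR_FREE(tmp);` under `cleanup:` is safe on every path. Note also that on an invalid value `driver->tunnelTcpRo`/`tunnelTcpRw` is left holding -1 before the error return; that is harmless only because the load fails, so a comment such as `/* on error the field holds -1; the driver does not start */` would make the intent explicit. qemuLoadDriverConfig starts and ends outside the hunk.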
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index d0d25ce..0d2d66b 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -163,8 +163,21 @@ struct _virQEMUDriver {
int keepAliveInterval;
unsigned int keepAliveCount;
int seccompSandbox;
+
+ int tunnelTcpRo;
+ int tunnelTcpRw;
};
+enum qemuTunnelTcpConfigType {
+ QEMU_TCP_TUNNEL_DISABLE = 0,
+ QEMU_TCP_TUNNEL_LOCAL,
+ QEMU_TCP_TUNNEL_ENABLE,
+
+ QEMU_TCP_TUNNEL_LAST
+};
+
+VIR_ENUM_DECL(qemuTunnelTcpConfig);
+
typedef struct _qemuDomainCmdlineDef qemuDomainCmdlineDef;
typedef qemuDomainCmdlineDef *qemuDomainCmdlineDefPtr;
struct _qemuDomainCmdlineDef {
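Review bot: The two new fields `int tunnelTcpRo;` and `int tunnelTcpRw;` carry no documentation, and the enum that gives their values is declared only after the struct, so a reader of `_virQEMUDriver` cannot tell what the ints mean or what an unset field implies. Add a comment above them such as `/* enum qemuTunnelTcpConfigType; 0 (QEMU_TCP_TUNNEL_DISABLE) when not set in qemu.conf, assuming the driver struct is zero-allocated */`, and a one-line comment on the enum noting that `QEMU_TCP_TUNNEL_DISABLE` must stay 0 because the unset default depends on it. Whether the driver object is zeroed at allocation is not visible in this hunk, so that assumption should be confirmed where the driver is created.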
--
1.8.0