From: "Daniel P. Berrange" <berrange(a)redhat.com>
QEMU has support for SASL auth for SPICE guests, but libvirt
has no way to enable it. Following the example of VNC, where
it is globally enabled via qemu.conf, do the same for SPICE.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/qemu/libvirtd_qemu.aug | 2 ++
src/qemu/qemu.conf | 16 ++++++++++++++++
src/qemu/qemu_command.c | 10 ++++++++++
src/qemu/qemu_conf.c | 3 +++
src/qemu/qemu_conf.h | 2 ++
src/qemu/test_libvirtd_qemu.aug.in | 2 ++
6 files changed, 35 insertions(+)
diff --git a/src/qemu/libvirtd_qemu.aug b/src/qemu/libvirtd_qemu.aug
index cd13d53..118d4c7 100644
--- a/src/qemu/libvirtd_qemu.aug
+++ b/src/qemu/libvirtd_qemu.aug
@@ -38,6 +38,8 @@ module Libvirtd_qemu =
| bool_entry "spice_tls"
| str_entry "spice_tls_x509_cert_dir"
| str_entry "spice_password"
+ | bool_entry "spice_sasl"
+ | str_entry "spice_sasl_dir"
let nogfx_entry = bool_entry "nographics_allow_host_audio"
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index 5fd6263..6d4e99e 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -140,6 +140,22 @@
#spice_password = "XYZ12345"
+# Enable use of SASL encryption on the SPICE server. This requires
+# a SPICE client which supports the SASL protocol extension.
+#
+# It is necessary to configure /etc/sasl2/qemu.conf to choose
+# the desired SASL plugin (eg, GSSPI for Kerberos)
+#
+#spice_sasl = 1
+
+# The default SASL configuration file is located in /etc/sasl2/
+# When running libvirtd unprivileged, it may be desirable to
+# override the configs in this location. Set this parameter to
+# point to the directory, and create a qemu.conf in that location
+#
+#spice_sasl_dir = "/some/directory/sasl2"
+
+
# By default, if no graphical front end is configured, libvirt will disable
# QEMU audio output since directly talking to alsa/pulseaudio may not work
# with various security settings. If you know what you're doing, enable
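Review bot: The new comment block describes the option as "SASL encryption", but SASL is an authentication framework and whether the session is also encrypted depends on the mechanism the administrator configures; mechanisms such as PLAIN provide no confidentiality at all, so an admin reading "encryption" may reasonably skip spice_tls. I would open with `# Enable use of SASL authentication on the SPICE server. This requires` and add a sentence after the /etc/sasl2/qemu.conf paragraph noting that SASL only protects the data stream when the chosen mechanism negotiates a security layer, and that spice_tls should be enabled alongside it otherwise. The mechanism example on the "(eg, GSSPI for Kerberos)" line is a typo for GSSAPI, `# the desired SASL plugin (eg, GSSAPI for Kerberos)`. The same wording appears to have been carried over from the VNC section above, so that block may deserve the same correction.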
diff --git a/src/qemu/qemu_command.c b/src/qemu/qemu_command.c
index 91ca86a..5e4ebc8 100644
--- a/src/qemu/qemu_command.c
+++ b/src/qemu/qemu_command.c
@@ -7065,6 +7065,16 @@ qemuBuildGraphicsSPICECommandLine(virQEMUDriverConfigPtr cfg,
virBufferAsprintf(&opt, "tls-port=%u", tlsPort);
}
+ if (cfg->spiceSASL) {
+ virBufferAddLit(&opt, ",sasl");
+
+ if (cfg->spiceSASLdir)
+ virCommandAddEnvPair(cmd, "SASL_CONF_DIR",
+ cfg->spiceSASLdir);
+
+ /* TODO: Support ACLs later */
+ }
+
switch (virDomainGraphicsListenGetType(graphics, 0)) {
case VIR_DOMAIN_GRAPHICS_LISTEN_TYPE_ADDRESS:
listenAddr = virDomainGraphicsListenGetAddress(graphics, 0);
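Review bot: The environment variable name passed to virCommandAddEnvPair looks wrong: as far as I know libsasl2 locates its configuration directory via SASL_CONF_PATH, not SASL_CONF_DIR, so the spice_sasl_dir override would be silently ignored and the mechanism configuration in the default /etc/sasl2 used instead, which contradicts the new qemu.conf documentation; please verify against the libsasl2 version in use and, if confirmed, change the call to `virCommandAddEnvPair(cmd, "SASL_CONF_PATH", cfg->spiceSASLdir);`. Since the variable is only consulted by the SASL library inside the QEMU process, a mistake here produces no error on the libvirt side, so a comment stating which library consumes it would help the next reader, e.g. `/* Consumed by libsasl2 inside QEMU, not by QEMU itself */`. The `/* TODO: Support ACLs later */` marker should say what an ACL would be (a list of permitted SASL usernames, as the VNC path presumably intends) so the TODO is actionable. qemuBuildGraphicsSPICECommandLine begins and ends outside this hunk.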
diff --git a/src/qemu/qemu_conf.c b/src/qemu/qemu_conf.c
index 1f57f72..41ca7a3 100644
--- a/src/qemu/qemu_conf.c
+++ b/src/qemu/qemu_conf.c
@@ -266,6 +266,7 @@ static void virQEMUDriverConfigDispose(void *obj)
VIR_FREE(cfg->spiceTLSx509certdir);
VIR_FREE(cfg->spiceListen);
VIR_FREE(cfg->spicePassword);
+ VIR_FREE(cfg->spiceSASLdir);
VIR_FREE(cfg->hugetlbfsMount);
VIR_FREE(cfg->hugepagePath);
@@ -379,6 +380,8 @@ int virQEMUDriverConfigLoadFile(virQEMUDriverConfigPtr cfg,
GET_VALUE_BOOL("spice_tls", cfg->spiceTLS);
GET_VALUE_STR("spice_tls_x509_cert_dir", cfg->spiceTLSx509certdir);
+ GET_VALUE_BOOL("spice_sasl", cfg->spiceSASL);
+ GET_VALUE_STR("spice_sasl_dir", cfg->spiceSASLdir);
GET_VALUE_STR("spice_listen", cfg->spiceListen);
GET_VALUE_STR("spice_password", cfg->spicePassword);
diff --git a/src/qemu/qemu_conf.h b/src/qemu/qemu_conf.h
index 206f2c6..cbd7053 100644
--- a/src/qemu/qemu_conf.h
+++ b/src/qemu/qemu_conf.h
@@ -111,6 +111,8 @@ struct _virQEMUDriverConfig {
bool spiceTLS;
char *spiceTLSx509certdir;
+ bool spiceSASL;
+ char *spiceSASLdir;
char *spiceListen;
char *spicePassword;
diff --git a/src/qemu/test_libvirtd_qemu.aug.in b/src/qemu/test_libvirtd_qemu.aug.in
index ea770dc..1a9fb20 100644
--- a/src/qemu/test_libvirtd_qemu.aug.in
+++ b/src/qemu/test_libvirtd_qemu.aug.in
@@ -15,6 +15,8 @@ module Test_libvirtd_qemu =
{ "spice_tls" = "1" }
{ "spice_tls_x509_cert_dir" = "/etc/pki/libvirt-spice" }
{ "spice_password" = "XYZ12345" }
+{ "spice_sasl" = "1" }
+{ "spice_sasl_dir" = "/some/directory/sasl2" }
{ "nographics_allow_host_audio" = "1" }
{ "remote_display_port_min" = "5900" }
{ "remote_display_port_max" = "65535" }
--
1.8.3.1