On Tue, Jan 25, 2011 at 05:36:53PM -0700, Eric Blake wrote:
This series has hopefully taken into account all the feedback from v2 (https://www.redhat.com/archives/libvir-list/2011-January/msg00608.html).
Major changes: - enhance the XML to support optional ccid <controller> (missing controllers are added according to <address> elements) and optional <address> per smartcard (missing address assume the next available port on controller 0) - enhance the XML to support an optional <source dev='/path'/> for host mode. For now, this path is only used in SELinux labeling; I suspect that this needs more work, since the point is that a single device in the host should be shared among the NSS implementation of multiple guests (so labeling the host device to belong to a single guest is wrong); but fixing it correctly requires a better understanding of what NSS actually needs to access, as well as possibly modifying qemu's smartcard implementation to take the host device either as a pathname or even as an already-opened fd.
I just remembered how NSS actually talks to cards. So basically if you are using a physical card it will go through a TCP connection to a local daemon called pcscd - I'm guessing that means no SELinux labeling would be required? Does SELinux label sockets? pcscd is a single instance, so wouldn't pose a problem for SELinux. It uses libccid which is linked to libusb which does the actual device open, so just pcscd needs the permissions for device access.
- enhance the XML to support an optional <database> element for host-certificates mode. - enhance the qemu command line to fully populate all parameters, rather than the bare minimum defaults, and reflect that in the tests.
It requires this pre-requisite patch for qemu -chardev aliases: https://www.redhat.com/archives/libvir-list/2011-January/msg01032.html
Eric Blake (5): smartcard: add XML support for <smartcard> device smartcard: add domain conf support smartcard: check for qemu capability smartcard: enable SELinux support smartcard: turn on qemu support
cfg.mk | 1 + docs/formatdomain.html.in | 95 +++++- docs/schemas/domain.rng | 73 ++++ src/conf/domain_conf.c | 396 +++++++++++++++++++- src/conf/domain_conf.h | 53 +++- src/libvirt_private.syms | 4 + src/qemu/qemu_capabilities.c | 2 + src/qemu/qemu_capabilities.h | 1 + src/qemu/qemu_command.c | 90 +++++- src/security/security_selinux.c | 94 +++++ .../qemuxml2argv-smartcard-controller.args | 1 + .../qemuxml2argv-smartcard-controller.xml | 20 + .../qemuxml2argv-smartcard-host-certificates.args | 1 + .../qemuxml2argv-smartcard-host-certificates.xml | 20 + .../qemuxml2argv-smartcard-host.args | 1 + .../qemuxml2argv-smartcard-host.xml | 16 + .../qemuxml2argv-smartcard-passthrough-tcp.args | 1 + .../qemuxml2argv-smartcard-passthrough-tcp.xml | 19 + tests/qemuxml2argvtest.c | 13 + 19 files changed, 887 insertions(+), 14 deletions(-) create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-controller.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-controller.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host-certificates.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host-certificates.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host.xml create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-passthrough-tcp.args create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-passthrough-tcp.xml
-- 1.7.3.5