
On Mon, Feb 20, 2023 at 11:47:09AM +0100, Peter Krempa wrote:
The example gives the user authorized to work with the domain permission to open the graphics socket. Since the graphics socket may be protected with a password it makes sense to grant the user the 'domain.read-secure' permission to fetch the password for the graphics object.
This also goes along with e.g. 'domain.send-input' and 'domain.screenshot' as they'll allow the user to interact with the domain even if they didn't have the password.
The password isn't required, as you can use virDomainOpenGraphics to connect when it's a local display, and that's allowed via the domain.open-graphics permission. virt-viewer at least will use this API, but can't remember if virt-manager will. This also bypasses any need to configure TLS certificates for VNC, or do Kerberos auth if that's enabled.
Signed-off-by: Peter Krempa <pkrempa@redhat.com> --- examples/polkit/libvirt-acl.rules | 1 + 1 file changed, 1 insertion(+)
diff --git a/examples/polkit/libvirt-acl.rules b/examples/polkit/libvirt-acl.rules index dd6836599a..2edd9c5b8e 100644 --- a/examples/polkit/libvirt-acl.rules +++ b/examples/polkit/libvirt-acl.rules @@ -93,6 +93,7 @@ restrictedActions = [ "domain.inject-nmi", "domain.open-device", "domain.open-graphics", + "domain.read-secure",
We don't allow the secret.read-secure parameter, and I don't think we should allow this either.
"domain.pm-control", "domain.read", "domain.reset", -- 2.39.2
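Review bot: the added `+ "domain.read-secure",` entry in restrictedActions grants more than the stated goal of letting a graphics-authorized user reach the display: read-secure covers reading secure domain data in general, not only the graphics password, and the password is not needed for the local-display case because virDomainOpenGraphics is already permitted by the "domain.open-graphics" entry directly above the inserted line. Suggest dropping the line, which also keeps the example consistent with secret.read-secure not being granted in this list.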
With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|