9:46 a.m.
This is not going to be very widely used, but for some corner cases and
easier (unsafe) debugging, it might be nice.
Signed-off-by: Martin Kletzander <mkletzan(a)redhat.com>
---
daemon/libvirtd-config.c | 5 ++++-
daemon/libvirtd-config.h | 1 +
daemon/libvirtd.aug | 1 +
daemon/libvirtd.conf | 8 ++++++++
daemon/test_libvirtd.aug.in | 1 +
tests/confdata/libvirtd.conf | 6 ++++++
tests/confdata/libvirtd.out | 5 +++++
7 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/daemon/libvirtd-config.c b/daemon/libvirtd-config.c
index 3694455..bce2d70 100644
--- a/daemon/libvirtd-config.c
+++ b/daemon/libvirtd-config.c
@@ -264,7 +264,8 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED)
if (VIR_STRDUP(data->unix_sock_rw_perms,
data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" :
"0700") < 0 ||
- VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0)
+ VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0 ||
+ VIR_STRDUP(data->unix_sock_admin_perms, "0700") < 0)
goto error;
#if WITH_SASL
@@ -337,6 +338,7 @@ daemonConfigFree(struct daemonConfig *data)
}
VIR_FREE(data->access_drivers);
+ VIR_FREE(data->unix_sock_admin_perms);
VIR_FREE(data->unix_sock_ro_perms);
VIR_FREE(data->unix_sock_rw_perms);
VIR_FREE(data->unix_sock_group);
@@ -404,6 +406,7 @@ daemonConfigLoadOptions(struct daemonConfig *data,
goto error;
GET_CONF_STR(conf, filename, unix_sock_group);
+ GET_CONF_STR(conf, filename, unix_sock_admin_perms);
GET_CONF_STR(conf, filename, unix_sock_ro_perms);
GET_CONF_STR(conf, filename, unix_sock_rw_perms);
diff --git a/daemon/libvirtd-config.h b/daemon/libvirtd-config.h
index c996995..b8d2bc0 100644
--- a/daemon/libvirtd-config.h
+++ b/daemon/libvirtd-config.h
@@ -35,6 +35,7 @@ struct daemonConfig {
char *tls_port;
char *tcp_port;
+ char *unix_sock_admin_perms;
char *unix_sock_ro_perms;
char *unix_sock_rw_perms;
char *unix_sock_group;
diff --git a/daemon/libvirtd.aug b/daemon/libvirtd.aug
index 5a0807c..b20ceca 100644
--- a/daemon/libvirtd.aug
+++ b/daemon/libvirtd.aug
@@ -35,6 +35,7 @@ module Libvirtd =
let sock_acl_entry = str_entry "unix_sock_group"
| str_entry "unix_sock_ro_perms"
| str_entry "unix_sock_rw_perms"
+ | str_entry "unix_sock_admin_perms"
| str_entry "unix_sock_dir"
let authentication_entry = str_entry "auth_unix_ro"
diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
index 069ef3a..6ef38fa 100644
--- a/daemon/libvirtd.conf
+++ b/daemon/libvirtd.conf
@@ -106,9 +106,17 @@
# control, then you may want to relax this too.
#unix_sock_rw_perms = "0770"
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to.
+#unix_sock_admin_perms = "0700"
+
# Set the name of the directory in which sockets will be found/created.
#unix_sock_dir = "/var/run/libvirt"
+
+
#################################################################
#
# Authentication.
diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
index 37ff33d..a87df5f 100644
--- a/daemon/test_libvirtd.aug.in
+++ b/daemon/test_libvirtd.aug.in
@@ -12,6 +12,7 @@ module Test_libvirtd =
{ "unix_sock_group" = "libvirt" }
{ "unix_sock_ro_perms" = "0777" }
{ "unix_sock_rw_perms" = "0770" }
+ { "unix_sock_admin_perms" = "0700" }
{ "unix_sock_dir" = "/var/run/libvirt" }
{ "auth_unix_ro" = "none" }
{ "auth_unix_rw" = "none" }
diff --git a/tests/confdata/libvirtd.conf b/tests/confdata/libvirtd.conf
index 2f2ba4b..5029c4c 100644
--- a/tests/confdata/libvirtd.conf
+++ b/tests/confdata/libvirtd.conf
@@ -89,6 +89,12 @@ unix_sock_ro_perms = "0777"
# control then you may want to relax this to:
unix_sock_rw_perms = "0770"
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
+
#################################################################
diff --git a/tests/confdata/libvirtd.out b/tests/confdata/libvirtd.out
index 171945d..4d7ed47 100644
--- a/tests/confdata/libvirtd.out
+++ b/tests/confdata/libvirtd.out
@@ -71,6 +71,11 @@ unix_sock_ro_perms = "0777"
# If not using PolicyKit and setting group ownership for access
# control then you may want to relax this to:
unix_sock_rw_perms = "0770"
+# Set the UNIX socket permissions for the admin interface socket.
+#
+# Default allows only owner (root), do not change it unless you are
+# sure to whom you are exposing the access to
+unix_sock_admin_perms = "0700"
#################################################################
#
# Authentication.
--
2.3.5