This patch hooks up the basic authentication RPC calls, and the specific SASL implementation. The SASL impl can be enabled/disable via the configurre script with --without-sasl / --with-sasl - it'll auto-enable it if it finds the headers & libs OK. The sample /etc/sasl2/libvirt.conf file enables the DIGEST-MD5 mechanism by default, since it is by far the easiest to setup for admins. No need for a Kerberos server, or certificates - it just uses username/password which can be set with 'saslpasswd2 -a libvirt [username]' and a list of all active users viewed with 'sasldblistusers2 -a libvirt' There are also example settings for enabling Kerberos (GSSAPI) but this is disabled by default. It requires a file /etc/libvirt/krb5.tab containing a service principle. On some distros you need to set KRB5_KTNAME to point to this file when starting the daemon, so our init script does that. Other distros, the 'keytab' config param in /etc/sasl2/libvirt.conf is actually honoured. With this patch you can successfully authentication client <-> server for any authentication mechansim which doesn't need to prompt the user for credentials. In effect this means it only works for GSSAPI/Kerberos, but the later patches in this series will enable callbacks making the default DIGEST-MD5 auth work. The way auth is controlled, is that if the 'auth' parameter is set on the struct qemud_client object, *NO* rpc call will be processed except for the REMOTE_PROC_AUTH_LIST, SASL_AUTH_INIT, SASL_AUTH_START & SASL_AUTH_STEP calls. If SASL is not compiled in, the latter 3 will send errors back to the caller. Only once authentication is complete, are the other calls allowed. It currently hardcodes use of SASL on the TCP socket. The TLS & UNIX sockets are unchanged. A subsequent patch will make it configurable. b/qemud/libvirtd.sasl | 28 ++ configure.in | 39 ++ include/libvirt/virterror.h | 1 libvirt.spec.in | 4 qemud/Makefile.am | 21 + qemud/internal.h | 8 qemud/libvirtd.init.in | 3 qemud/libvirtd.sysconf | 3 qemud/qemud.c | 28 +- qemud/remote.c | 392 +++++++++++++++++++++++++++- qemud/remote_dispatch_localvars.h | 6 qemud/remote_dispatch_proc_switch.h | 30 ++ qemud/remote_dispatch_prototypes.h | 4 qemud/remote_protocol.c | 87 ++++++ qemud/remote_protocol.h | 78 +++++ qemud/remote_protocol.x | 50 +++ src/Makefile.am | 3 src/remote_internal.c | 498 +++++++++++++++++++++++++++++++----- src/virsh.c | 4 src/virterror.c | 6 tests/Makefile.am | 2 21 files changed, 1205 insertions(+), 90 deletions(-) diff -r 1c3780349e89 configure.in --- a/configure.in Wed Nov 28 12:02:28 2007 -0500 +++ b/configure.in Thu Nov 29 09:24:10 2007 -0500 @@ -353,6 +353,40 @@ AC_CHECK_TYPE(gnutls_session, [#include <gnutls/gnutls.h>]) CFLAGS="$old_cflags" LDFLAGS="$old_ldflags" + + +dnl Cyrus SASL +AC_ARG_WITH(sasl, + [ --with-sasl use cyrus SASL for authentication], + [], + [with_sasl=yes]) + +SASL_CFLAGS= +SASL_LIBS= +if test "$with_sasl" != "no"; then + if test "$with_sasl" != "yes"; then + SASL_CFLAGS="-I$with_sasl" + SASL_LIBS="-L$with_sasl" + fi + old_cflags="$CFLAGS" + old_libs="$LIBS" + CFLAGS="$CFLAGS $SASL_CFLAGS" + LIBS="$LIBS $SASL_LIBS" + AC_CHECK_HEADER([sasl/sasl.h], + [], + AC_MSG_ERROR([You must install the Cyrus SASL development package in order to compile libvirt])) + AC_CHECK_LIB(sasl2, sasl_client_init, + [], + [AC_MSG_ERROR([You must install the Cyrus SASL library in order to compile and run libvirt])]) + CFLAGS="$old_cflags" + LIBS="$old_libs" + SASL_LIBS="$SASL_LIBS -lsasl2" + AC_DEFINE_UNQUOTED(HAVE_SASL, 1, [whether Cyrus SASL is available for authentication]) +fi +AM_CONDITIONAL(HAVE_SASL, [test "$with_sasl" != "no"]) +AC_SUBST(SASL_CFLAGS) +AC_SUBST(SASL_LIBS) + dnl Avahi library @@ -564,6 +598,11 @@ AC_MSG_NOTICE([]) AC_MSG_NOTICE([]) AC_MSG_NOTICE([ libxml: $LIBXML_CFLAGS $LIBXML_LIBS]) AC_MSG_NOTICE([ gnutls: $GNUTLS_CFLAGS $GNUTLS_LIBS]) +if test "$with_sasl" != "no" ; then +AC_MSG_NOTICE([ sasl: $SASL_CFLAGS $SASL_LIBS]) +else +AC_MSG_NOTICE([ sasl: no]) +fi if test "$with_avahi" = "yes" ; then AC_MSG_NOTICE([ avahi: $AVAHI_CFLAGS $AVAHI_LIBS]) else diff -r 1c3780349e89 include/libvirt/virterror.h --- a/include/libvirt/virterror.h Wed Nov 28 12:02:28 2007 -0500 +++ b/include/libvirt/virterror.h Thu Nov 29 09:24:10 2007 -0500 @@ -131,6 +131,7 @@ typedef enum { VIR_ERR_NO_DOMAIN, /* domain not found or unexpectedly disappeared */ VIR_ERR_NO_NETWORK, /* network not found */ VIR_ERR_INVALID_MAC, /* invalid MAC adress */ + VIR_ERR_AUTH_FAILED, /* authentication failed */ } virErrorNumber; /** diff -r 1c3780349e89 libvirt.spec.in --- a/libvirt.spec.in Wed Nov 28 12:02:28 2007 -0500 +++ b/libvirt.spec.in Thu Nov 29 09:24:10 2007 -0500 @@ -16,6 +16,8 @@ Requires: dnsmasq Requires: dnsmasq Requires: bridge-utils Requires: iptables +Requires: cyrus-sasl +Requires: cyrus-sasl-gssapi BuildRequires: xen-devel BuildRequires: libxml2-devel BuildRequires: readline-devel @@ -26,6 +28,7 @@ BuildRequires: dnsmasq BuildRequires: dnsmasq BuildRequires: bridge-utils BuildRequires: qemu +BuildRequires: cyrus-sasl-devel Obsoletes: libvir ExclusiveArch: i386 x86_64 ia64 @@ -132,6 +135,7 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/libvirtd %config(noreplace) %{_sysconfdir}/libvirt/libvirtd.conf %config(noreplace) %{_sysconfdir}/libvirt/qemu.conf +%config(noreplace) %{_sysconfdir}/sasl2/libvirt.conf %dir %{_datadir}/libvirt/ %dir %{_datadir}/libvirt/networks/ %{_datadir}/libvirt/networks/default.xml diff -r 1c3780349e89 qemud/Makefile.am --- a/qemud/Makefile.am Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/Makefile.am Thu Nov 29 09:24:10 2007 -0500 @@ -17,6 +17,7 @@ EXTRA_DIST = libvirtd.init.in libvirtd.s remote_dispatch_localvars.h \ remote_dispatch_proc_switch.h \ mdns.c mdns.h \ + libvirtd.sasl \ $(conf_DATA) libvirtd_SOURCES = \ @@ -28,14 +29,14 @@ libvirtd_SOURCES = \ #-D_XOPEN_SOURCE=600 -D_XOPEN_SOURCE_EXTENDED=1 -D_POSIX_C_SOURCE=199506L libvirtd_CFLAGS = \ -I$(top_srcdir)/include -I$(top_builddir)/include \ - $(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) \ + $(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(SASL_CFLAGS) \ $(WARN_CFLAGS) -DLOCAL_STATE_DIR="\"$(localstatedir)\"" \ -DSYSCONF_DIR="\"$(sysconfdir)\"" \ -DQEMUD_PID_FILE="\"$(QEMUD_PID_FILE)\"" \ -DREMOTE_PID_FILE="\"$(REMOTE_PID_FILE)\"" \ -DGETTEXT_PACKAGE=\"$(PACKAGE)\" -libvirtd_LDFLAGS = $(WARN_CFLAGS) $(LIBXML_LIBS) $(GNUTLS_LIBS) +libvirtd_LDFLAGS = $(WARN_CFLAGS) $(LIBXML_LIBS) $(GNUTLS_LIBS) $(SASL_LIBS) libvirtd_DEPENDENCIES = ../src/libvirt.la libvirtd_LDADD = ../src/libvirt.la @@ -46,7 +47,7 @@ endif endif default_xml_dest = libvirt/qemu/networks/default.xml -install-data-local: install-init +install-data-local: install-init install-data-sasl mkdir -p $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart $(INSTALL_DATA) $(srcdir)/default-network.xml \ $(DESTDIR)$(sysconfdir)/$(default_xml_dest) @@ -59,7 +60,7 @@ install-data-local: install-init mkdir -p $(DESTDIR)$(localstatedir)/run/libvirt mkdir -p $(DESTDIR)$(localstatedir)/lib/libvirt -uninstall-local: uninstall-init +uninstall-local:: uninstall-init uninstall-data-sasl rm -f $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart/default.xml rm -f $(DESTDIR)$(sysconfdir)/$(default_xml_dest) rmdir $(DESTDIR)$(sysconfdir)/libvirt/qemu/networks/autostart || : @@ -67,6 +68,18 @@ uninstall-local: uninstall-init rmdir $(DESTDIR)$(localstatedir)/run/libvirt || : rmdir $(DESTDIR)$(localstatedir)/lib/libvirt || : +if HAVE_SASL +install-data-sasl:: install-init + mkdir -p $(DESTDIR)$(sysconfdir)/sasl2/ + $(INSTALL_DATA) $(srcdir)/libvirtd.sasl $(DESTDIR)$(sysconfdir)/sasl2/libvirt.conf + +uninstall-data-sasl:: install-init + rm -f $(DESTDIR)$(sysconfdir)/sasl2/libvirt.conf + rmdir $(DESTDIR)$(sysconfdir)/sasl2/ +else +install-data-sasl: +uninstall-data-sasl: +endif if RPCGEN .x.c: diff -r 1c3780349e89 qemud/internal.h --- a/qemud/internal.h Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/internal.h Thu Nov 29 09:24:10 2007 -0500 @@ -28,6 +28,9 @@ #include <gnutls/gnutls.h> #include <gnutls/x509.h> #include "../src/gnutls_1_0_compat.h" +#if HAVE_SASL +#include <sasl/sasl.h> +#endif #ifdef HAVE_SYS_SYSLIMITS_H #include <sys/syslimits.h> @@ -91,6 +94,10 @@ struct qemud_client { int tls; gnutls_session_t session; enum qemud_tls_direction direction; + int auth; +#if HAVE_SASL + sasl_conn_t *saslconn; +#endif unsigned int incomingSerial; unsigned int outgoingSerial; @@ -116,6 +123,7 @@ struct qemud_socket { int readonly; /* If set, TLS is required on this socket. */ int tls; + int auth; int port; struct qemud_socket *next; }; diff -r 1c3780349e89 qemud/libvirtd.init.in --- a/qemud/libvirtd.init.in Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/libvirtd.init.in Thu Nov 29 09:24:10 2007 -0500 @@ -37,6 +37,7 @@ PROCESS=libvirtd LIBVIRTD_CONFIG= LIBVIRTD_ARGS= +KRB5_KTNAME=/etc/libvirt/krb5.tab test -f @sysconfdir@/sysconfig/libvirtd && . @sysconfdir@/sysconfig/libvirtd @@ -50,7 +51,7 @@ RETVAL=0 start() { echo -n $"Starting $SERVICE daemon: " - daemon --check $SERVICE $PROCESS --daemon $LIBVIRTD_CONFIG_ARGS $LIBVIRTD_ARGS + KRB5_KTNAME=$KRB5_KTNAME daemon --check $SERVICE $PROCESS --daemon $LIBVIRTD_CONFIG_ARGS $LIBVIRTD_ARGS RETVAL=$? echo [ $RETVAL -eq 0 ] && touch @localstatedir@/lock/subsys/$SERVICE diff -r 1c3780349e89 qemud/libvirtd.sasl --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/qemud/libvirtd.sasl Thu Nov 29 09:24:10 2007 -0500 @@ -0,0 +1,28 @@ +# If you want to use the non-TLS socket, then you *must* include +# the GSSAPI or DIGEST-MD5 mechanisms, because they are the only +# ones that can offer session encryption as well as authentication. +# +# If you're only using TLS, then you can turn on any mechanisms +# you like for authentication, because TLS provides the encryption +# +# Default to a simple username+password mechanism +mech_list: digest-md5 + +# Before you can use GSSAPI, you need a service principle on the +# KDC server for libvirt, and that to be exported to the keytab +# file listed below +#mech_list: gssapi +# +# You can also list many mechanisms at once, then the user can choose +# by adding '?auth=sasl.gssapi' to their libvirt URI, eg +# qemu+tcp://hostname/system?auth=sasl.gssapi +#mech_list: digest-md5 gssapi + +# MIT kerberos ignores this option & needs KRB5_KTNAME env var. +# May be useful for other non-Linux OS though.... +keytab: /etc/libvirt/krb5.tab + +# If using digest-md5 for username/passwds, then this is the file +# containing the passwds. Use 'saslpasswd2 -a libvirt [username]' +# to add entries, and 'sasldblistusers2 -a libvirt' to browse it +sasldb_path: /etc/libvirt/passwd.db diff -r 1c3780349e89 qemud/libvirtd.sysconf --- a/qemud/libvirtd.sysconf Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/libvirtd.sysconf Thu Nov 29 09:24:10 2007 -0500 @@ -4,3 +4,6 @@ # Listen for TCP/IP connections # NB. must setup TLS/SSL keys prior to using this #LIBVIRTD_ARGS="--listen" + +# Override Kerberos service keytab for SASL/GSSAPI +#KRB5_KTNAME=/etc/libvirt/krb5.tab diff -r 1c3780349e89 qemud/qemud.c --- a/qemud/qemud.c Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/qemud.c Thu Nov 29 09:24:10 2007 -0500 @@ -577,7 +577,8 @@ static int static int remoteListenTCP (struct qemud_server *server, const char *port, - int tls) + int tls, + int auth) { int fds[2]; int nfds = 0; @@ -606,6 +607,7 @@ remoteListenTCP (struct qemud_server *se sock->fd = fds[i]; sock->tls = tls; + sock->auth = auth; if (getsockname(sock->fd, (struct sockaddr *)(&sa), &salen) < 0) return -1; @@ -701,6 +703,9 @@ static struct qemud_server *qemudInitial struct qemud_socket *sock; char sockname[PATH_MAX]; char roSockname[PATH_MAX]; +#if HAVE_SASL + int err; +#endif /* HAVE_SASL */ if (!(server = calloc(1, sizeof(struct qemud_server)))) { qemudLog(QEMUD_ERR, "Failed to allocate struct qemud_server"); @@ -730,15 +735,28 @@ static struct qemud_server *qemudInitial virStateInitialize(); +#if HAVE_SASL + if ((err = sasl_server_init(NULL, "libvirt")) != SASL_OK) { + qemudLog(QEMUD_ERR, "Failed to initialize SASL authentication %s", + sasl_errstring(err, NULL, NULL)); + goto cleanup; + } +#endif + if (ipsock) { - if (listen_tcp && remoteListenTCP (server, tcp_port, 0) < 0) +#if HAVE_SASL + if (listen_tcp && remoteListenTCP (server, tcp_port, 0, REMOTE_AUTH_SASL) < 0) goto cleanup; +#else + if (listen_tcp && remoteListenTCP (server, tcp_port, 0, REMOTE_AUTH_NONE) < 0) + goto cleanup; +#endif if (listen_tls) { if (remoteInitializeGnuTLS () < 0) goto cleanup; - if (remoteListenTCP (server, tls_port, 1) < 0) + if (remoteListenTCP (server, tls_port, 1, REMOTE_AUTH_NONE) < 0) goto cleanup; } } @@ -1048,6 +1066,7 @@ static int qemudDispatchServer(struct qe client->fd = fd; client->readonly = sock->readonly; client->tls = sock->tls; + client->auth = sock->auth; memcpy (&client->addr, &addr, sizeof addr); client->addrlen = addrlen; @@ -1128,6 +1147,9 @@ static void qemudDispatchClientFailure(s if (client->conn) virConnectClose(client->conn); +#if HAVE_SASL + if (client->saslconn) sasl_dispose(&client->saslconn); +#endif if (client->tls && client->session) gnutls_deinit (client->session); close(client->fd); free(client); diff -r 1c3780349e89 qemud/remote.c --- a/qemud/remote.c Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/remote.c Thu Nov 29 09:24:10 2007 -0500 @@ -52,6 +52,8 @@ #define DEBUG 0 +#define REMOTE_DEBUG(fmt,...) qemudDebug("REMOTE: " fmt, __VA_ARGS__) + static void remoteDispatchError (struct qemud_client *client, remote_message_header *req, const char *fmt, ...) @@ -116,6 +118,21 @@ remoteDispatchClientRequest (struct qemu (int) req.status); xdr_destroy (&xdr); return; + } + + /* If client is marked as needing auth, don't allow any RPC ops, + * except for authentication ones + */ + if (client->auth) { + if (req.proc != REMOTE_PROC_AUTH_LIST && + req.proc != REMOTE_PROC_AUTH_SASL_INIT && + req.proc != REMOTE_PROC_AUTH_SASL_START && + req.proc != REMOTE_PROC_AUTH_SASL_STEP + ) { + remoteDispatchError (client, &req, "authentication required"); + xdr_destroy (&xdr); + return; + } } /* Based on the procedure number, dispatch. In future we may base @@ -275,23 +292,14 @@ remoteDispatchClientRequest (struct qemu * reply. */ static void -remoteDispatchError (struct qemud_client *client, - remote_message_header *req, - const char *fmt, ...) +remoteDispatchSendError (struct qemud_client *client, + remote_message_header *req, + int code, const char *msg) { remote_message_header rep; remote_error error; - va_list args; - char msgbuf[1024]; - char *msg = msgbuf; XDR xdr; int len; - - va_start (args, fmt); - vsnprintf (msgbuf, sizeof msgbuf, fmt, args); - va_end (args); - - qemudDebug ("%s", msgbuf); /* Future versions of the protocol may use different vers or prog. Try * our hardest to send back a message that such clients could see. @@ -313,12 +321,12 @@ remoteDispatchError (struct qemud_client } /* Construct the error. */ - error.code = VIR_ERR_RPC; + error.code = code; error.domain = VIR_FROM_REMOTE; - error.message = &msg; + error.message = (char**)&msg; error.level = VIR_ERR_ERROR; error.dom = NULL; - error.str1 = &msg; + error.str1 = (char**)&msg; error.str2 = NULL; error.str3 = NULL; error.int1 = 0; @@ -363,6 +371,31 @@ remoteDispatchError (struct qemud_client client->bufferOffset = 0; if (client->tls) client->direction = QEMUD_TLS_DIRECTION_WRITE; } + +static void +remoteDispatchFailAuth (struct qemud_client *client, + remote_message_header *req) +{ + remoteDispatchSendError (client, req, VIR_ERR_AUTH_FAILED, "authentication failed"); +} + +static void +remoteDispatchError (struct qemud_client *client, + remote_message_header *req, + const char *fmt, ...) +{ + va_list args; + char msgbuf[1024]; + char *msg = msgbuf; + + va_start (args, fmt); + vsnprintf (msgbuf, sizeof msgbuf, fmt, args); + va_end (args); + + remoteDispatchSendError (client, req, VIR_ERR_RPC, msg); +} + + /*----- Functions. -----*/ @@ -1946,6 +1979,335 @@ remoteDispatchNumOfNetworks (struct qemu return 0; } + +static int +remoteDispatchAuthList (struct qemud_client *client, + remote_message_header *req ATTRIBUTE_UNUSED, + void *args ATTRIBUTE_UNUSED, + remote_auth_list_ret *ret) +{ + ret->types.types_len = 1; + if ((ret->types.types_val = calloc (ret->types.types_len, sizeof (remote_auth_type))) == NULL) { + remoteDispatchSendError(client, req, VIR_ERR_NO_MEMORY, "auth types"); + return -2; + } + ret->types.types_val[0] = client->auth; + return 0; +} + + +#if HAVE_SASL +/* + * NB, keep in sync with similar method in src/remote_internal.c + */ +static char *addrToString(struct qemud_client *client, + remote_message_header *req, + struct sockaddr_storage *sa, socklen_t salen) { + char host[1024], port[20]; + char *addr; + int err; + + if ((err = getnameinfo((struct sockaddr *)sa, salen, + host, sizeof(host), + port, sizeof(port), + NI_NUMERICHOST | NI_NUMERICSERV)) != 0) { + remoteDispatchError(client, req, + "Cannot resolve address %d: %s", err, gai_strerror(err)); + return NULL; + } + + addr = malloc(strlen(host) + 1 + strlen(port) + 1); + if (!addr) { + remoteDispatchError(client, req, "cannot allocate address"); + return NULL; + } + + strcpy(addr, host); + strcat(addr, ";"); + strcat(addr, port); + return addr; +} + + +/* + * Initializes the SASL session in prepare for authentication + * and gives the client a list of allowed mechansims to choose + * + * XXX callbacks for stuff like password verification ? + */ +static int +remoteDispatchAuthSaslInit (struct qemud_client *client, + remote_message_header *req, + void *args ATTRIBUTE_UNUSED, + remote_auth_sasl_init_ret *ret) +{ + const char *mechlist = NULL; + int err; + struct sockaddr_storage sa; + socklen_t salen; + char *localAddr, *remoteAddr; + + REMOTE_DEBUG("Initialize SASL auth %d", client->fd); + if (client->auth != REMOTE_AUTH_SASL || + client->saslconn != NULL) { + qemudLog(QEMUD_ERR, "client tried invalid SASL init request"); + remoteDispatchFailAuth(client, req); + return -2; + } + + /* Get local address in form IPADDR:PORT */ + salen = sizeof(sa); + if (getsockname(client->fd, (struct sockaddr*)&sa, &salen) < 0) { + remoteDispatchError(client, req, "failed to get sock address %d (%s)", + errno, strerror(errno)); + return -2; + } + if ((localAddr = addrToString(client, req, &sa, salen)) == NULL) { + return -2; + } + + /* Get remote address in form IPADDR:PORT */ + salen = sizeof(sa); + if (getpeername(client->fd, (struct sockaddr*)&sa, &salen) < 0) { + remoteDispatchError(client, req, "failed to get peer address %d (%s)", + errno, strerror(errno)); + free(localAddr); + return -2; + } + if ((remoteAddr = addrToString(client, req, &sa, salen)) == NULL) { + free(localAddr); + return -2; + } + + err = sasl_server_new("libvirt", + NULL, /* FQDN - just delegates to gethostname */ + NULL, /* User realm */ + localAddr, + remoteAddr, + NULL, /* XXX Callbacks */ + SASL_SUCCESS_DATA, + &client->saslconn); + free(localAddr); + free(remoteAddr); + if (err != SASL_OK) { + qemudLog(QEMUD_ERR, "sasl context setup failed %d (%s)", + err, sasl_errstring(err, NULL, NULL)); + remoteDispatchFailAuth(client, req); + client->saslconn = NULL; + return -2; + } + + err = sasl_listmech(client->saslconn, + NULL, /* Don't need to set user */ + "", /* Prefix */ + ",", /* Separator */ + "", /* Suffix */ + &mechlist, + NULL, + NULL); + if (err != SASL_OK) { + qemudLog(QEMUD_ERR, "cannot list SASL mechanisms %d (%s)", + err, sasl_errdetail(client->saslconn)); + remoteDispatchFailAuth(client, req); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + return -2; + } + REMOTE_DEBUG("Available mechanisms for client: '%s'", mechlist); + ret->mechlist = strdup(mechlist); + if (!ret->mechlist) { + qemudLog(QEMUD_ERR, "cannot allocate mechlist"); + remoteDispatchFailAuth(client, req); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + return -2; + } + + return 0; +} + + +/* + * This starts the SASL authentication negotiation. + */ +static int +remoteDispatchAuthSaslStart (struct qemud_client *client, + remote_message_header *req, + remote_auth_sasl_start_args *args, + remote_auth_sasl_start_ret *ret) +{ + const char *serverout; + unsigned int serveroutlen; + int err; + + REMOTE_DEBUG("Start SASL auth %d", client->fd); + if (client->auth != REMOTE_AUTH_SASL || + client->saslconn == NULL) { + qemudLog(QEMUD_ERR, "client tried invalid SASL start request"); + remoteDispatchFailAuth(client, req); + return -2; + } + + REMOTE_DEBUG("Using SASL mechanism %s. Data %d bytes, nil: %d", + args->mech, args->data.data_len, args->nil); + err = sasl_server_start(client->saslconn, + args->mech, + /* NB, distinction of NULL vs "" is *critical* in SASL */ + args->nil ? NULL : args->data.data_val, + args->data.data_len, + &serverout, + &serveroutlen); + if (err != SASL_OK && + err != SASL_CONTINUE) { + qemudLog(QEMUD_ERR, "sasl start failed %d (%s)", + err, sasl_errdetail(client->saslconn)); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + remoteDispatchFailAuth(client, req); + return -2; + } + if (serveroutlen > REMOTE_AUTH_SASL_DATA_MAX) { + qemudLog(QEMUD_ERR, "sasl start reply data too long %d", serveroutlen); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + remoteDispatchFailAuth(client, req); + return -2; + } + + /* NB, distinction of NULL vs "" is *critical* in SASL */ + if (serverout) { + ret->data.data_val = malloc(serveroutlen); + if (!ret->data.data_val) { + remoteDispatchError (client, req, "out of memory allocating array"); + return -2; + } + memcpy(ret->data.data_val, serverout, serveroutlen); + } else { + ret->data.data_val = NULL; + } + ret->nil = serverout ? 0 : 1; + ret->data.data_len = serveroutlen; + + REMOTE_DEBUG("SASL return data %d bytes, nil; %d", ret->data.data_len, ret->nil); + if (err == SASL_CONTINUE) { + ret->complete = 0; + } else { + REMOTE_DEBUG("Authentication successful %d", client->fd); + ret->complete = 1; + client->auth = REMOTE_AUTH_NONE; + } + + return 0; +} + + +static int +remoteDispatchAuthSaslStep (struct qemud_client *client, + remote_message_header *req, + remote_auth_sasl_step_args *args, + remote_auth_sasl_step_ret *ret) +{ + const char *serverout; + unsigned int serveroutlen; + int err; + + REMOTE_DEBUG("Step SASL auth %d", client->fd); + if (client->auth != REMOTE_AUTH_SASL || + client->saslconn == NULL) { + qemudLog(QEMUD_ERR, "client tried invalid SASL start request"); + remoteDispatchFailAuth(client, req); + return -2; + } + + REMOTE_DEBUG("Using SASL Data %d bytes, nil: %d", + args->data.data_len, args->nil); + err = sasl_server_step(client->saslconn, + /* NB, distinction of NULL vs "" is *critical* in SASL */ + args->nil ? NULL : args->data.data_val, + args->data.data_len, + &serverout, + &serveroutlen); + if (err != SASL_OK && + err != SASL_CONTINUE) { + qemudLog(QEMUD_ERR, "sasl step failed %d (%s)", + err, sasl_errdetail(client->saslconn)); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + remoteDispatchFailAuth(client, req); + return -2; + } + + if (serveroutlen > REMOTE_AUTH_SASL_DATA_MAX) { + qemudLog(QEMUD_ERR, "sasl step reply data too long %d", serveroutlen); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + remoteDispatchFailAuth(client, req); + return -2; + } + + /* NB, distinction of NULL vs "" is *critical* in SASL */ + if (serverout) { + ret->data.data_val = malloc(serveroutlen); + if (!ret->data.data_val) { + remoteDispatchError (client, req, "out of memory allocating array"); + return -2; + } + memcpy(ret->data.data_val, serverout, serveroutlen); + } else { + ret->data.data_val = NULL; + } + ret->nil = serverout ? 0 : 1; + ret->data.data_len = serveroutlen; + + REMOTE_DEBUG("SASL return data %d bytes, nil; %d", ret->data.data_len, ret->nil); + if (err == SASL_CONTINUE) { + ret->complete = 0; + } else { + REMOTE_DEBUG("Authentication successful %d", client->fd); + ret->complete = 1; + client->auth = REMOTE_AUTH_NONE; + } + + return 0; +} + + +#else /* HAVE_SASL */ +static int +remoteDispatchAuthSaslInit (struct qemud_client *client, + remote_message_header *req, + void *args ATTRIBUTE_UNUSED, + remote_auth_sasl_init_ret *ret ATTRIBUTE_UNUSED) +{ + qemudLog(QEMUD_ERR, "client tried unsupported SASL init request"); + remoteDispatchFailAuth(client, req); + return -1; +} + +static int +remoteDispatchAuthSaslStart (struct qemud_client *client, + remote_message_header *req, + remote_auth_sasl_start_args *args ATTRIBUTE_UNUSED, + remote_auth_sasl_start_ret *ret ATTRIBUTE_UNUSED) +{ + qemudLog(QEMUD_ERR, "client tried unsupported SASL start request"); + remoteDispatchFailAuth(client, req); + return -1; +} + +static int +remoteDispatchAuthSaslStep (struct qemud_client *client, + remote_message_header *req, + remote_auth_sasl_step_args *args ATTRIBUTE_UNUSED, + remote_auth_sasl_step_ret *ret ATTRIBUTE_UNUSED) +{ + qemudLog(QEMUD_ERR, "client tried unsupported SASL step request"); + remoteDispatchFailAuth(client, req); + return -1; +} +#endif /* HAVE_SASL */ + + /*----- Helpers. -----*/ /* get_nonnull_domain and get_nonnull_network turn an on-wire diff -r 1c3780349e89 qemud/remote_dispatch_localvars.h --- a/qemud/remote_dispatch_localvars.h Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/remote_dispatch_localvars.h Thu Nov 29 09:24:10 2007 -0500 @@ -9,6 +9,7 @@ remote_list_defined_domains_ret lv_remot remote_list_defined_domains_ret lv_remote_list_defined_domains_ret; remote_get_capabilities_ret lv_remote_get_capabilities_ret; remote_domain_set_max_memory_args lv_remote_domain_set_max_memory_args; +remote_auth_sasl_init_ret lv_remote_auth_sasl_init_ret; remote_domain_get_os_type_args lv_remote_domain_get_os_type_args; remote_domain_get_os_type_ret lv_remote_domain_get_os_type_ret; remote_domain_get_autostart_args lv_remote_domain_get_autostart_args; @@ -36,6 +37,8 @@ remote_domain_create_linux_args lv_remot remote_domain_create_linux_args lv_remote_domain_create_linux_args; remote_domain_create_linux_ret lv_remote_domain_create_linux_ret; remote_domain_set_scheduler_parameters_args lv_remote_domain_set_scheduler_parameters_args; +remote_auth_sasl_start_args lv_remote_auth_sasl_start_args; +remote_auth_sasl_start_ret lv_remote_auth_sasl_start_ret; remote_domain_interface_stats_args lv_remote_domain_interface_stats_args; remote_domain_interface_stats_ret lv_remote_domain_interface_stats_ret; remote_domain_get_max_vcpus_args lv_remote_domain_get_max_vcpus_args; @@ -50,6 +53,8 @@ remote_network_get_bridge_name_args lv_r remote_network_get_bridge_name_args lv_remote_network_get_bridge_name_args; remote_network_get_bridge_name_ret lv_remote_network_get_bridge_name_ret; remote_domain_destroy_args lv_remote_domain_destroy_args; +remote_auth_sasl_step_args lv_remote_auth_sasl_step_args; +remote_auth_sasl_step_ret lv_remote_auth_sasl_step_ret; remote_domain_migrate_finish_args lv_remote_domain_migrate_finish_args; remote_domain_migrate_finish_ret lv_remote_domain_migrate_finish_ret; remote_domain_get_vcpus_args lv_remote_domain_get_vcpus_args; @@ -74,6 +79,7 @@ remote_network_set_autostart_args lv_rem remote_network_set_autostart_args lv_remote_network_set_autostart_args; remote_network_get_autostart_args lv_remote_network_get_autostart_args; remote_network_get_autostart_ret lv_remote_network_get_autostart_ret; +remote_auth_list_ret lv_remote_auth_list_ret; remote_domain_core_dump_args lv_remote_domain_core_dump_args; remote_domain_get_max_memory_args lv_remote_domain_get_max_memory_args; remote_domain_get_max_memory_ret lv_remote_domain_get_max_memory_ret; diff -r 1c3780349e89 qemud/remote_dispatch_proc_switch.h --- a/qemud/remote_dispatch_proc_switch.h Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/remote_dispatch_proc_switch.h Thu Nov 29 09:24:10 2007 -0500 @@ -2,6 +2,36 @@ * Do not edit this file. Any changes you make will be lost. */ +case REMOTE_PROC_AUTH_LIST: + fn = (dispatch_fn) remoteDispatchAuthList; + ret_filter = (xdrproc_t) xdr_remote_auth_list_ret; + ret = (char *) &lv_remote_auth_list_ret; + memset (&lv_remote_auth_list_ret, 0, sizeof lv_remote_auth_list_ret); + break; +case REMOTE_PROC_AUTH_SASL_INIT: + fn = (dispatch_fn) remoteDispatchAuthSaslInit; + ret_filter = (xdrproc_t) xdr_remote_auth_sasl_init_ret; + ret = (char *) &lv_remote_auth_sasl_init_ret; + memset (&lv_remote_auth_sasl_init_ret, 0, sizeof lv_remote_auth_sasl_init_ret); + break; +case REMOTE_PROC_AUTH_SASL_START: + fn = (dispatch_fn) remoteDispatchAuthSaslStart; + args_filter = (xdrproc_t) xdr_remote_auth_sasl_start_args; + args = (char *) &lv_remote_auth_sasl_start_args; + memset (&lv_remote_auth_sasl_start_args, 0, sizeof lv_remote_auth_sasl_start_args); + ret_filter = (xdrproc_t) xdr_remote_auth_sasl_start_ret; + ret = (char *) &lv_remote_auth_sasl_start_ret; + memset (&lv_remote_auth_sasl_start_ret, 0, sizeof lv_remote_auth_sasl_start_ret); + break; +case REMOTE_PROC_AUTH_SASL_STEP: + fn = (dispatch_fn) remoteDispatchAuthSaslStep; + args_filter = (xdrproc_t) xdr_remote_auth_sasl_step_args; + args = (char *) &lv_remote_auth_sasl_step_args; + memset (&lv_remote_auth_sasl_step_args, 0, sizeof lv_remote_auth_sasl_step_args); + ret_filter = (xdrproc_t) xdr_remote_auth_sasl_step_ret; + ret = (char *) &lv_remote_auth_sasl_step_ret; + memset (&lv_remote_auth_sasl_step_ret, 0, sizeof lv_remote_auth_sasl_step_ret); + break; case REMOTE_PROC_CLOSE: fn = (dispatch_fn) remoteDispatchClose; break; diff -r 1c3780349e89 qemud/remote_dispatch_prototypes.h --- a/qemud/remote_dispatch_prototypes.h Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/remote_dispatch_prototypes.h Thu Nov 29 09:24:10 2007 -0500 @@ -2,6 +2,10 @@ * Do not edit this file. Any changes you make will be lost. */ +static int remoteDispatchAuthList (struct qemud_client *client, remote_message_header *req, void *args, remote_auth_list_ret *ret); +static int remoteDispatchAuthSaslInit (struct qemud_client *client, remote_message_header *req, void *args, remote_auth_sasl_init_ret *ret); +static int remoteDispatchAuthSaslStart (struct qemud_client *client, remote_message_header *req, remote_auth_sasl_start_args *args, remote_auth_sasl_start_ret *ret); +static int remoteDispatchAuthSaslStep (struct qemud_client *client, remote_message_header *req, remote_auth_sasl_step_args *args, remote_auth_sasl_step_ret *ret); static int remoteDispatchClose (struct qemud_client *client, remote_message_header *req, void *args, void *ret); static int remoteDispatchDomainAttachDevice (struct qemud_client *client, remote_message_header *req, remote_domain_attach_device_args *args, void *ret); static int remoteDispatchDomainBlockStats (struct qemud_client *client, remote_message_header *req, remote_domain_block_stats_args *args, remote_domain_block_stats_ret *ret); diff -r 1c3780349e89 qemud/remote_protocol.c --- a/qemud/remote_protocol.c Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/remote_protocol.c Thu Nov 29 09:24:10 2007 -0500 @@ -100,6 +100,15 @@ xdr_remote_error (XDR *xdrs, remote_erro if (!xdr_int (xdrs, &objp->int2)) return FALSE; if (!xdr_remote_network (xdrs, &objp->net)) + return FALSE; + return TRUE; +} + +bool_t +xdr_remote_auth_type (XDR *xdrs, remote_auth_type *objp) +{ + + if (!xdr_enum (xdrs, (enum_t *) objp)) return FALSE; return TRUE; } @@ -1222,6 +1231,84 @@ xdr_remote_network_set_autostart_args (X } bool_t +xdr_remote_auth_list_ret (XDR *xdrs, remote_auth_list_ret *objp) +{ + char **objp_cpp0 = (char **) (void *) &objp->types.types_val; + + if (!xdr_array (xdrs, objp_cpp0, (u_int *) &objp->types.types_len, REMOTE_AUTH_TYPE_LIST_MAX, + sizeof (remote_auth_type), (xdrproc_t) xdr_remote_auth_type)) + return FALSE; + return TRUE; +} + +bool_t +xdr_remote_auth_sasl_init_ret (XDR *xdrs, remote_auth_sasl_init_ret *objp) +{ + + if (!xdr_remote_nonnull_string (xdrs, &objp->mechlist)) + return FALSE; + return TRUE; +} + +bool_t +xdr_remote_auth_sasl_start_args (XDR *xdrs, remote_auth_sasl_start_args *objp) +{ + char **objp_cpp0 = (char **) (void *) &objp->data.data_val; + + if (!xdr_remote_nonnull_string (xdrs, &objp->mech)) + return FALSE; + if (!xdr_int (xdrs, &objp->nil)) + return FALSE; + if (!xdr_array (xdrs, objp_cpp0, (u_int *) &objp->data.data_len, REMOTE_AUTH_SASL_DATA_MAX, + sizeof (char), (xdrproc_t) xdr_char)) + return FALSE; + return TRUE; +} + +bool_t +xdr_remote_auth_sasl_start_ret (XDR *xdrs, remote_auth_sasl_start_ret *objp) +{ + char **objp_cpp0 = (char **) (void *) &objp->data.data_val; + + if (!xdr_int (xdrs, &objp->complete)) + return FALSE; + if (!xdr_int (xdrs, &objp->nil)) + return FALSE; + if (!xdr_array (xdrs, objp_cpp0, (u_int *) &objp->data.data_len, REMOTE_AUTH_SASL_DATA_MAX, + sizeof (char), (xdrproc_t) xdr_char)) + return FALSE; + return TRUE; +} + +bool_t +xdr_remote_auth_sasl_step_args (XDR *xdrs, remote_auth_sasl_step_args *objp) +{ + char **objp_cpp0 = (char **) (void *) &objp->data.data_val; + + if (!xdr_int (xdrs, &objp->nil)) + return FALSE; + if (!xdr_array (xdrs, objp_cpp0, (u_int *) &objp->data.data_len, REMOTE_AUTH_SASL_DATA_MAX, + sizeof (char), (xdrproc_t) xdr_char)) + return FALSE; + return TRUE; +} + +bool_t +xdr_remote_auth_sasl_step_ret (XDR *xdrs, remote_auth_sasl_step_ret *objp) +{ + char **objp_cpp0 = (char **) (void *) &objp->data.data_val; + + if (!xdr_int (xdrs, &objp->complete)) + return FALSE; + if (!xdr_int (xdrs, &objp->nil)) + return FALSE; + if (!xdr_array (xdrs, objp_cpp0, (u_int *) &objp->data.data_len, REMOTE_AUTH_SASL_DATA_MAX, + sizeof (char), (xdrproc_t) xdr_char)) + return FALSE; + return TRUE; +} + +bool_t xdr_remote_procedure (XDR *xdrs, remote_procedure *objp) { diff -r 1c3780349e89 qemud/remote_protocol.h --- a/qemud/remote_protocol.h Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/remote_protocol.h Thu Nov 29 09:24:10 2007 -0500 @@ -28,6 +28,8 @@ typedef remote_nonnull_string *remote_st #define REMOTE_MIGRATE_COOKIE_MAX 256 #define REMOTE_NETWORK_NAME_LIST_MAX 256 #define REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX 16 +#define REMOTE_AUTH_SASL_DATA_MAX 65536 +#define REMOTE_AUTH_TYPE_LIST_MAX 20 typedef char remote_uuid[VIR_UUID_BUFLEN]; @@ -63,6 +65,12 @@ struct remote_error { }; typedef struct remote_error remote_error; +enum remote_auth_type { + REMOTE_AUTH_NONE = 0, + REMOTE_AUTH_SASL = 1, +}; +typedef enum remote_auth_type remote_auth_type; + struct remote_vcpu_info { u_int number; int state; @@ -659,6 +667,58 @@ struct remote_network_set_autostart_args int autostart; }; typedef struct remote_network_set_autostart_args remote_network_set_autostart_args; + +struct remote_auth_list_ret { + struct { + u_int types_len; + remote_auth_type *types_val; + } types; +}; +typedef struct remote_auth_list_ret remote_auth_list_ret; + +struct remote_auth_sasl_init_ret { + remote_nonnull_string mechlist; +}; +typedef struct remote_auth_sasl_init_ret remote_auth_sasl_init_ret; + +struct remote_auth_sasl_start_args { + remote_nonnull_string mech; + int nil; + struct { + u_int data_len; + char *data_val; + } data; +}; +typedef struct remote_auth_sasl_start_args remote_auth_sasl_start_args; + +struct remote_auth_sasl_start_ret { + int complete; + int nil; + struct { + u_int data_len; + char *data_val; + } data; +}; +typedef struct remote_auth_sasl_start_ret remote_auth_sasl_start_ret; + +struct remote_auth_sasl_step_args { + int nil; + struct { + u_int data_len; + char *data_val; + } data; +}; +typedef struct remote_auth_sasl_step_args remote_auth_sasl_step_args; + +struct remote_auth_sasl_step_ret { + int complete; + int nil; + struct { + u_int data_len; + char *data_val; + } data; +}; +typedef struct remote_auth_sasl_step_ret remote_auth_sasl_step_ret; #define REMOTE_PROGRAM 0x20008086 #define REMOTE_PROTOCOL_VERSION 1 @@ -728,6 +788,10 @@ enum remote_procedure { REMOTE_PROC_DOMAIN_MIGRATE_FINISH = 63, REMOTE_PROC_DOMAIN_BLOCK_STATS = 64, REMOTE_PROC_DOMAIN_INTERFACE_STATS = 65, + REMOTE_PROC_AUTH_LIST = 66, + REMOTE_PROC_AUTH_SASL_INIT = 67, + REMOTE_PROC_AUTH_SASL_START = 68, + REMOTE_PROC_AUTH_SASL_STEP = 69, }; typedef enum remote_procedure remote_procedure; @@ -766,6 +830,7 @@ extern bool_t xdr_remote_domain (XDR *, extern bool_t xdr_remote_domain (XDR *, remote_domain*); extern bool_t xdr_remote_network (XDR *, remote_network*); extern bool_t xdr_remote_error (XDR *, remote_error*); +extern bool_t xdr_remote_auth_type (XDR *, remote_auth_type*); extern bool_t xdr_remote_vcpu_info (XDR *, remote_vcpu_info*); extern bool_t xdr_remote_sched_param_value (XDR *, remote_sched_param_value*); extern bool_t xdr_remote_sched_param (XDR *, remote_sched_param*); @@ -864,6 +929,12 @@ extern bool_t xdr_remote_network_get_au extern bool_t xdr_remote_network_get_autostart_args (XDR *, remote_network_get_autostart_args*); extern bool_t xdr_remote_network_get_autostart_ret (XDR *, remote_network_get_autostart_ret*); extern bool_t xdr_remote_network_set_autostart_args (XDR *, remote_network_set_autostart_args*); +extern bool_t xdr_remote_auth_list_ret (XDR *, remote_auth_list_ret*); +extern bool_t xdr_remote_auth_sasl_init_ret (XDR *, remote_auth_sasl_init_ret*); +extern bool_t xdr_remote_auth_sasl_start_args (XDR *, remote_auth_sasl_start_args*); +extern bool_t xdr_remote_auth_sasl_start_ret (XDR *, remote_auth_sasl_start_ret*); +extern bool_t xdr_remote_auth_sasl_step_args (XDR *, remote_auth_sasl_step_args*); +extern bool_t xdr_remote_auth_sasl_step_ret (XDR *, remote_auth_sasl_step_ret*); extern bool_t xdr_remote_procedure (XDR *, remote_procedure*); extern bool_t xdr_remote_message_direction (XDR *, remote_message_direction*); extern bool_t xdr_remote_message_status (XDR *, remote_message_status*); @@ -878,6 +949,7 @@ extern bool_t xdr_remote_domain (); extern bool_t xdr_remote_domain (); extern bool_t xdr_remote_network (); extern bool_t xdr_remote_error (); +extern bool_t xdr_remote_auth_type (); extern bool_t xdr_remote_vcpu_info (); extern bool_t xdr_remote_sched_param_value (); extern bool_t xdr_remote_sched_param (); @@ -976,6 +1048,12 @@ extern bool_t xdr_remote_network_get_aut extern bool_t xdr_remote_network_get_autostart_args (); extern bool_t xdr_remote_network_get_autostart_ret (); extern bool_t xdr_remote_network_set_autostart_args (); +extern bool_t xdr_remote_auth_list_ret (); +extern bool_t xdr_remote_auth_sasl_init_ret (); +extern bool_t xdr_remote_auth_sasl_start_args (); +extern bool_t xdr_remote_auth_sasl_start_ret (); +extern bool_t xdr_remote_auth_sasl_step_args (); +extern bool_t xdr_remote_auth_sasl_step_ret (); extern bool_t xdr_remote_procedure (); extern bool_t xdr_remote_message_direction (); extern bool_t xdr_remote_message_status (); diff -r 1c3780349e89 qemud/remote_protocol.x --- a/qemud/remote_protocol.x Wed Nov 28 12:02:28 2007 -0500 +++ b/qemud/remote_protocol.x Thu Nov 29 09:24:10 2007 -0500 @@ -80,6 +80,12 @@ const REMOTE_NETWORK_NAME_LIST_MAX = 256 /* Upper limit on list of scheduler parameters. */ const REMOTE_DOMAIN_SCHEDULER_PARAMETERS_MAX = 16; + +/* Upper limit on SASL auth negotiation packet */ +const REMOTE_AUTH_SASL_DATA_MAX = 65536; + +/* Maximum number of auth types */ +const REMOTE_AUTH_TYPE_LIST_MAX = 20; /* UUID. VIR_UUID_BUFLEN definition comes from libvirt.h */ typedef opaque remote_uuid[VIR_UUID_BUFLEN]; @@ -122,6 +128,13 @@ struct remote_error { int int2; remote_network net; }; + +/* Authentication types available thus far.... */ +enum remote_auth_type { + REMOTE_AUTH_NONE = 0, + REMOTE_AUTH_SASL = 1 +}; + /* Wire encoding of virVcpuInfo. */ struct remote_vcpu_info { @@ -610,6 +623,37 @@ struct remote_network_set_autostart_args struct remote_network_set_autostart_args { remote_nonnull_network net; int autostart; +}; + +struct remote_auth_list_ret { + remote_auth_type types<REMOTE_AUTH_TYPE_LIST_MAX>; +}; + +struct remote_auth_sasl_init_ret { + remote_nonnull_string mechlist; +}; + +struct remote_auth_sasl_start_args { + remote_nonnull_string mech; + int nil; + char data<REMOTE_AUTH_SASL_DATA_MAX>; +}; + +struct remote_auth_sasl_start_ret { + int complete; + int nil; + char data<REMOTE_AUTH_SASL_DATA_MAX>; +}; + +struct remote_auth_sasl_step_args { + int nil; + char data<REMOTE_AUTH_SASL_DATA_MAX>; +}; + +struct remote_auth_sasl_step_ret { + int complete; + int nil; + char data<REMOTE_AUTH_SASL_DATA_MAX>; }; /*----- Protocol. -----*/ @@ -683,7 +727,11 @@ enum remote_procedure { REMOTE_PROC_DOMAIN_MIGRATE_PERFORM = 62, REMOTE_PROC_DOMAIN_MIGRATE_FINISH = 63, REMOTE_PROC_DOMAIN_BLOCK_STATS = 64, - REMOTE_PROC_DOMAIN_INTERFACE_STATS = 65 + REMOTE_PROC_DOMAIN_INTERFACE_STATS = 65, + REMOTE_PROC_AUTH_LIST = 66, + REMOTE_PROC_AUTH_SASL_INIT = 67, + REMOTE_PROC_AUTH_SASL_START = 68, + REMOTE_PROC_AUTH_SASL_STEP = 69 }; /* Custom RPC structure. */ diff -r 1c3780349e89 src/Makefile.am --- a/src/Makefile.am Wed Nov 28 12:02:28 2007 -0500 +++ b/src/Makefile.am Thu Nov 29 09:24:10 2007 -0500 @@ -5,6 +5,7 @@ INCLUDES = -I$(top_builddir)/include \ -I@top_srcdir@/qemud \ $(LIBXML_CFLAGS) \ $(GNUTLS_CFLAGS) \ + $(SASL_CFLAGS) \ -DBINDIR=\""$(libexecdir)"\" \ -DSBINDIR=\""$(sbindir)"\" \ -DSYSCONF_DIR="\"$(sysconfdir)\"" \ @@ -24,7 +25,7 @@ EXTRA_DIST = libvirt_sym.version $(conf_ EXTRA_DIST = libvirt_sym.version $(conf_DATA) lib_LTLIBRARIES = libvirt.la -libvirt_la_LIBADD = $(LIBXML_LIBS) $(GNUTLS_LIBS) +libvirt_la_LIBADD = $(LIBXML_LIBS) $(GNUTLS_LIBS) $(SASL_LIBS) libvirt_la_LDFLAGS = -Wl,--version-script=$(srcdir)/libvirt_sym.version \ -version-info @LIBVIRT_VERSION_INFO@ \ $(COVERAGE_CFLAGS:-f%=-Wc,-f%) diff -r 1c3780349e89 src/remote_internal.c --- a/src/remote_internal.c Wed Nov 28 12:02:28 2007 -0500 +++ b/src/remote_internal.c Thu Nov 29 09:24:10 2007 -0500 @@ -48,6 +48,9 @@ #include <gnutls/gnutls.h> #include <gnutls/x509.h> #include "gnutls_1_0_compat.h" +#if HAVE_SASL +#include <sasl/sasl.h> +#endif #include <libxml/uri.h> #include "internal.h" @@ -72,6 +75,11 @@ struct private_data { char *type; /* Cached return from remoteType. */ int counter; /* Generates serial numbers for RPC. */ int networkOnly; /* Only used for network API */ + char *hostname; /* Original hostname */ + FILE *debugLog; /* Debug remote protocol */ +#if HAVE_SASL + sasl_conn_t *saslconn; /* SASL context */ +#endif }; #define GET_PRIVATE(conn,retcode) \ @@ -90,7 +98,20 @@ struct private_data { return (retcode); \ } -static int call (virConnectPtr conn, struct private_data *priv, int in_open, int proc_nr, xdrproc_t args_filter, char *args, xdrproc_t ret_filter, char *ret); +enum { + REMOTE_CALL_IN_OPEN = 1, + REMOTE_CALL_QUIET_MISSING_RPC = 2, +}; + + +static int call (virConnectPtr conn, struct private_data *priv, + int flags, int proc_nr, + xdrproc_t args_filter, char *args, + xdrproc_t ret_filter, char *ret); +static int remoteAuthenticate (virConnectPtr conn, struct private_data *priv, int in_open); +#if HAVE_SASL +static int remoteAuthSASL (virConnectPtr conn, struct private_data *priv, int in_open); +#endif static void error (virConnectPtr conn, virErrorNumber code, const char *info); static void server_error (virConnectPtr conn, remote_error *err); static virDomainPtr get_nonnull_domain (virConnectPtr conn, remote_nonnull_domain domain); @@ -121,7 +142,7 @@ static void query_free (struct query_fie /* GnuTLS functions used by remoteOpen. */ static int initialise_gnutls (virConnectPtr conn); -static gnutls_session_t negotiate_gnutls_on_connection (virConnectPtr conn, int sock, int no_verify, const char *hostname); +static gnutls_session_t negotiate_gnutls_on_connection (virConnectPtr conn, struct private_data *priv, int no_verify); static int remoteStartup(void) @@ -132,6 +153,22 @@ remoteStartup(void) inside_daemon = 1; return 0; } + +#if HAVE_SASL +static void +remoteDebug(struct private_data *priv, const char *msg,...) +{ + va_list args; + if (priv->debugLog == NULL) + return; + + va_start(args, msg); + vfprintf(priv->debugLog, msg, args); + va_end(args); + fprintf(priv->debugLog, "\n"); +} +#endif /* HAVE_SASL */ + /** * remoteFindServerPath: @@ -297,7 +334,7 @@ doRemoteOpen (virConnectPtr conn, struct * get freed in the failed: path. */ char *name = 0, *command = 0, *sockname = 0, *netcat = 0, *username = 0; - char *server = 0, *port = 0; + char *port = 0; int no_verify = 0, no_tty = 0; char **cmd_argv = 0; @@ -305,12 +342,6 @@ doRemoteOpen (virConnectPtr conn, struct int retcode = VIR_DRV_OPEN_ERROR; /* Remote server defaults to "localhost" if not specified. */ - server = strdup (uri->server ? uri->server : "localhost"); - if (!server) { - out_of_memory: - error (conn, VIR_ERR_NO_MEMORY, "duplicating server name"); - goto failed; - } if (uri->port != 0) { if (asprintf (&port, "%d", uri->port) == -1) goto out_of_memory; } else if (transport == trans_tls) { @@ -325,6 +356,12 @@ doRemoteOpen (virConnectPtr conn, struct } else port = NULL; /* Port not used for unix, ext. */ + + priv->hostname = strdup (uri->server ? uri->server : "localhost"); + if (!priv->hostname) { + error (NULL, VIR_ERR_NO_MEMORY, "allocating priv->hostname"); + goto failed; + } if (uri->user) { username = strdup (uri->user); if (!username) goto out_of_memory; @@ -367,6 +404,12 @@ doRemoteOpen (virConnectPtr conn, struct } else if (strcasecmp (var->name, "no_tty") == 0) { no_tty = atoi (var->value); var->ignore = 1; + } else if (strcasecmp (var->name, "debug") == 0) { + if (var->value && + strcasecmp(var->value, "stdout") == 0) + priv->debugLog = stdout; + else + priv->debugLog = stderr; } #if DEBUG else @@ -436,7 +479,7 @@ doRemoteOpen (virConnectPtr conn, struct memset (&hints, 0, sizeof hints); hints.ai_socktype = SOCK_STREAM; hints.ai_flags = AI_ADDRCONFIG; - int e = getaddrinfo (server, port, &hints, &res); + int e = getaddrinfo (priv->hostname, port, &hints, &res); if (e != 0) { error (conn, VIR_ERR_INVALID_ARG, gai_strerror (e)); goto failed; @@ -476,7 +519,7 @@ doRemoteOpen (virConnectPtr conn, struct if (priv->uses_tls) { priv->session = negotiate_gnutls_on_connection - (conn, priv->sock, no_verify, server); + (conn, priv, no_verify); if (!priv->session) { close (priv->sock); priv->sock = -1; @@ -603,7 +646,7 @@ doRemoteOpen (virConnectPtr conn, struct cmd_argv[j++] = strdup ("-e"); cmd_argv[j++] = strdup ("none"); } - cmd_argv[j++] = strdup (server); + cmd_argv[j++] = strdup (priv->hostname); cmd_argv[j++] = strdup (netcat ? netcat : "nc"); cmd_argv[j++] = strdup ("-U"); cmd_argv[j++] = strdup (sockname ? sockname : LIBVIRTD_PRIV_UNIX_SOCKET); @@ -665,10 +708,15 @@ doRemoteOpen (virConnectPtr conn, struct } } /* switch (transport) */ + + /* Try and authenticate with server */ + if (remoteAuthenticate(conn, priv, 1) == -1) + goto failed; + /* Finally we can call the remote side's open function. */ remote_open_args args = { &name, flags }; - if (call (conn, priv, 1, REMOTE_PROC_OPEN, + if (call (conn, priv, REMOTE_CALL_IN_OPEN, REMOTE_PROC_OPEN, (xdrproc_t) xdr_remote_open_args, (char *) &args, (xdrproc_t) xdr_void, (char *) NULL) == -1) goto failed; @@ -676,12 +724,35 @@ doRemoteOpen (virConnectPtr conn, struct /* Successful. */ retcode = VIR_DRV_OPEN_SUCCESS; - /*FALLTHROUGH*/ + cleanup: + /* Free up the URL and strings. */ + if (name) free (name); + if (command) free (command); + if (sockname) free (sockname); + if (netcat) free (netcat); + if (username) free (username); + if (port) free (port); + if (cmd_argv) { + char **cmd_argv_ptr = cmd_argv; + while (*cmd_argv_ptr) { + free (*cmd_argv_ptr); + cmd_argv_ptr++; + } + free (cmd_argv); + } + + return retcode; + + out_of_memory: + error (NULL, VIR_ERR_NO_MEMORY, "uri params"); + failed: /* Close the socket if we failed. */ - if (retcode != VIR_DRV_OPEN_SUCCESS && priv->sock >= 0) { - if (priv->uses_tls && priv->session) + if (priv->sock >= 0) { + if (priv->uses_tls && priv->session) { gnutls_bye (priv->session, GNUTLS_SHUT_RDWR); + gnutls_deinit (priv->session); + } close (priv->sock); if (priv->pid > 0) { pid_t reap; @@ -693,24 +764,12 @@ doRemoteOpen (virConnectPtr conn, struct } } - /* Free up the URL and strings. */ - if (name) free (name); - if (command) free (command); - if (sockname) free (sockname); - if (netcat) free (netcat); - if (username) free (username); - if (server) free (server); - if (port) free (port); - if (cmd_argv) { - char **cmd_argv_ptr = cmd_argv; - while (*cmd_argv_ptr) { - free (*cmd_argv_ptr); - cmd_argv_ptr++; - } - free (cmd_argv); - } - - return retcode; + if (priv->hostname) { + free (priv->hostname); + priv->hostname = NULL; + } + + goto cleanup; } static int @@ -1017,11 +1076,12 @@ initialise_gnutls (virConnectPtr conn) return 0; } -static int verify_certificate (virConnectPtr conn, gnutls_session_t session, const char *hostname); +static int verify_certificate (virConnectPtr conn, struct private_data *priv, gnutls_session_t session); static gnutls_session_t negotiate_gnutls_on_connection (virConnectPtr conn, - int sock, int no_verify, const char *hostname) + struct private_data *priv, + int no_verify) { const int cert_type_priority[3] = { GNUTLS_CRT_X509, @@ -1062,7 +1122,7 @@ negotiate_gnutls_on_connection (virConne } gnutls_transport_set_ptr (session, - (gnutls_transport_ptr_t) (long) sock); + (gnutls_transport_ptr_t) (long) priv->sock); /* Perform the TLS handshake. */ again: @@ -1075,7 +1135,7 @@ negotiate_gnutls_on_connection (virConne } /* Verify certificate. */ - if (verify_certificate (conn, session, hostname) == -1) { + if (verify_certificate (conn, priv, session) == -1) { fprintf (stderr, "remote_internal: failed to verify peer's certificate\n"); if (!no_verify) return NULL; @@ -1110,8 +1170,8 @@ negotiate_gnutls_on_connection (virConne static int verify_certificate (virConnectPtr conn ATTRIBUTE_UNUSED, - gnutls_session_t session, - const char *hostname) + struct private_data *priv, + gnutls_session_t session) { int ret; unsigned int status; @@ -1189,14 +1249,14 @@ verify_certificate (virConnectPtr conn A } if (i == 0) { - if (!gnutls_x509_crt_check_hostname (cert, hostname)) { + if (!gnutls_x509_crt_check_hostname (cert, priv->hostname)) { __virRaiseError (conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_RPC, - VIR_ERR_ERROR, hostname, NULL, NULL, + VIR_ERR_ERROR, priv->hostname, NULL, NULL, 0, 0, "Certificate's owner does not match the hostname (%s)", - hostname); + priv->hostname); gnutls_x509_crt_deinit (cert); return -1; } @@ -1218,8 +1278,14 @@ doRemoteClose (virConnectPtr conn, struc return -1; /* Close socket. */ - if (priv->uses_tls && priv->session) + if (priv->uses_tls && priv->session) { gnutls_bye (priv->session, GNUTLS_SHUT_RDWR); + gnutls_deinit (priv->session); + } +#if HAVE_SASL + if (priv->saslconn) + sasl_dispose (&priv->saslconn); +#endif close (priv->sock); if (priv->pid > 0) { @@ -1230,6 +1296,9 @@ doRemoteClose (virConnectPtr conn, struc continue; } while (reap != -1 && reap != priv->pid); } + + /* Free hostname copy */ + if (priv->hostname) free (priv->hostname); /* See comment for remoteType. */ if (priv->type) free (priv->type); @@ -2751,6 +2820,298 @@ remoteNetworkSetAutostart (virNetworkPtr /*----------------------------------------------------------------------*/ +static int +remoteAuthenticate (virConnectPtr conn, struct private_data *priv, int in_open) +{ + struct remote_auth_list_ret ret; + int err; + + memset(&ret, 0, sizeof ret); + err = call (conn, priv, + REMOTE_CALL_IN_OPEN | REMOTE_CALL_QUIET_MISSING_RPC, + REMOTE_PROC_AUTH_LIST, + (xdrproc_t) xdr_void, (char *) NULL, + (xdrproc_t) xdr_remote_auth_list_ret, (char *) &ret); + if (err == -2) /* Missing RPC - old server - ignore */ + return 0; + + if (err < 0) + return -1; + + if (ret.types.types_len == 0) + return 0; + + switch (ret.types.types_val[0]) { +#if HAVE_SASL + case REMOTE_AUTH_SASL: + if (remoteAuthSASL(conn, priv, in_open) < 0) { + free(ret.types.types_val); + return -1; + } + break; +#endif + + case REMOTE_AUTH_NONE: + /* Nothing todo, hurrah ! */ + break; + + default: + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "unsupported authentication type %d", ret.types.types_val[0]); + free(ret.types.types_val); + return -1; + } + + free(ret.types.types_val); + + return 0; +} + + + +#if HAVE_SASL +/* + * NB, keep in sync with similar method in qemud/remote.c + */ +static char *addrToString(struct sockaddr_storage *sa, socklen_t salen) +{ + char host[1024], port[20]; + char *addr; + int err; + + if ((err = getnameinfo((struct sockaddr *)sa, salen, + host, sizeof(host), + port, sizeof(port), + NI_NUMERICHOST | NI_NUMERICSERV)) != 0) { + __virRaiseError (NULL, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_NO_MEMORY, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Cannot resolve address %d: %s", err, gai_strerror(err)); + return NULL; + } + + addr = malloc(strlen(host) + 1 + strlen(port) + 1); + if (!addr) { + __virRaiseError (NULL, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_NO_MEMORY, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "address"); + return NULL; + } + + strcpy(addr, host); + strcat(addr, ";"); + strcat(addr, port); + return addr; +} + + +/* Perform the SASL authentication process + * + * XXX negotiate a session encryption layer for non-TLS sockets + * XXX fetch credentials from a libvirt client app callback + * XXX max packet size spec + * XXX better mechanism negotiation ? Ask client app ? + */ +static int +remoteAuthSASL (virConnectPtr conn, struct private_data *priv, int in_open) +{ + sasl_conn_t *saslconn = NULL; + remote_auth_sasl_init_ret iret; + remote_auth_sasl_start_args sargs; + remote_auth_sasl_start_ret sret; + remote_auth_sasl_step_args pargs; + remote_auth_sasl_step_ret pret; + const char *clientout; + char *serverin; + unsigned int clientoutlen, serverinlen; + const char *mech; + int err, complete; + struct sockaddr_storage sa; + socklen_t salen; + char *localAddr, *remoteAddr; + + remoteDebug(priv, "Client initialize SASL authentication"); + /* Sets up the SASL library as a whole */ + err = sasl_client_init(NULL); + if (err != SASL_OK) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "failed to initialize SASL library: %d (%s)", + err, sasl_errstring(err, NULL, NULL)); + return -1; + } + + /* Get local address in form IPADDR:PORT */ + salen = sizeof(sa); + if (getsockname(priv->sock, (struct sockaddr*)&sa, &salen) < 0) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "failed to get sock address %d (%s)", + errno, strerror(errno)); + return -1; + } + if ((localAddr = addrToString(&sa, salen)) == NULL) { + return -1; + } + + /* Get remote address in form IPADDR:PORT */ + salen = sizeof(sa); + if (getpeername(priv->sock, (struct sockaddr*)&sa, &salen) < 0) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "failed to get peer address %d (%s)", + errno, strerror(errno)); + free(localAddr); + return -1; + } + if ((remoteAddr = addrToString(&sa, salen)) == NULL) { + free(localAddr); + return -1; + } + + /* Setup a handle for being a client */ + err = sasl_client_new("libvirt", + priv->hostname, + localAddr, + remoteAddr, + NULL, /* XXX callbacks */ + SASL_SUCCESS_DATA, + &saslconn); + free(localAddr); + free(remoteAddr); + if (err != SASL_OK) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Failed to create SASL client context: %d (%s)", + err, sasl_errstring(err, NULL, NULL)); + return -1; + } + + /* First call is to inquire about supported mechanisms in the server */ + memset (&iret, 0, sizeof iret); + if (call (conn, priv, in_open, REMOTE_PROC_AUTH_SASL_INIT, + (xdrproc_t) xdr_void, (char *)NULL, + (xdrproc_t) xdr_remote_auth_sasl_init_ret, (char *) &iret) != 0) { + sasl_dispose(&saslconn); + return -1; /* virError already set by call */ + } + + + /* Start the auth negotiation on the client end first */ + remoteDebug(priv, "Client start negotiation mechlist '%s'", iret.mechlist); + err = sasl_client_start(saslconn, + iret.mechlist, + NULL, /* XXX interactions */ + &clientout, + &clientoutlen, + &mech); + if (err != SASL_OK && err != SASL_CONTINUE) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Failed to start SASL negotiation: %d (%s)", + err, sasl_errdetail(saslconn)); + free(iret.mechlist); + sasl_dispose(&saslconn); + return -1; + } + free(iret.mechlist); + + if (clientoutlen > REMOTE_AUTH_SASL_DATA_MAX) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "SASL negotiation data too long: %d bytes", clientoutlen); + sasl_dispose(&saslconn); + return -1; + } + /* NB, distinction of NULL vs "" is *critical* in SASL */ + memset(&sargs, 0, sizeof sargs); + sargs.nil = clientout ? 0 : 1; + sargs.data.data_val = (char*)clientout; + sargs.data.data_len = clientoutlen; + sargs.mech = (char*)mech; + remoteDebug(priv, "Server start negotiation with mech %s. Data %d bytes %p", mech, clientoutlen, clientout); + + /* Now send the initial auth data to the server */ + memset (&sret, 0, sizeof sret); + if (call (conn, priv, in_open, REMOTE_PROC_AUTH_SASL_START, + (xdrproc_t) xdr_remote_auth_sasl_start_args, (char *) &sargs, + (xdrproc_t) xdr_remote_auth_sasl_start_ret, (char *) &sret) != 0) { + sasl_dispose(&saslconn); + return -1; /* virError already set by call */ + } + + complete = sret.complete; + /* NB, distinction of NULL vs "" is *critical* in SASL */ + serverin = sret.nil ? NULL : sret.data.data_val; + serverinlen = sret.data.data_len; + remoteDebug(priv, "Client step result complete: %d. Data %d bytes %p", + complete, serverinlen, serverin); + + /* Loop-the-loop... + * Even if the server has completed, the client must *always* do at least one step + * in this loop to verify the server isn't lieing about something. Mutual auth */ + for (;;) { + err = sasl_client_step(saslconn, + serverin, + serverinlen, + NULL, /* XXX interactions */ + &clientout, + &clientoutlen); + if (serverin) free(serverin); + if (err != SASL_OK && err != SASL_CONTINUE) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Failed SASL step: %d (%s)", + err, sasl_errdetail(saslconn)); + sasl_dispose(&saslconn); + return -1; + } + remoteDebug(priv, "Client step result %d. Data %d bytes %p", err, clientoutlen, clientout); + + /* Previous server call showed completion & we're now locally complete too */ + if (complete && err == SASL_OK) + break; + + /* Not done, prepare to talk with the server for another iteration */ + /* NB, distinction of NULL vs "" is *critical* in SASL */ + memset(&pargs, 0, sizeof pargs); + pargs.nil = clientout ? 0 : 1; + pargs.data.data_val = (char*)clientout; + pargs.data.data_len = clientoutlen; + remoteDebug(priv, "Server step with %d bytes %p", clientoutlen, clientout); + + memset (&pret, 0, sizeof pret); + if (call (conn, priv, in_open, REMOTE_PROC_AUTH_SASL_STEP, + (xdrproc_t) xdr_remote_auth_sasl_step_args, (char *) &pargs, + (xdrproc_t) xdr_remote_auth_sasl_step_ret, (char *) &pret) != 0) { + sasl_dispose(&saslconn); + return -1; /* virError already set by call */ + } + + complete = pret.complete; + /* NB, distinction of NULL vs "" is *critical* in SASL */ + serverin = pret.nil ? NULL : pret.data.data_val; + serverinlen = pret.data.data_len; + + remoteDebug(priv, "Client step result complete: %d. Data %d bytes %p", + complete, serverinlen, serverin); + + /* This server call shows complete, and earlier client step was OK */ + if (complete && err == SASL_OK) { + if (serverin) free(serverin); + break; + } + } + + remoteDebug(priv, "SASL authentication complete"); + /* XXX keep this around for wire encoding */ + sasl_dispose(&saslconn); + return 0; +} +#endif /* HAVE_SASL */ + +/*----------------------------------------------------------------------*/ + static int really_write (virConnectPtr conn, struct private_data *priv, int in_open, char *bytes, int len); static int really_read (virConnectPtr conn, struct private_data *priv, @@ -2768,7 +3129,7 @@ static int really_read (virConnectPtr co */ static int call (virConnectPtr conn, struct private_data *priv, - int in_open /* if we are in virConnectOpen */, + int flags /* if we are in virConnectOpen */, int proc_nr, xdrproc_t args_filter, char *args, xdrproc_t ret_filter, char *ret) @@ -2793,13 +3154,13 @@ call (virConnectPtr conn, struct private /* Serialise header followed by args. */ xdrmem_create (&xdr, buffer, sizeof buffer, XDR_ENCODE); if (!xdr_remote_message_header (&xdr, &hdr)) { - error (in_open ? NULL : conn, + error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC, "xdr_remote_message_header"); return -1; } if (!(*args_filter) (&xdr, args)) { - error (in_open ? NULL : conn, VIR_ERR_RPC, "marshalling args"); + error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC, "marshalling args"); return -1; } @@ -2815,23 +3176,23 @@ call (virConnectPtr conn, struct private /* Encode the length word. */ xdrmem_create (&xdr, buffer2, sizeof buffer2, XDR_ENCODE); if (!xdr_int (&xdr, &len)) { - error (in_open ? NULL : conn, VIR_ERR_RPC, "xdr_int (length word)"); + error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC, "xdr_int (length word)"); return -1; } xdr_destroy (&xdr); /* Send length word followed by header+args. */ - if (really_write (conn, priv, in_open, buffer2, sizeof buffer2) == -1 || - really_write (conn, priv, in_open, buffer, len-4) == -1) + if (really_write (conn, priv, flags & REMOTE_CALL_IN_OPEN, buffer2, sizeof buffer2) == -1 || + really_write (conn, priv, flags & REMOTE_CALL_IN_OPEN, buffer, len-4) == -1) return -1; /* Read and deserialise length word. */ - if (really_read (conn, priv, in_open, buffer2, sizeof buffer2) == -1) + if (really_read (conn, priv, flags & REMOTE_CALL_IN_OPEN, buffer2, sizeof buffer2) == -1) return -1; xdrmem_create (&xdr, buffer2, sizeof buffer2, XDR_DECODE); if (!xdr_int (&xdr, &len)) { - error (in_open ? NULL : conn, + error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC, "xdr_int (length word, reply)"); return -1; } @@ -2841,33 +3202,33 @@ call (virConnectPtr conn, struct private len -= 4; if (len < 0 || len > REMOTE_MESSAGE_MAX) { - error (in_open ? NULL : conn, + error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC, "packet received from server too large"); return -1; } /* Read reply header and what follows (either a ret or an error). */ - if (really_read (conn, priv, in_open, buffer, len) == -1) + if (really_read (conn, priv, flags & REMOTE_CALL_IN_OPEN, buffer, len) == -1) return -1; /* Deserialise reply header. */ xdrmem_create (&xdr, buffer, len, XDR_DECODE); if (!xdr_remote_message_header (&xdr, &hdr)) { - error (in_open ? NULL : conn, + error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC, "xdr_remote_message_header (reply)"); return -1; } /* Check program, version, etc. are what we expect. */ if (hdr.prog != REMOTE_PROGRAM) { - __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + __virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "unknown program (received %x, expected %x)", hdr.prog, REMOTE_PROGRAM); return -1; } if (hdr.vers != REMOTE_PROTOCOL_VERSION) { - __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + __virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "unknown protocol version (received %x, expected %x)", hdr.vers, REMOTE_PROTOCOL_VERSION); @@ -2879,21 +3240,21 @@ call (virConnectPtr conn, struct private * message being received at this point. */ if (hdr.proc != proc_nr) { - __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + __virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "unknown procedure (received %x, expected %x)", hdr.proc, proc_nr); return -1; } if (hdr.direction != REMOTE_REPLY) { - __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + __virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "unknown direction (received %x, expected %x)", hdr.direction, REMOTE_REPLY); return -1; } if (hdr.serial != serial) { - __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + __virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "unknown serial (received %x, expected %x)", hdr.serial, serial); @@ -2907,7 +3268,7 @@ call (virConnectPtr conn, struct private switch (hdr.status) { case REMOTE_OK: if (!(*ret_filter) (&xdr, ret)) { - error (in_open ? NULL : conn, VIR_ERR_RPC, "unmarshalling ret"); + error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC, "unmarshalling ret"); return -1; } xdr_destroy (&xdr); @@ -2916,17 +3277,26 @@ call (virConnectPtr conn, struct private case REMOTE_ERROR: memset (&rerror, 0, sizeof rerror); if (!xdr_remote_error (&xdr, &rerror)) { - error (in_open ? NULL : conn, + error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, VIR_ERR_RPC, "unmarshalling remote_error"); return -1; } xdr_destroy (&xdr); - server_error (in_open ? NULL : conn, &rerror); + /* See if caller asked us to keep quiet about missing RPCs + * eg for interop with older servers */ + if (flags & REMOTE_CALL_QUIET_MISSING_RPC && + rerror.domain == VIR_FROM_REMOTE && + rerror.code == VIR_ERR_RPC && + rerror.level == VIR_ERR_ERROR && + STREQLEN(*rerror.message, "unknown procedure", 17)) { + return -2; + } + server_error (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, &rerror); xdr_free ((xdrproc_t) xdr_remote_error, (char *) &rerror); return -1; default: - __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + __virRaiseError (flags & REMOTE_CALL_IN_OPEN ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_RPC, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "unknown status (received %x)", hdr.status); diff -r 1c3780349e89 src/virsh.c --- a/src/virsh.c Wed Nov 28 12:02:28 2007 -0500 +++ b/src/virsh.c Thu Nov 29 09:24:10 2007 -0500 @@ -4525,8 +4525,10 @@ vshInit(vshControl * ctl) * vshConnectionUsability, except ones which don't need a connection * such as "help". */ - if (!ctl->conn) + if (!ctl->conn) { vshError(ctl, FALSE, _("failed to connect to the hypervisor")); + return FALSE; + } return TRUE; } diff -r 1c3780349e89 src/virterror.c --- a/src/virterror.c Wed Nov 28 12:02:28 2007 -0500 +++ b/src/virterror.c Thu Nov 29 09:24:10 2007 -0500 @@ -671,6 +671,12 @@ __virErrorMsg(virErrorNumber error, cons else errmsg = _("invalid MAC adress: %s"); break; + case VIR_ERR_AUTH_FAILED: + if (info == NULL) + errmsg = _("authentication failed"); + else + errmsg = _("authentication failed: %s"); + break; } return (errmsg); } diff -r 1c3780349e89 tests/Makefile.am --- a/tests/Makefile.am Wed Nov 28 12:02:28 2007 -0500 +++ b/tests/Makefile.am Thu Nov 29 09:24:10 2007 -0500 @@ -17,6 +17,7 @@ INCLUDES = \ -I$(top_srcdir)/src \ $(LIBXML_CFLAGS) \ $(GNUTLS_CFLAGS) \ + $(SASL_CFLAGS) \ -D_XOPEN_SOURCE=600 -D_POSIX_C_SOURCE=199506L \ -DGETTEXT_PACKAGE=\"$(PACKAGE)\" \ $(COVERAGE_CFLAGS) \ @@ -27,6 +28,7 @@ LDADDS = \ @STATIC_BINARIES@ \ $(LIBXML_LIBS) \ $(GNUTLS_LIBS) \ + $(SASL_LIBS) \ $(WARN_CFLAGS) \ $(LIBVIRT) \ $(COVERAGE_LDFLAGS) -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

This patch provides the ability to configure what authentication mechanism is used on each socket - UNIX RW, UNIX RO, TCP, and TLS sockets - all can have independant settings. By default the UNIX & TLS sockets have no auth, and the TCP socket has SASL auth enabled. The /etc/libvirt/libvirtd.conf file lets you override these options. There is also a new sasl_allowed_username_list = ["admin"] config param to let you whitelist the users you want to allow. This supports use of wildcards. The username is dependnat on the SASL auth mechanism. For DIGEST-MD5 it will be plain usernames, for Kerberos it will be a username + realm, eg admin EXAMPLE COM After discussion with Rich, I also remove the tls_allowed_ip_list for whitelisting source IP addresses. This was a) not protecting us because it was only checked after the TLS handshake - thus allowing trivial DOS attack b) much easier to handle via tcp wrappers, or IPtables. c) only ever checked for the TLS socket d) IP addresses are easily spoofed. If summary, if you're using a real authentication mechanism, this is only useful for protecting against DOS attacks & that's better done by iptables. Makefile.am | 12 - internal.h | 4 libvirtd.conf | 143 ++++++++++++---- qemud.c | 379 ++++++++++++++++++++++--------------------- remote.c | 290 ++++++++++++++++++++++++-------- remote_dispatch_prototypes.h | 138 +++++++-------- remote_generate_stubs.pl | 5 7 files changed, 602 insertions(+), 369 deletions(-) diff -r f28fe18bd7f5 qemud/Makefile.am --- a/qemud/Makefile.am Thu Nov 29 09:47:39 2007 -0500 +++ b/qemud/Makefile.am Thu Nov 29 09:51:32 2007 -0500 @@ -101,14 +101,14 @@ remote.c: remote_dispatch_prototypes.h \ remote_dispatch_localvars.h \ remote_dispatch_proc_switch.h -remote_dispatch_prototypes.h: remote_generate_stubs.pl remote_protocol.x - perl -w remote_generate_stubs.pl -i remote_protocol.x > $@ +remote_dispatch_prototypes.h: $(srcdir)/remote_generate_stubs.pl remote_protocol.x + perl -w $(srcdir)/remote_generate_stubs.pl -i $(srcdir)/remote_protocol.x > $@ -remote_dispatch_localvars.h: remote_generate_stubs.pl remote_protocol.x - perl -w remote_generate_stubs.pl -v remote_protocol.x > $@ +remote_dispatch_localvars.h: $(srcdir)/remote_generate_stubs.pl remote_protocol.x + perl -w $(srcdir)/remote_generate_stubs.pl -v $(srcdir)/remote_protocol.x > $@ -remote_dispatch_proc_switch.h: remote_generate_stubs.pl remote_protocol.x - perl -w remote_generate_stubs.pl -w remote_protocol.x > $@ +remote_dispatch_proc_switch.h: $(srcdir)/remote_generate_stubs.pl remote_protocol.x + perl -w $(srcdir)/remote_generate_stubs.pl -w $(srcdir)/remote_protocol.x > $@ if LIBVIRT_INIT_SCRIPTS_RED_HAT install-init: libvirtd.init diff -r f28fe18bd7f5 qemud/internal.h --- a/qemud/internal.h Thu Nov 29 09:47:39 2007 -0500 +++ b/qemud/internal.h Thu Nov 29 09:51:32 2007 -0500 @@ -109,6 +109,7 @@ struct qemud_client { const char *saslEncoded; unsigned int saslEncodedLength; unsigned int saslEncodedOffset; + char *saslUsername; #endif unsigned int incomingSerial; @@ -151,6 +152,9 @@ struct qemud_server { #ifdef HAVE_AVAHI struct libvirtd_mdns *mdns; #endif +#if HAVE_SASL + char **saslUsernameWhitelist; +#endif }; void qemudLog(int priority, const char *fmt, ...) diff -r f28fe18bd7f5 qemud/libvirtd.conf --- a/qemud/libvirtd.conf Thu Nov 29 09:47:39 2007 -0500 +++ b/qemud/libvirtd.conf Thu Nov 29 09:51:32 2007 -0500 @@ -2,6 +2,11 @@ # # For further information consult http://libvirt.org/format.html + +################################################################# +# +# Network connectivitiy controls +# # Flag listening for secure TLS connections on the public TCP/IP port. # NB, must pass the --listen flag to the libvirtd process for this to @@ -17,7 +22,9 @@ # NB, must pass the --listen flag to the libvirtd process for this to # have any effect. # -# NB, this is insecure. Do not use except for development. +# Using the TCP socket requires SASL authentication by default. Only +# SASL mechanisms which support data encryption are allowed. This is +# DIGEST_MD5 and GSSAPI (Kerberos5) # # This is disabled by default, uncomment this to enable it. # listen_tcp = 1 @@ -53,6 +60,10 @@ # mdns_name "Virtualization Host Joe Demo" +################################################################# +# +# UNIX socket access controls +# # Set the UNIX domain socket group ownership. This can be used to # allow a 'trusted' set of users access to management capabilities @@ -73,8 +84,88 @@ # # Default allows only root. If setting group ownership may want to # relax this to: -# unix_sock_rw_perms "octal-perms" "0770" - +# unix_sock_rw_perms "0770" + + + +################################################################# +# +# Authentication. +# +# - none: do not perform auth checks. If you can connect to the +# socket you are allowed. This is suitable if there are +# restrictions on connecting to the socket (eg, UNIX +# socket permissions), or if there is a lower layer in +# the network providing auth (eg, TLS/x509 certificates) +# +# - sasl: use SASL infrastructure. The actual auth scheme is then +# controlled from /etc/sasl2/libvirt.conf. For the TCP +# socket only GSSAPI & DIGEST-MD5 mechanisms will be used. +# For non-TCP or TLS sockets, any scheme is allowed. +# + +# Set an authentication scheme for UNIX read-only sockets +# By default socket permissions allow anyone to connect +# +# To restrict monitoring of domains you may wish to enable +# an authentication mechanism here +# auth_unix_ro = "none" + +# Set an authentication scheme for UNIX read-write sockets +# By default socket permissions only allow root. +# +# If the unix_sock_rw_perms are changed you may wish to enable +# an authentication mechanism here +# auth_unix_rw = "none" + +# Change the authentication scheme for TCP sockets. +# +# If you don't enable SASL, then all TCP traffic is cleartext. +# Don't do this outside of a dev/test scenario. For real world +# use, always enable SASL and use the GSSAPI or DIGEST-MD5 +# mechanism in /etc/sasl2/libvirt.conf +# auth_tcp = "sasl" + +# Change the authentication scheme for TLS sockets. +# +# TLS sockets already have encryption provided by the TLS +# layer, and limited authentication is done by certificates +# +# It is possible to make use of any SASL authentication +# mechanism as well, by using 'sasl' for this option +# auth_tls = "none" + + + +################################################################# +# +# TLS x509 certificate configuration +# + + +# Override the default server key file path +# +# key_file "/etc/pki/libvirt/private/serverkey.pem" + +# Override the default server certificate file path +# +# cert_file "/etc/pki/libvirt/servercert.pem" + +# Override the default CA certificate path +# +# ca_file "/etc/pki/CA/cacert.pem" + +# Specify a certificate revocation list. +# +# Defaults to not using a CRL, uncomment to enable it +# crl_file "/etc/pki/CA/crl.pem" + + + +################################################################# +# +# Authorization controls +# # Flag to disable verification of client certificates @@ -87,31 +178,6 @@ # verification - make sure an IP whitelist is set # tls_no_verify_certificate 1 -# Flag to disable verification of client IP address -# -# Client IP address will be verified against the CommonName field -# of the x509 certificate. This has minimal security benefit since -# it is easy to spoof source IP. -# -# Uncommenting this will disable verification -# tls_no_verify_address 1 - -# Override the default server key file path -# -# key_file "/etc/pki/libvirt/private/serverkey.pem" - -# Override the default server certificate file path -# -# cert_file "/etc/pki/libvirt/servercert.pem" - -# Override the default CA certificate path -# -# ca_file "/etc/pki/CA/cacert.pem" - -# Specify a certificate revocation list. -# -# Defaults to not using a CRL, uncomment to enable it -# crl_file "/etc/pki/CA/crl.pem" # A whitelist of allowed x509 Distinguished Names # This list may contain wildcards such as @@ -127,15 +193,20 @@ # tls_allowed_dn_list ["DN1", "DN2"] -# A whitelist of allowed client IP addresses -# -# This list may contain wildcards such as 192.168.* See the POSIX fnmatch -# function for the format of the wildcards. +# A whitelist of allowed SASL usernames. The format for usernames +# depends on the SASL authentication mechanism. Kerberos usernames +# look like username@REALM +# +# This list may contain wildcards such as +# +# "*@EXAMPLE.COM" +# +# See the POSIX fnmatch function for the format of the wildcards. # # NB If this is an empty list, no client can connect, so comment out # entirely rather than using empty list to disable these checks # -# By default, no IP's are checked. This can be IPv4 or IPv6 addresses -# tls_allowed_ip_list ["ip1", "ip2", "ip3"] - - +# By default, no Username's are checked +# sasl_allowed_username_list ["joe@EXAMPLE.COM", "fred@EXAMPLE.COM" ] + + diff -r f28fe18bd7f5 qemud/qemud.c --- a/qemud/qemud.c Thu Nov 29 09:47:39 2007 -0500 +++ b/qemud/qemud.c Thu Nov 29 09:51:32 2007 -0500 @@ -77,15 +77,23 @@ static int unix_sock_rw_perms = 0700; /* static int unix_sock_rw_perms = 0700; /* Allow user only */ static int unix_sock_ro_perms = 0777; /* Allow world */ + +static int auth_unix_rw = REMOTE_AUTH_NONE; +static int auth_unix_ro = REMOTE_AUTH_NONE; +#if HAVE_SASL +static int auth_tcp = REMOTE_AUTH_SASL; +#else +static int auth_tcp = REMOTE_AUTH_NONE; +#endif +static int auth_tls = REMOTE_AUTH_NONE; + #ifdef HAVE_AVAHI static int mdns_adv = 1; static const char *mdns_name = NULL; #endif static int tls_no_verify_certificate = 0; -static int tls_no_verify_address = 0; -static const char **tls_allowed_ip_list = 0; -static const char **tls_allowed_dn_list = 0; +static char **tls_allowed_dn_list = 0; static const char *key_file = LIBVIRT_SERVERKEY; static const char *cert_file = LIBVIRT_SERVERCERT; @@ -450,7 +458,7 @@ static int qemudWritePidFile(const char } static int qemudListenUnix(struct qemud_server *server, - const char *path, int readonly) { + const char *path, int readonly, int auth) { struct qemud_socket *sock = calloc(1, sizeof(struct qemud_socket)); struct sockaddr_un addr; mode_t oldmask; @@ -464,6 +472,7 @@ static int qemudListenUnix(struct qemud_ sock->readonly = readonly; sock->port = -1; sock->type = QEMUD_SOCK_TYPE_UNIX; + sock->auth = auth; if ((sock->fd = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) { qemudLog(QEMUD_ERR, "Failed to create socket: %s", @@ -701,6 +710,27 @@ static int qemudInitPaths(struct qemud_s static struct qemud_server *qemudInitialize(int sigread) { struct qemud_server *server; + + if (!(server = calloc(1, sizeof(struct qemud_server)))) { + qemudLog(QEMUD_ERR, "Failed to allocate struct qemud_server"); + return NULL; + } + + server->sigread = sigread; + + __virEventRegisterImpl(virEventAddHandleImpl, + virEventUpdateHandleImpl, + virEventRemoveHandleImpl, + virEventAddTimeoutImpl, + virEventUpdateTimeoutImpl, + virEventRemoveTimeoutImpl); + + virStateInitialize(); + + return server; +} + +static struct qemud_server *qemudNetworkInit(struct qemud_server *server) { struct qemud_socket *sock; char sockname[PATH_MAX]; char roSockname[PATH_MAX]; @@ -708,56 +738,39 @@ static struct qemud_server *qemudInitial int err; #endif /* HAVE_SASL */ - if (!(server = calloc(1, sizeof(struct qemud_server)))) { - qemudLog(QEMUD_ERR, "Failed to allocate struct qemud_server"); - return NULL; - } - - /* We don't have a dom-0, so start from 1 */ - server->sigread = sigread; - roSockname[0] = '\0'; if (qemudInitPaths(server, sockname, roSockname, PATH_MAX) < 0) goto cleanup; - if (qemudListenUnix(server, sockname, 0) < 0) + if (qemudListenUnix(server, sockname, 0, auth_unix_rw) < 0) goto cleanup; - if (roSockname[0] != '\0' && qemudListenUnix(server, roSockname, 1) < 0) + if (roSockname[0] != '\0' && qemudListenUnix(server, roSockname, 1, auth_unix_ro) < 0) goto cleanup; - __virEventRegisterImpl(virEventAddHandleImpl, - virEventUpdateHandleImpl, - virEventRemoveHandleImpl, - virEventAddTimeoutImpl, - virEventUpdateTimeoutImpl, - virEventRemoveTimeoutImpl); - - virStateInitialize(); - #if HAVE_SASL - if ((err = sasl_server_init(NULL, "libvirt")) != SASL_OK) { - qemudLog(QEMUD_ERR, "Failed to initialize SASL authentication %s", - sasl_errstring(err, NULL, NULL)); - goto cleanup; + if (auth_unix_rw == REMOTE_AUTH_SASL || + auth_unix_ro == REMOTE_AUTH_SASL || + auth_tcp == REMOTE_AUTH_SASL || + auth_tls == REMOTE_AUTH_SASL) { + if ((err = sasl_server_init(NULL, "libvirt")) != SASL_OK) { + qemudLog(QEMUD_ERR, "Failed to initialize SASL authentication %s", + sasl_errstring(err, NULL, NULL)); + goto cleanup; + } } #endif if (ipsock) { -#if HAVE_SASL - if (listen_tcp && remoteListenTCP (server, tcp_port, QEMUD_SOCK_TYPE_TCP, REMOTE_AUTH_SASL) < 0) + if (listen_tcp && remoteListenTCP (server, tcp_port, QEMUD_SOCK_TYPE_TCP, auth_tcp) < 0) goto cleanup; -#else - if (listen_tcp && remoteListenTCP (server, tcp_port, QEMUD_SOCK_TYPE_TCP, REMOTE_AUTH_NONE) < 0) - goto cleanup; -#endif if (listen_tls) { if (remoteInitializeGnuTLS () < 0) goto cleanup; - if (remoteListenTCP (server, tls_port, QEMUD_SOCK_TYPE_TLS, REMOTE_AUTH_NONE) < 0) + if (remoteListenTCP (server, tls_port, QEMUD_SOCK_TYPE_TLS, auth_tls) < 0) goto cleanup; } } @@ -859,7 +872,7 @@ remoteCheckDN (gnutls_x509_crt_t cert) { char name[256]; size_t namesize = sizeof name; - const char **wildcards; + char **wildcards; int err; err = gnutls_x509_crt_get_dn (cert, name, &namesize); @@ -977,53 +990,11 @@ static int static int remoteCheckAccess (struct qemud_client *client) { - char addr[NI_MAXHOST]; - const char **wildcards; - int found, err; - /* Verify client certificate. */ if (remoteCheckCertificate (client->tlssession) == -1) { qemudLog (QEMUD_ERR, "remoteCheckCertificate: failed to verify client's certificate"); if (!tls_no_verify_certificate) return -1; else qemudLog (QEMUD_INFO, "remoteCheckCertificate: tls_no_verify_certificate is set so the bad certificate is ignored"); - } - - /*----- IP address check, similar to tcp wrappers -----*/ - - /* Convert IP address to printable string (eg. "127.0.0.1" or "::1"). */ - err = getnameinfo ((struct sockaddr *) &client->addr, client->addrlen, - addr, sizeof addr, NULL, 0, - NI_NUMERICHOST); - if (err != 0) { - qemudLog (QEMUD_ERR, "getnameinfo: %s", gai_strerror (err)); - return -1; - } - - /* Verify the client is on the list of allowed clients. - * - * NB: No tls_allowed_ip_list in config file means anyone can access. - * If tls_allowed_ip_list is in the config file but empty, means no - * one can access (not particularly useful, but it's what the sysadmin - * would expect). - */ - wildcards = tls_allowed_ip_list; - if (wildcards) { - found = 0; - - while (*wildcards) { - if (fnmatch (*wildcards, addr, 0) == 0) { - found = 1; - break; - } - wildcards++; - } - } else - found = 1; - - if (!found) { - qemudLog (QEMUD_ERR, "remoteCheckAccess: client's IP address (%s) is not on the list of allowed clients (tls_allowed_ip_list)", addr); - if (!tls_no_verify_address) return -1; - else qemudLog (QEMUD_INFO, "remoteCheckAccess: tls_no_verify_address is set so the client's IP address is ignored"); } /* Checks have succeeded. Write a '\1' byte back to the client to @@ -1148,6 +1119,7 @@ static void qemudDispatchClientFailure(s #if HAVE_SASL if (client->saslconn) sasl_dispose(&client->saslconn); + if (client->saslUsername) free(client->saslUsername); #endif if (client->tlssession) gnutls_deinit (client->tlssession); close(client->fd); @@ -1649,17 +1621,114 @@ static void qemudCleanup(struct qemud_se sock = next; } - + if (server->saslUsernameWhitelist) { + char **list = server->saslUsernameWhitelist; + while (*list) { + if (*list) + free(*list); + list++; + } + } virStateCleanup(); free(server); +} + + +static int remoteConfigGetStringList(virConfPtr conf, const char *key, char ***list, const char *filename) { + virConfValuePtr p; + + p = virConfGetValue (conf, key); + if (p) { + switch (p->type) { + case VIR_CONF_STRING: + *list = malloc (2 * sizeof (char *)); + if (*list == NULL) { + qemudLog (QEMUD_ERR, "failed to allocate memory for %s config list", key); + return -1; + } + (*list)[0] = strdup (p->str); + (*list)[1] = 0; + if ((*list)[0] == NULL) { + qemudLog (QEMUD_ERR, "failed to allocate memory for %s config list value", key); + free(*list); + return -1; + } + break; + + case VIR_CONF_LIST: { + int i, len = 0; + virConfValuePtr pp; + for (pp = p->list; pp; pp = pp->next) + len++; + *list = + calloc (1+len, sizeof (char *)); + if (*list == NULL) { + qemudLog (QEMUD_ERR, "failed to allocate memory for %s config list", key); + return -1; + } + for (i = 0, pp = p->list; pp; ++i, pp = pp->next) { + if (pp->type != VIR_CONF_STRING) { + qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: %s: should be a string or list of strings\n", filename, key); + return -1; + } + (*list)[i] = strdup (pp->str); + if ((*list)[i] == NULL) { + for (i = 0 ; i < len ; i++) + if ((*list)[i]) free((*list)[i]); + free(*list); + qemudLog (QEMUD_ERR, "failed to allocate memory for %s config list value", key); + return -1; + } + + } + (*list)[i] = 0; + break; + } + + default: + qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: %s: should be a string or list of strings\n", filename, key); + return -1; + } + } + + return 0; +} + +static int remoteConfigGetAuth(virConfPtr conf, const char *key, int *auth, const char *filename) { + virConfValuePtr p; + + p = virConfGetValue (conf, key); + if (!p) + return 0; + + if (p->type != VIR_CONF_STRING) { + qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: %s: should be a string\n", filename, key); + return -1; + } + + if (!p->str) + return 0; + + if (STREQ(p->str, "none")) { + *auth = REMOTE_AUTH_NONE; +#if HAVE_SASL + } else if (STREQ(p->str, "sasl")) { + *auth = REMOTE_AUTH_SASL; +#endif + } else { + qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: %s: unsupported auth %s\n", filename, key, p->str); + return -1; + } + + return 0; } /* Read the config file if it exists. * Only used in the remote case, hence the name. */ static int -remoteReadConfigFile (const char *filename) +remoteReadConfigFile (struct qemud_server *server, const char *filename) { virConfPtr conf; @@ -1695,6 +1764,15 @@ remoteReadConfigFile (const char *filena p = virConfGetValue (conf, "tcp_port"); CHECK_TYPE ("tcp_port", VIR_CONF_STRING); tcp_port = p ? strdup (p->str) : tcp_port; + + if (remoteConfigGetAuth(conf, "auth_unix_rw", &auth_unix_rw, filename) < 0) + return -1; + if (remoteConfigGetAuth(conf, "auth_unix_ro", &auth_unix_ro, filename) < 0) + return -1; + if (remoteConfigGetAuth(conf, "auth_tcp", &auth_tcp, filename) < 0) + return -1; + if (remoteConfigGetAuth(conf, "auth_tls", &auth_tls, filename) < 0) + return -1; p = virConfGetValue (conf, "unix_sock_group"); CHECK_TYPE ("unix_sock_group", VIR_CONF_STRING); @@ -1743,10 +1821,6 @@ remoteReadConfigFile (const char *filena CHECK_TYPE ("tls_no_verify_certificate", VIR_CONF_LONG); tls_no_verify_certificate = p ? p->l : tls_no_verify_certificate; - p = virConfGetValue (conf, "tls_no_verify_address"); - CHECK_TYPE ("tls_no_verify_address", VIR_CONF_LONG); - tls_no_verify_address = p ? p->l : tls_no_verify_address; - p = virConfGetValue (conf, "key_file"); CHECK_TYPE ("key_file", VIR_CONF_STRING); key_file = p ? strdup (p->str) : key_file; @@ -1763,71 +1837,11 @@ remoteReadConfigFile (const char *filena CHECK_TYPE ("crl_file", VIR_CONF_STRING); crl_file = p ? strdup (p->str) : crl_file; - p = virConfGetValue (conf, "tls_allowed_dn_list"); - if (p) { - switch (p->type) { - case VIR_CONF_STRING: - tls_allowed_dn_list = malloc (2 * sizeof (char *)); - tls_allowed_dn_list[0] = strdup (p->str); - tls_allowed_dn_list[1] = 0; - break; - - case VIR_CONF_LIST: { - int i, len = 0; - virConfValuePtr pp; - for (pp = p->list; pp; pp = p->next) - len++; - tls_allowed_dn_list = - malloc ((1+len) * sizeof (char *)); - for (i = 0, pp = p->list; pp; ++i, pp = p->next) { - if (pp->type != VIR_CONF_STRING) { - qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: tls_allowed_dn_list: should be a string or list of strings\n", filename); - return -1; - } - tls_allowed_dn_list[i] = strdup (pp->str); - } - tls_allowed_dn_list[i] = 0; - break; - } - - default: - qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: tls_allowed_dn_list: should be a string or list of strings\n", filename); - return -1; - } - } - - p = virConfGetValue (conf, "tls_allowed_ip_list"); - if (p) { - switch (p->type) { - case VIR_CONF_STRING: - tls_allowed_ip_list = malloc (2 * sizeof (char *)); - tls_allowed_ip_list[0] = strdup (p->str); - tls_allowed_ip_list[1] = 0; - break; - - case VIR_CONF_LIST: { - int i, len = 0; - virConfValuePtr pp; - for (pp = p->list; pp; pp = p->next) - len++; - tls_allowed_ip_list = - malloc ((1+len) * sizeof (char *)); - for (i = 0, pp = p->list; pp; ++i, pp = p->next) { - if (pp->type != VIR_CONF_STRING) { - qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: tls_allowed_ip_list: should be a string or list of strings\n", filename); - return -1; - } - tls_allowed_ip_list[i] = strdup (pp->str); - } - tls_allowed_ip_list[i] = 0; - break; - } - - default: - qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: tls_allowed_ip_list: should be a string or list of strings\n", filename); - return -1; - } - } + if (remoteConfigGetStringList(conf, "tls_allowed_dn_list", &tls_allowed_dn_list, filename) < 0) + return -1; + + if (remoteConfigGetStringList(conf, "sasl_allowed_username_list", &server->saslUsernameWhitelist, filename) < 0) + return -1; virConfFree (conf); return 0; @@ -1950,13 +1964,6 @@ int main(int argc, char **argv) { } } - /* Read the config file (if it exists). */ - if (remoteReadConfigFile (remote_config_file) < 0) - goto error1; - - if (godaemon) - openlog("libvirtd", 0, 0); - if (pipe(sigpipe) < 0 || qemudSetNonBlock(sigpipe[0]) < 0 || qemudSetNonBlock(sigpipe[1]) < 0) { @@ -1964,8 +1971,38 @@ int main(int argc, char **argv) { strerror(errno)); goto error1; } - sigwrite = sigpipe[1]; + + if (!(server = qemudInitialize(sigpipe[0]))) { + ret = 2; + goto error1; + } + + /* Read the config file (if it exists). */ + if (remoteReadConfigFile (server, remote_config_file) < 0) + goto error1; + + if (godaemon) { + int pid; + openlog("libvirtd", 0, 0); + pid = qemudGoDaemon(); + if (pid < 0) { + qemudLog(QEMUD_ERR, "Failed to fork as daemon: %s", + strerror(errno)); + goto error1; + } + if (pid > 0) + goto out; + + /* Choose the name of the PID file. */ + if (!pid_file) { + if (REMOTE_PID_FILE[0] != '\0') + pid_file = REMOTE_PID_FILE; + } + + if (pid_file && qemudWritePidFile (pid_file) < 0) + goto error1; + } sig_action.sa_handler = sig_handler; sig_action.sa_flags = 0; @@ -1979,31 +2016,6 @@ int main(int argc, char **argv) { sig_action.sa_handler = SIG_IGN; sigaction(SIGPIPE, &sig_action, NULL); - - if (godaemon) { - int pid = qemudGoDaemon(); - if (pid < 0) { - qemudLog(QEMUD_ERR, "Failed to fork as daemon: %s", - strerror(errno)); - goto error1; - } - if (pid > 0) - goto out; - - /* Choose the name of the PID file. */ - if (!pid_file) { - if (REMOTE_PID_FILE[0] != '\0') - pid_file = REMOTE_PID_FILE; - } - - if (pid_file && qemudWritePidFile (pid_file) < 0) - goto error1; - } - - if (!(server = qemudInitialize(sigpipe[0]))) { - ret = 2; - goto error2; - } if (virEventAddHandleImpl(sigpipe[0], POLLIN, @@ -2011,6 +2023,11 @@ int main(int argc, char **argv) { server) < 0) { qemudLog(QEMUD_ERR, "Failed to register callback for signal pipe"); ret = 3; + goto error2; + } + + if (!(server = qemudNetworkInit(server))) { + ret = 2; goto error2; } diff -r f28fe18bd7f5 qemud/remote.c --- a/qemud/remote.c Thu Nov 29 09:47:39 2007 -0500 +++ b/qemud/remote.c Thu Nov 29 09:51:32 2007 -0500 @@ -44,6 +44,7 @@ #include <getopt.h> #include <ctype.h> #include <assert.h> +#include <fnmatch.h> #include <libvirt/virterror.h> @@ -65,14 +66,18 @@ static void make_nonnull_network (remote #include "remote_dispatch_prototypes.h" -typedef int (*dispatch_fn) (struct qemud_client *client, remote_message_header *req, char *args, char *ret); +typedef int (*dispatch_fn) (struct qemud_server *server, + struct qemud_client *client, + remote_message_header *req, + char *args, + char *ret); /* This function gets called from qemud when it detects an incoming * remote protocol message. At this point, client->buffer contains * the full call message (including length word which we skip). */ void -remoteDispatchClientRequest (struct qemud_server *server ATTRIBUTE_UNUSED, +remoteDispatchClientRequest (struct qemud_server *server, struct qemud_client *client) { XDR xdr; @@ -158,7 +163,7 @@ remoteDispatchClientRequest (struct qemu xdr_destroy (&xdr); /* Call function. */ - rv = fn (client, &req, args, ret); + rv = fn (server, client, &req, args, ret); xdr_free (args_filter, args); /* Dispatch function must return -2, -1 or 0. Anything else is @@ -398,7 +403,8 @@ remoteDispatchError (struct qemud_client /*----- Functions. -----*/ static int -remoteDispatchOpen (struct qemud_client *client, remote_message_header *req, +remoteDispatchOpen (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, struct remote_open_args *args, void *ret ATTRIBUTE_UNUSED) { const char *name; @@ -437,7 +443,8 @@ remoteDispatchOpen (struct qemud_client } static int -remoteDispatchClose (struct qemud_client *client, remote_message_header *req, +remoteDispatchClose (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, void *ret ATTRIBUTE_UNUSED) { int rv; @@ -450,7 +457,8 @@ remoteDispatchClose (struct qemud_client } static int -remoteDispatchSupportsFeature (struct qemud_client *client, remote_message_header *req, +remoteDispatchSupportsFeature (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_supports_feature_args *args, remote_supports_feature_ret *ret) { CHECK_CONN(client); @@ -462,7 +470,8 @@ remoteDispatchSupportsFeature (struct qe } static int -remoteDispatchGetType (struct qemud_client *client, remote_message_header *req, +remoteDispatchGetType (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_get_type_ret *ret) { const char *type; @@ -484,7 +493,8 @@ remoteDispatchGetType (struct qemud_clie } static int -remoteDispatchGetVersion (struct qemud_client *client, +remoteDispatchGetVersion (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_get_version_ret *ret) @@ -500,7 +510,8 @@ remoteDispatchGetVersion (struct qemud_c } static int -remoteDispatchGetHostname (struct qemud_client *client, +remoteDispatchGetHostname (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_get_hostname_ret *ret) @@ -516,7 +527,8 @@ remoteDispatchGetHostname (struct qemud_ } static int -remoteDispatchGetMaxVcpus (struct qemud_client *client, +remoteDispatchGetMaxVcpus (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_get_max_vcpus_args *args, remote_get_max_vcpus_ret *ret) @@ -532,7 +544,8 @@ remoteDispatchGetMaxVcpus (struct qemud_ } static int -remoteDispatchNodeGetInfo (struct qemud_client *client, +remoteDispatchNodeGetInfo (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_node_get_info_ret *ret) @@ -556,7 +569,8 @@ remoteDispatchNodeGetInfo (struct qemud_ } static int -remoteDispatchGetCapabilities (struct qemud_client *client, +remoteDispatchGetCapabilities (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_get_capabilities_ret *ret) @@ -572,7 +586,8 @@ remoteDispatchGetCapabilities (struct qe } static int -remoteDispatchDomainGetSchedulerType (struct qemud_client *client, +remoteDispatchDomainGetSchedulerType (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_get_scheduler_type_args *args, remote_domain_get_scheduler_type_ret *ret) @@ -601,7 +616,8 @@ remoteDispatchDomainGetSchedulerType (st } static int -remoteDispatchDomainGetSchedulerParameters (struct qemud_client *client, +remoteDispatchDomainGetSchedulerParameters (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_get_scheduler_parameters_args *args, remote_domain_get_scheduler_parameters_ret *ret) @@ -687,7 +703,8 @@ remoteDispatchDomainGetSchedulerParamete } static int -remoteDispatchDomainSetSchedulerParameters (struct qemud_client *client, +remoteDispatchDomainSetSchedulerParameters (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_set_scheduler_parameters_args *args, void *ret ATTRIBUTE_UNUSED) @@ -747,7 +764,8 @@ remoteDispatchDomainSetSchedulerParamete } static int -remoteDispatchDomainBlockStats (struct qemud_client *client, +remoteDispatchDomainBlockStats (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_block_stats_args *args, remote_domain_block_stats_ret *ret) @@ -777,7 +795,8 @@ remoteDispatchDomainBlockStats (struct q } static int -remoteDispatchDomainInterfaceStats (struct qemud_client *client, +remoteDispatchDomainInterfaceStats (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_interface_stats_args *args, remote_domain_interface_stats_ret *ret) @@ -810,7 +829,8 @@ remoteDispatchDomainInterfaceStats (stru } static int -remoteDispatchDomainAttachDevice (struct qemud_client *client, +remoteDispatchDomainAttachDevice (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_attach_device_args *args, void *ret ATTRIBUTE_UNUSED) @@ -833,7 +853,8 @@ remoteDispatchDomainAttachDevice (struct } static int -remoteDispatchDomainCreate (struct qemud_client *client, +remoteDispatchDomainCreate (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_create_args *args, void *ret ATTRIBUTE_UNUSED) @@ -856,7 +877,8 @@ remoteDispatchDomainCreate (struct qemud } static int -remoteDispatchDomainCreateLinux (struct qemud_client *client, +remoteDispatchDomainCreateLinux (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_create_linux_args *args, remote_domain_create_linux_ret *ret) @@ -874,7 +896,8 @@ remoteDispatchDomainCreateLinux (struct } static int -remoteDispatchDomainDefineXml (struct qemud_client *client, +remoteDispatchDomainDefineXml (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_define_xml_args *args, remote_domain_define_xml_ret *ret) @@ -892,7 +915,8 @@ remoteDispatchDomainDefineXml (struct qe } static int -remoteDispatchDomainDestroy (struct qemud_client *client, +remoteDispatchDomainDestroy (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_destroy_args *args, void *ret ATTRIBUTE_UNUSED) @@ -913,7 +937,8 @@ remoteDispatchDomainDestroy (struct qemu } static int -remoteDispatchDomainDetachDevice (struct qemud_client *client, +remoteDispatchDomainDetachDevice (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_detach_device_args *args, void *ret ATTRIBUTE_UNUSED) @@ -937,7 +962,8 @@ remoteDispatchDomainDetachDevice (struct } static int -remoteDispatchDomainDumpXml (struct qemud_client *client, +remoteDispatchDomainDumpXml (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_dump_xml_args *args, remote_domain_dump_xml_ret *ret) @@ -962,7 +988,8 @@ remoteDispatchDomainDumpXml (struct qemu } static int -remoteDispatchDomainGetAutostart (struct qemud_client *client, +remoteDispatchDomainGetAutostart (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_get_autostart_args *args, remote_domain_get_autostart_ret *ret) @@ -985,7 +1012,8 @@ remoteDispatchDomainGetAutostart (struct } static int -remoteDispatchDomainGetInfo (struct qemud_client *client, +remoteDispatchDomainGetInfo (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_get_info_args *args, remote_domain_get_info_ret *ret) @@ -1017,7 +1045,8 @@ remoteDispatchDomainGetInfo (struct qemu } static int -remoteDispatchDomainGetMaxMemory (struct qemud_client *client, +remoteDispatchDomainGetMaxMemory (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_get_max_memory_args *args, remote_domain_get_max_memory_ret *ret) @@ -1041,7 +1070,8 @@ remoteDispatchDomainGetMaxMemory (struct } static int -remoteDispatchDomainGetMaxVcpus (struct qemud_client *client, +remoteDispatchDomainGetMaxVcpus (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_get_max_vcpus_args *args, remote_domain_get_max_vcpus_ret *ret) @@ -1065,7 +1095,8 @@ remoteDispatchDomainGetMaxVcpus (struct } static int -remoteDispatchDomainGetOsType (struct qemud_client *client, +remoteDispatchDomainGetOsType (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_get_os_type_args *args, remote_domain_get_os_type_ret *ret) @@ -1090,7 +1121,8 @@ remoteDispatchDomainGetOsType (struct qe } static int -remoteDispatchDomainGetVcpus (struct qemud_client *client, +remoteDispatchDomainGetVcpus (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_get_vcpus_args *args, remote_domain_get_vcpus_ret *ret) @@ -1154,7 +1186,8 @@ remoteDispatchDomainGetVcpus (struct qem } static int -remoteDispatchDomainMigratePrepare (struct qemud_client *client, +remoteDispatchDomainMigratePrepare (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_migrate_prepare_args *args, remote_domain_migrate_prepare_ret *ret) @@ -1189,7 +1222,8 @@ remoteDispatchDomainMigratePrepare (stru } static int -remoteDispatchDomainMigratePerform (struct qemud_client *client, +remoteDispatchDomainMigratePerform (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_migrate_perform_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1218,7 +1252,8 @@ remoteDispatchDomainMigratePerform (stru } static int -remoteDispatchDomainMigrateFinish (struct qemud_client *client, +remoteDispatchDomainMigrateFinish (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_migrate_finish_args *args, remote_domain_migrate_finish_ret *ret) @@ -1239,7 +1274,8 @@ remoteDispatchDomainMigrateFinish (struc } static int -remoteDispatchListDefinedDomains (struct qemud_client *client, +remoteDispatchListDefinedDomains (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_list_defined_domains_args *args, remote_list_defined_domains_ret *ret) @@ -1264,7 +1300,8 @@ remoteDispatchListDefinedDomains (struct } static int -remoteDispatchDomainLookupById (struct qemud_client *client, +remoteDispatchDomainLookupById (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_id_args *args, remote_domain_lookup_by_id_ret *ret) @@ -1281,7 +1318,8 @@ remoteDispatchDomainLookupById (struct q } static int -remoteDispatchDomainLookupByName (struct qemud_client *client, +remoteDispatchDomainLookupByName (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_name_args *args, remote_domain_lookup_by_name_ret *ret) @@ -1298,7 +1336,8 @@ remoteDispatchDomainLookupByName (struct } static int -remoteDispatchDomainLookupByUuid (struct qemud_client *client, +remoteDispatchDomainLookupByUuid (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_uuid_args *args, remote_domain_lookup_by_uuid_ret *ret) @@ -1315,7 +1354,8 @@ remoteDispatchDomainLookupByUuid (struct } static int -remoteDispatchNumOfDefinedDomains (struct qemud_client *client, +remoteDispatchNumOfDefinedDomains (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_num_of_defined_domains_ret *ret) @@ -1329,7 +1369,8 @@ remoteDispatchNumOfDefinedDomains (struc } static int -remoteDispatchDomainPinVcpu (struct qemud_client *client, +remoteDispatchDomainPinVcpu (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_pin_vcpu_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1362,7 +1403,8 @@ remoteDispatchDomainPinVcpu (struct qemu } static int -remoteDispatchDomainReboot (struct qemud_client *client, +remoteDispatchDomainReboot (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_reboot_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1385,7 +1427,8 @@ remoteDispatchDomainReboot (struct qemud } static int -remoteDispatchDomainRestore (struct qemud_client *client, +remoteDispatchDomainRestore (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_restore_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1399,7 +1442,8 @@ remoteDispatchDomainRestore (struct qemu } static int -remoteDispatchDomainResume (struct qemud_client *client, +remoteDispatchDomainResume (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_resume_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1422,7 +1466,8 @@ remoteDispatchDomainResume (struct qemud } static int -remoteDispatchDomainSave (struct qemud_client *client, +remoteDispatchDomainSave (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_save_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1445,7 +1490,8 @@ remoteDispatchDomainSave (struct qemud_c } static int -remoteDispatchDomainCoreDump (struct qemud_client *client, +remoteDispatchDomainCoreDump (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_core_dump_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1468,7 +1514,8 @@ remoteDispatchDomainCoreDump (struct qem } static int -remoteDispatchDomainSetAutostart (struct qemud_client *client, +remoteDispatchDomainSetAutostart (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_set_autostart_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1491,7 +1538,8 @@ remoteDispatchDomainSetAutostart (struct } static int -remoteDispatchDomainSetMaxMemory (struct qemud_client *client, +remoteDispatchDomainSetMaxMemory (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_set_max_memory_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1514,7 +1562,8 @@ remoteDispatchDomainSetMaxMemory (struct } static int -remoteDispatchDomainSetMemory (struct qemud_client *client, +remoteDispatchDomainSetMemory (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_set_memory_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1537,7 +1586,8 @@ remoteDispatchDomainSetMemory (struct qe } static int -remoteDispatchDomainSetVcpus (struct qemud_client *client, +remoteDispatchDomainSetVcpus (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_set_vcpus_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1560,7 +1610,8 @@ remoteDispatchDomainSetVcpus (struct qem } static int -remoteDispatchDomainShutdown (struct qemud_client *client, +remoteDispatchDomainShutdown (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_shutdown_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1583,7 +1634,8 @@ remoteDispatchDomainShutdown (struct qem } static int -remoteDispatchDomainSuspend (struct qemud_client *client, +remoteDispatchDomainSuspend (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_suspend_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1606,7 +1658,8 @@ remoteDispatchDomainSuspend (struct qemu } static int -remoteDispatchDomainUndefine (struct qemud_client *client, +remoteDispatchDomainUndefine (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_domain_undefine_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1629,7 +1682,8 @@ remoteDispatchDomainUndefine (struct qem } static int -remoteDispatchListDefinedNetworks (struct qemud_client *client, +remoteDispatchListDefinedNetworks (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_list_defined_networks_args *args, remote_list_defined_networks_ret *ret) @@ -1654,7 +1708,8 @@ remoteDispatchListDefinedNetworks (struc } static int -remoteDispatchListDomains (struct qemud_client *client, +remoteDispatchListDomains (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_list_domains_args *args, remote_list_domains_ret *ret) @@ -1678,7 +1733,8 @@ remoteDispatchListDomains (struct qemud_ } static int -remoteDispatchListNetworks (struct qemud_client *client, +remoteDispatchListNetworks (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_list_networks_args *args, remote_list_networks_ret *ret) @@ -1703,7 +1759,8 @@ remoteDispatchListNetworks (struct qemud } static int -remoteDispatchNetworkCreate (struct qemud_client *client, +remoteDispatchNetworkCreate (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_create_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1726,7 +1783,8 @@ remoteDispatchNetworkCreate (struct qemu } static int -remoteDispatchNetworkCreateXml (struct qemud_client *client, +remoteDispatchNetworkCreateXml (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_create_xml_args *args, remote_network_create_xml_ret *ret) @@ -1743,7 +1801,8 @@ remoteDispatchNetworkCreateXml (struct q } static int -remoteDispatchNetworkDefineXml (struct qemud_client *client, +remoteDispatchNetworkDefineXml (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_define_xml_args *args, remote_network_define_xml_ret *ret) @@ -1760,7 +1819,8 @@ remoteDispatchNetworkDefineXml (struct q } static int -remoteDispatchNetworkDestroy (struct qemud_client *client, +remoteDispatchNetworkDestroy (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_destroy_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1783,7 +1843,8 @@ remoteDispatchNetworkDestroy (struct qem } static int -remoteDispatchNetworkDumpXml (struct qemud_client *client, +remoteDispatchNetworkDumpXml (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_dump_xml_args *args, remote_network_dump_xml_ret *ret) @@ -1808,7 +1869,8 @@ remoteDispatchNetworkDumpXml (struct qem } static int -remoteDispatchNetworkGetAutostart (struct qemud_client *client, +remoteDispatchNetworkGetAutostart (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_get_autostart_args *args, remote_network_get_autostart_ret *ret) @@ -1831,7 +1893,8 @@ remoteDispatchNetworkGetAutostart (struc } static int -remoteDispatchNetworkGetBridgeName (struct qemud_client *client, +remoteDispatchNetworkGetBridgeName (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_get_bridge_name_args *args, remote_network_get_bridge_name_ret *ret) @@ -1856,7 +1919,8 @@ remoteDispatchNetworkGetBridgeName (stru } static int -remoteDispatchNetworkLookupByName (struct qemud_client *client, +remoteDispatchNetworkLookupByName (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_lookup_by_name_args *args, remote_network_lookup_by_name_ret *ret) @@ -1873,7 +1937,8 @@ remoteDispatchNetworkLookupByName (struc } static int -remoteDispatchNetworkLookupByUuid (struct qemud_client *client, +remoteDispatchNetworkLookupByUuid (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_lookup_by_uuid_args *args, remote_network_lookup_by_uuid_ret *ret) @@ -1890,7 +1955,8 @@ remoteDispatchNetworkLookupByUuid (struc } static int -remoteDispatchNetworkSetAutostart (struct qemud_client *client, +remoteDispatchNetworkSetAutostart (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_set_autostart_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1913,7 +1979,8 @@ remoteDispatchNetworkSetAutostart (struc } static int -remoteDispatchNetworkUndefine (struct qemud_client *client, +remoteDispatchNetworkUndefine (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_network_undefine_args *args, void *ret ATTRIBUTE_UNUSED) @@ -1936,7 +2003,8 @@ remoteDispatchNetworkUndefine (struct qe } static int -remoteDispatchNumOfDefinedNetworks (struct qemud_client *client, +remoteDispatchNumOfDefinedNetworks (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_num_of_defined_networks_ret *ret) @@ -1950,7 +2018,8 @@ remoteDispatchNumOfDefinedNetworks (stru } static int -remoteDispatchNumOfDomains (struct qemud_client *client, +remoteDispatchNumOfDomains (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_num_of_domains_ret *ret) @@ -1964,7 +2033,8 @@ remoteDispatchNumOfDomains (struct qemud } static int -remoteDispatchNumOfNetworks (struct qemud_client *client, +remoteDispatchNumOfNetworks (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_num_of_networks_ret *ret) @@ -1979,7 +2049,8 @@ remoteDispatchNumOfNetworks (struct qemu static int -remoteDispatchAuthList (struct qemud_client *client, +remoteDispatchAuthList (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req ATTRIBUTE_UNUSED, void *args ATTRIBUTE_UNUSED, remote_auth_list_ret *ret) @@ -2034,7 +2105,8 @@ static char *addrToString(struct qemud_c * XXX callbacks for stuff like password verification ? */ static int -remoteDispatchAuthSaslInit (struct qemud_client *client, +remoteDispatchAuthSaslInit (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_auth_sasl_init_ret *ret) @@ -2223,11 +2295,67 @@ remoteSASLCheckSSF (struct qemud_client return 0; } +static int +remoteSASLCheckAccess (struct qemud_server *server, + struct qemud_client *client, + remote_message_header *req) { + const void *val; + int err; + char **wildcards; + + err = sasl_getprop(client->saslconn, SASL_USERNAME, &val); + if (err != SASL_OK) { + qemudLog(QEMUD_ERR, "cannot query SASL username on connection %d (%s)", + err, sasl_errstring(err, NULL, NULL)); + remoteDispatchFailAuth(client, req); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + return -1; + } + if (val == NULL) { + qemudLog(QEMUD_ERR, "no client username was found"); + remoteDispatchFailAuth(client, req); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + return -1; + } + REMOTE_DEBUG("SASL client username %s", (const char *)val); + + client->saslUsername = strdup((const char*)val); + if (client->saslUsername == NULL) { + qemudLog(QEMUD_ERR, "out of memory copying username"); + remoteDispatchFailAuth(client, req); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + return -1; + } + + /* If the list is not set, allow any DN. */ + wildcards = server->saslUsernameWhitelist; + if (!wildcards) + return 0; /* No ACL, allow all */ + + while (*wildcards) { + if (fnmatch (*wildcards, client->saslUsername, 0) == 0) + return 0; /* Allowed */ + wildcards++; + } + + /* Denied */ + qemudLog(QEMUD_ERR, "SASL client %s not allowed in whitelist", client->saslUsername); + remoteDispatchFailAuth(client, req); + sasl_dispose(&client->saslconn); + client->saslconn = NULL; + return -1; +} + + /* * This starts the SASL authentication negotiation. */ static int -remoteDispatchAuthSaslStart (struct qemud_client *client, +remoteDispatchAuthSaslStart (struct qemud_server *server, + struct qemud_client *client, remote_message_header *req, remote_auth_sasl_start_args *args, remote_auth_sasl_start_ret *ret) @@ -2291,6 +2419,10 @@ remoteDispatchAuthSaslStart (struct qemu if (remoteSASLCheckSSF(client, req) < 0) return -2; + /* Check username whitelist ACL */ + if (remoteSASLCheckAccess(server, client, req) < 0) + return -2; + REMOTE_DEBUG("Authentication successful %d", client->fd); ret->complete = 1; client->auth = REMOTE_AUTH_NONE; @@ -2301,7 +2433,8 @@ remoteDispatchAuthSaslStart (struct qemu static int -remoteDispatchAuthSaslStep (struct qemud_client *client, +remoteDispatchAuthSaslStep (struct qemud_server *server, + struct qemud_client *client, remote_message_header *req, remote_auth_sasl_step_args *args, remote_auth_sasl_step_ret *ret) @@ -2365,6 +2498,10 @@ remoteDispatchAuthSaslStep (struct qemud if (remoteSASLCheckSSF(client, req) < 0) return -2; + /* Check username whitelist ACL */ + if (remoteSASLCheckAccess(server, client, req) < 0) + return -2; + REMOTE_DEBUG("Authentication successful %d", client->fd); ret->complete = 1; client->auth = REMOTE_AUTH_NONE; @@ -2376,7 +2513,8 @@ remoteDispatchAuthSaslStep (struct qemud #else /* HAVE_SASL */ static int -remoteDispatchAuthSaslInit (struct qemud_client *client, +remoteDispatchAuthSaslInit (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, void *args ATTRIBUTE_UNUSED, remote_auth_sasl_init_ret *ret ATTRIBUTE_UNUSED) @@ -2387,7 +2525,8 @@ remoteDispatchAuthSaslInit (struct qemud } static int -remoteDispatchAuthSaslStart (struct qemud_client *client, +remoteDispatchAuthSaslStart (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_auth_sasl_start_args *args ATTRIBUTE_UNUSED, remote_auth_sasl_start_ret *ret ATTRIBUTE_UNUSED) @@ -2398,7 +2537,8 @@ remoteDispatchAuthSaslStart (struct qemu } static int -remoteDispatchAuthSaslStep (struct qemud_client *client, +remoteDispatchAuthSaslStep (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, remote_message_header *req, remote_auth_sasl_step_args *args ATTRIBUTE_UNUSED, remote_auth_sasl_step_ret *ret ATTRIBUTE_UNUSED) diff -r f28fe18bd7f5 qemud/remote_dispatch_prototypes.h --- a/qemud/remote_dispatch_prototypes.h Thu Nov 29 09:47:39 2007 -0500 +++ b/qemud/remote_dispatch_prototypes.h Thu Nov 29 09:51:32 2007 -0500 @@ -2,72 +2,72 @@ * Do not edit this file. Any changes you make will be lost. */ -static int remoteDispatchAuthList (struct qemud_client *client, remote_message_header *req, void *args, remote_auth_list_ret *ret); -static int remoteDispatchAuthSaslInit (struct qemud_client *client, remote_message_header *req, void *args, remote_auth_sasl_init_ret *ret); -static int remoteDispatchAuthSaslStart (struct qemud_client *client, remote_message_header *req, remote_auth_sasl_start_args *args, remote_auth_sasl_start_ret *ret); -static int remoteDispatchAuthSaslStep (struct qemud_client *client, remote_message_header *req, remote_auth_sasl_step_args *args, remote_auth_sasl_step_ret *ret); -static int remoteDispatchClose (struct qemud_client *client, remote_message_header *req, void *args, void *ret); -static int remoteDispatchDomainAttachDevice (struct qemud_client *client, remote_message_header *req, remote_domain_attach_device_args *args, void *ret); -static int remoteDispatchDomainBlockStats (struct qemud_client *client, remote_message_header *req, remote_domain_block_stats_args *args, remote_domain_block_stats_ret *ret); -static int remoteDispatchDomainCoreDump (struct qemud_client *client, remote_message_header *req, remote_domain_core_dump_args *args, void *ret); -static int remoteDispatchDomainCreate (struct qemud_client *client, remote_message_header *req, remote_domain_create_args *args, void *ret); -static int remoteDispatchDomainCreateLinux (struct qemud_client *client, remote_message_header *req, remote_domain_create_linux_args *args, remote_domain_create_linux_ret *ret); -static int remoteDispatchDomainDefineXml (struct qemud_client *client, remote_message_header *req, remote_domain_define_xml_args *args, remote_domain_define_xml_ret *ret); -static int remoteDispatchDomainDestroy (struct qemud_client *client, remote_message_header *req, remote_domain_destroy_args *args, void *ret); -static int remoteDispatchDomainDetachDevice (struct qemud_client *client, remote_message_header *req, remote_domain_detach_device_args *args, void *ret); -static int remoteDispatchDomainDumpXml (struct qemud_client *client, remote_message_header *req, remote_domain_dump_xml_args *args, remote_domain_dump_xml_ret *ret); -static int remoteDispatchDomainGetAutostart (struct qemud_client *client, remote_message_header *req, remote_domain_get_autostart_args *args, remote_domain_get_autostart_ret *ret); -static int remoteDispatchDomainGetInfo (struct qemud_client *client, remote_message_header *req, remote_domain_get_info_args *args, remote_domain_get_info_ret *ret); -static int remoteDispatchDomainGetMaxMemory (struct qemud_client *client, remote_message_header *req, remote_domain_get_max_memory_args *args, remote_domain_get_max_memory_ret *ret); -static int remoteDispatchDomainGetMaxVcpus (struct qemud_client *client, remote_message_header *req, remote_domain_get_max_vcpus_args *args, remote_domain_get_max_vcpus_ret *ret); -static int remoteDispatchDomainGetOsType (struct qemud_client *client, remote_message_header *req, remote_domain_get_os_type_args *args, remote_domain_get_os_type_ret *ret); -static int remoteDispatchDomainGetSchedulerParameters (struct qemud_client *client, remote_message_header *req, remote_domain_get_scheduler_parameters_args *args, remote_domain_get_scheduler_parameters_ret *ret); -static int remoteDispatchDomainGetSchedulerType (struct qemud_client *client, remote_message_header *req, remote_domain_get_scheduler_type_args *args, remote_domain_get_scheduler_type_ret *ret); -static int remoteDispatchDomainGetVcpus (struct qemud_client *client, remote_message_header *req, remote_domain_get_vcpus_args *args, remote_domain_get_vcpus_ret *ret); -static int remoteDispatchDomainInterfaceStats (struct qemud_client *client, remote_message_header *req, remote_domain_interface_stats_args *args, remote_domain_interface_stats_ret *ret); -static int remoteDispatchDomainLookupById (struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_id_args *args, remote_domain_lookup_by_id_ret *ret); -static int remoteDispatchDomainLookupByName (struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_name_args *args, remote_domain_lookup_by_name_ret *ret); -static int remoteDispatchDomainLookupByUuid (struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_uuid_args *args, remote_domain_lookup_by_uuid_ret *ret); -static int remoteDispatchDomainMigrateFinish (struct qemud_client *client, remote_message_header *req, remote_domain_migrate_finish_args *args, remote_domain_migrate_finish_ret *ret); -static int remoteDispatchDomainMigratePerform (struct qemud_client *client, remote_message_header *req, remote_domain_migrate_perform_args *args, void *ret); -static int remoteDispatchDomainMigratePrepare (struct qemud_client *client, remote_message_header *req, remote_domain_migrate_prepare_args *args, remote_domain_migrate_prepare_ret *ret); -static int remoteDispatchDomainPinVcpu (struct qemud_client *client, remote_message_header *req, remote_domain_pin_vcpu_args *args, void *ret); -static int remoteDispatchDomainReboot (struct qemud_client *client, remote_message_header *req, remote_domain_reboot_args *args, void *ret); -static int remoteDispatchDomainRestore (struct qemud_client *client, remote_message_header *req, remote_domain_restore_args *args, void *ret); -static int remoteDispatchDomainResume (struct qemud_client *client, remote_message_header *req, remote_domain_resume_args *args, void *ret); -static int remoteDispatchDomainSave (struct qemud_client *client, remote_message_header *req, remote_domain_save_args *args, void *ret); -static int remoteDispatchDomainSetAutostart (struct qemud_client *client, remote_message_header *req, remote_domain_set_autostart_args *args, void *ret); -static int remoteDispatchDomainSetMaxMemory (struct qemud_client *client, remote_message_header *req, remote_domain_set_max_memory_args *args, void *ret); -static int remoteDispatchDomainSetMemory (struct qemud_client *client, remote_message_header *req, remote_domain_set_memory_args *args, void *ret); -static int remoteDispatchDomainSetSchedulerParameters (struct qemud_client *client, remote_message_header *req, remote_domain_set_scheduler_parameters_args *args, void *ret); -static int remoteDispatchDomainSetVcpus (struct qemud_client *client, remote_message_header *req, remote_domain_set_vcpus_args *args, void *ret); -static int remoteDispatchDomainShutdown (struct qemud_client *client, remote_message_header *req, remote_domain_shutdown_args *args, void *ret); -static int remoteDispatchDomainSuspend (struct qemud_client *client, remote_message_header *req, remote_domain_suspend_args *args, void *ret); -static int remoteDispatchDomainUndefine (struct qemud_client *client, remote_message_header *req, remote_domain_undefine_args *args, void *ret); -static int remoteDispatchGetCapabilities (struct qemud_client *client, remote_message_header *req, void *args, remote_get_capabilities_ret *ret); -static int remoteDispatchGetHostname (struct qemud_client *client, remote_message_header *req, void *args, remote_get_hostname_ret *ret); -static int remoteDispatchGetMaxVcpus (struct qemud_client *client, remote_message_header *req, remote_get_max_vcpus_args *args, remote_get_max_vcpus_ret *ret); -static int remoteDispatchGetType (struct qemud_client *client, remote_message_header *req, void *args, remote_get_type_ret *ret); -static int remoteDispatchGetVersion (struct qemud_client *client, remote_message_header *req, void *args, remote_get_version_ret *ret); -static int remoteDispatchListDefinedDomains (struct qemud_client *client, remote_message_header *req, remote_list_defined_domains_args *args, remote_list_defined_domains_ret *ret); -static int remoteDispatchListDefinedNetworks (struct qemud_client *client, remote_message_header *req, remote_list_defined_networks_args *args, remote_list_defined_networks_ret *ret); -static int remoteDispatchListDomains (struct qemud_client *client, remote_message_header *req, remote_list_domains_args *args, remote_list_domains_ret *ret); -static int remoteDispatchListNetworks (struct qemud_client *client, remote_message_header *req, remote_list_networks_args *args, remote_list_networks_ret *ret); -static int remoteDispatchNetworkCreate (struct qemud_client *client, remote_message_header *req, remote_network_create_args *args, void *ret); -static int remoteDispatchNetworkCreateXml (struct qemud_client *client, remote_message_header *req, remote_network_create_xml_args *args, remote_network_create_xml_ret *ret); -static int remoteDispatchNetworkDefineXml (struct qemud_client *client, remote_message_header *req, remote_network_define_xml_args *args, remote_network_define_xml_ret *ret); -static int remoteDispatchNetworkDestroy (struct qemud_client *client, remote_message_header *req, remote_network_destroy_args *args, void *ret); -static int remoteDispatchNetworkDumpXml (struct qemud_client *client, remote_message_header *req, remote_network_dump_xml_args *args, remote_network_dump_xml_ret *ret); -static int remoteDispatchNetworkGetAutostart (struct qemud_client *client, remote_message_header *req, remote_network_get_autostart_args *args, remote_network_get_autostart_ret *ret); -static int remoteDispatchNetworkGetBridgeName (struct qemud_client *client, remote_message_header *req, remote_network_get_bridge_name_args *args, remote_network_get_bridge_name_ret *ret); -static int remoteDispatchNetworkLookupByName (struct qemud_client *client, remote_message_header *req, remote_network_lookup_by_name_args *args, remote_network_lookup_by_name_ret *ret); -static int remoteDispatchNetworkLookupByUuid (struct qemud_client *client, remote_message_header *req, remote_network_lookup_by_uuid_args *args, remote_network_lookup_by_uuid_ret *ret); -static int remoteDispatchNetworkSetAutostart (struct qemud_client *client, remote_message_header *req, remote_network_set_autostart_args *args, void *ret); -static int remoteDispatchNetworkUndefine (struct qemud_client *client, remote_message_header *req, remote_network_undefine_args *args, void *ret); -static int remoteDispatchNodeGetInfo (struct qemud_client *client, remote_message_header *req, void *args, remote_node_get_info_ret *ret); -static int remoteDispatchNumOfDefinedDomains (struct qemud_client *client, remote_message_header *req, void *args, remote_num_of_defined_domains_ret *ret); -static int remoteDispatchNumOfDefinedNetworks (struct qemud_client *client, remote_message_header *req, void *args, remote_num_of_defined_networks_ret *ret); -static int remoteDispatchNumOfDomains (struct qemud_client *client, remote_message_header *req, void *args, remote_num_of_domains_ret *ret); -static int remoteDispatchNumOfNetworks (struct qemud_client *client, remote_message_header *req, void *args, remote_num_of_networks_ret *ret); -static int remoteDispatchOpen (struct qemud_client *client, remote_message_header *req, remote_open_args *args, void *ret); -static int remoteDispatchSupportsFeature (struct qemud_client *client, remote_message_header *req, remote_supports_feature_args *args, remote_supports_feature_ret *ret); +static int remoteDispatchAuthList (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_auth_list_ret *ret); +static int remoteDispatchAuthSaslInit (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_auth_sasl_init_ret *ret); +static int remoteDispatchAuthSaslStart (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_auth_sasl_start_args *args, remote_auth_sasl_start_ret *ret); +static int remoteDispatchAuthSaslStep (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_auth_sasl_step_args *args, remote_auth_sasl_step_ret *ret); +static int remoteDispatchClose (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, void *ret); +static int remoteDispatchDomainAttachDevice (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_attach_device_args *args, void *ret); +static int remoteDispatchDomainBlockStats (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_block_stats_args *args, remote_domain_block_stats_ret *ret); +static int remoteDispatchDomainCoreDump (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_core_dump_args *args, void *ret); +static int remoteDispatchDomainCreate (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_create_args *args, void *ret); +static int remoteDispatchDomainCreateLinux (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_create_linux_args *args, remote_domain_create_linux_ret *ret); +static int remoteDispatchDomainDefineXml (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_define_xml_args *args, remote_domain_define_xml_ret *ret); +static int remoteDispatchDomainDestroy (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_destroy_args *args, void *ret); +static int remoteDispatchDomainDetachDevice (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_detach_device_args *args, void *ret); +static int remoteDispatchDomainDumpXml (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_dump_xml_args *args, remote_domain_dump_xml_ret *ret); +static int remoteDispatchDomainGetAutostart (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_get_autostart_args *args, remote_domain_get_autostart_ret *ret); +static int remoteDispatchDomainGetInfo (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_get_info_args *args, remote_domain_get_info_ret *ret); +static int remoteDispatchDomainGetMaxMemory (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_get_max_memory_args *args, remote_domain_get_max_memory_ret *ret); +static int remoteDispatchDomainGetMaxVcpus (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_get_max_vcpus_args *args, remote_domain_get_max_vcpus_ret *ret); +static int remoteDispatchDomainGetOsType (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_get_os_type_args *args, remote_domain_get_os_type_ret *ret); +static int remoteDispatchDomainGetSchedulerParameters (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_get_scheduler_parameters_args *args, remote_domain_get_scheduler_parameters_ret *ret); +static int remoteDispatchDomainGetSchedulerType (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_get_scheduler_type_args *args, remote_domain_get_scheduler_type_ret *ret); +static int remoteDispatchDomainGetVcpus (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_get_vcpus_args *args, remote_domain_get_vcpus_ret *ret); +static int remoteDispatchDomainInterfaceStats (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_interface_stats_args *args, remote_domain_interface_stats_ret *ret); +static int remoteDispatchDomainLookupById (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_id_args *args, remote_domain_lookup_by_id_ret *ret); +static int remoteDispatchDomainLookupByName (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_name_args *args, remote_domain_lookup_by_name_ret *ret); +static int remoteDispatchDomainLookupByUuid (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_lookup_by_uuid_args *args, remote_domain_lookup_by_uuid_ret *ret); +static int remoteDispatchDomainMigrateFinish (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_migrate_finish_args *args, remote_domain_migrate_finish_ret *ret); +static int remoteDispatchDomainMigratePerform (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_migrate_perform_args *args, void *ret); +static int remoteDispatchDomainMigratePrepare (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_migrate_prepare_args *args, remote_domain_migrate_prepare_ret *ret); +static int remoteDispatchDomainPinVcpu (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_pin_vcpu_args *args, void *ret); +static int remoteDispatchDomainReboot (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_reboot_args *args, void *ret); +static int remoteDispatchDomainRestore (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_restore_args *args, void *ret); +static int remoteDispatchDomainResume (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_resume_args *args, void *ret); +static int remoteDispatchDomainSave (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_save_args *args, void *ret); +static int remoteDispatchDomainSetAutostart (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_set_autostart_args *args, void *ret); +static int remoteDispatchDomainSetMaxMemory (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_set_max_memory_args *args, void *ret); +static int remoteDispatchDomainSetMemory (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_set_memory_args *args, void *ret); +static int remoteDispatchDomainSetSchedulerParameters (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_set_scheduler_parameters_args *args, void *ret); +static int remoteDispatchDomainSetVcpus (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_set_vcpus_args *args, void *ret); +static int remoteDispatchDomainShutdown (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_shutdown_args *args, void *ret); +static int remoteDispatchDomainSuspend (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_suspend_args *args, void *ret); +static int remoteDispatchDomainUndefine (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_domain_undefine_args *args, void *ret); +static int remoteDispatchGetCapabilities (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_get_capabilities_ret *ret); +static int remoteDispatchGetHostname (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_get_hostname_ret *ret); +static int remoteDispatchGetMaxVcpus (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_get_max_vcpus_args *args, remote_get_max_vcpus_ret *ret); +static int remoteDispatchGetType (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_get_type_ret *ret); +static int remoteDispatchGetVersion (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_get_version_ret *ret); +static int remoteDispatchListDefinedDomains (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_list_defined_domains_args *args, remote_list_defined_domains_ret *ret); +static int remoteDispatchListDefinedNetworks (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_list_defined_networks_args *args, remote_list_defined_networks_ret *ret); +static int remoteDispatchListDomains (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_list_domains_args *args, remote_list_domains_ret *ret); +static int remoteDispatchListNetworks (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_list_networks_args *args, remote_list_networks_ret *ret); +static int remoteDispatchNetworkCreate (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_create_args *args, void *ret); +static int remoteDispatchNetworkCreateXml (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_create_xml_args *args, remote_network_create_xml_ret *ret); +static int remoteDispatchNetworkDefineXml (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_define_xml_args *args, remote_network_define_xml_ret *ret); +static int remoteDispatchNetworkDestroy (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_destroy_args *args, void *ret); +static int remoteDispatchNetworkDumpXml (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_dump_xml_args *args, remote_network_dump_xml_ret *ret); +static int remoteDispatchNetworkGetAutostart (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_get_autostart_args *args, remote_network_get_autostart_ret *ret); +static int remoteDispatchNetworkGetBridgeName (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_get_bridge_name_args *args, remote_network_get_bridge_name_ret *ret); +static int remoteDispatchNetworkLookupByName (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_lookup_by_name_args *args, remote_network_lookup_by_name_ret *ret); +static int remoteDispatchNetworkLookupByUuid (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_lookup_by_uuid_args *args, remote_network_lookup_by_uuid_ret *ret); +static int remoteDispatchNetworkSetAutostart (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_set_autostart_args *args, void *ret); +static int remoteDispatchNetworkUndefine (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_network_undefine_args *args, void *ret); +static int remoteDispatchNodeGetInfo (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_node_get_info_ret *ret); +static int remoteDispatchNumOfDefinedDomains (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_num_of_defined_domains_ret *ret); +static int remoteDispatchNumOfDefinedNetworks (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_num_of_defined_networks_ret *ret); +static int remoteDispatchNumOfDomains (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_num_of_domains_ret *ret); +static int remoteDispatchNumOfNetworks (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_num_of_networks_ret *ret); +static int remoteDispatchOpen (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_open_args *args, void *ret); +static int remoteDispatchSupportsFeature (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_supports_feature_args *args, remote_supports_feature_ret *ret); diff -r f28fe18bd7f5 qemud/remote_generate_stubs.pl --- a/qemud/remote_generate_stubs.pl Thu Nov 29 09:47:39 2007 -0500 +++ b/qemud/remote_generate_stubs.pl Thu Nov 29 09:51:32 2007 -0500 @@ -93,7 +93,7 @@ elsif ($opt_i) { elsif ($opt_i) { my @keys = sort (keys %calls); foreach (@keys) { - print "static int remoteDispatch$calls{$_}->{ProcName} (struct qemud_client *client, remote_message_header *req, $calls{$_}->{args} *args, $calls{$_}->{ret} *ret);\n"; + print "static int remoteDispatch$calls{$_}->{ProcName} (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, $calls{$_}->{args} *args, $calls{$_}->{ret} *ret);\n"; } } @@ -196,7 +196,8 @@ elsif ($opt_s) { my $retvoid = $ret eq "void"; print "static int\n"; - print "remoteDispatch$calls{$_}->{ProcName} (struct qemud_client *client,\n"; + print "remoteDispatch$calls{$_}->{ProcName} (struct qemud_server *server,\n"; + print " struct qemud_client *client,\n"; print " remote_message_header *req,\n"; print " remote_get_max_vcpus_args *args,\n"; print " remote_get_max_vcpus_ret *ret)\n"; -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

This patch adds support for an PolicyKit authentication mechanism. This was previously described here: http://www.redhat.com/archives/libvir-list/2007-September/msg00168.html If PolicyKit is compiled in, then the UNIX domain sockets have their default settings changed to make sure of PolicyKit. Thus, when PolicyKit is enabled, both the RO & RW sockets are mode 0777. PolicyKit is then called upon client connect to decide whether to allow the client to gain access. The policyfile is shipped in /usr/share/PolicyKit/policy and has default settings to mimic current non-PolicyKit access. If making a read-only connection, any application will be granted access by default. If making a read-write connection, applications will need to authenticate against policykit by providing the user's own password. This is akin to 'sudo' style auth. The credentials persist until the user logs out. The file in /etc/PolicyKit/PolicyKit.conf can be used by the local sysadmin to override the default policy on a per-host basis. eg, they could restrict access to the read-only connections, or open up the read-write connections to more apps. See 'man PolicyKit.conf' for more info. The configure script will check for PolicyKit using pkg-config and only enable it if actually present. So any OS without PolicyKit will not be impacted by this patch. b/qemud/libvirtd.policy | 42 +++++++++++ configure.in | 25 ++++++ libvirt.spec.in | 3 qemud/Makefile.am | 11 ++ qemud/internal.h | 7 + qemud/libvirtd.conf | 18 +++- qemud/qemud.c | 37 +++++++++ qemud/remote.c | 135 +++++++++++++++++++++++++++++++++++- qemud/remote_dispatch_localvars.h | 1 qemud/remote_dispatch_proc_switch.h | 6 + qemud/remote_dispatch_prototypes.h | 1 qemud/remote_protocol.c | 9 ++ qemud/remote_protocol.h | 9 ++ qemud/remote_protocol.x | 10 ++ src/remote_internal.c | 35 +++++++++ 15 files changed, 340 insertions(+), 9 deletions(-) diff -r 40e7c976f974 configure.in --- a/configure.in Thu Nov 29 09:51:32 2007 -0500 +++ b/configure.in Thu Nov 29 10:02:52 2007 -0500 @@ -25,6 +25,7 @@ LIBXML_REQUIRED="2.5.0" LIBXML_REQUIRED="2.5.0" GNUTLS_REQUIRED="1.0.25" AVAHI_REQUIRED="0.6.0" +POLKIT_REQUIRED="0.6" dnl Checks for programs. AC_PROG_CC @@ -388,6 +389,25 @@ AC_SUBST(SASL_LIBS) AC_SUBST(SASL_LIBS) +dnl PolicyKit library +POLKIT_CFLAGS= +POLKIT_LIBS= +AC_ARG_WITH(polkit, + [ --with-polkit use PolicyKit for UNIX socket access checks], + [], + [with_polkit=check]) + +if test "$with_polkit" = "check"; then + PKG_CHECK_EXISTS(polkit-dbus >= $POLKIT_REQUIRED, [with_polkit=yes], [with_polkit=no]) +fi + +if test "$with_polkit" = "yes"; then + PKG_CHECK_MODULES(POLKIT, polkit-dbus >= $POLKIT_REQUIRED) + AC_DEFINE_UNQUOTED(HAVE_POLKIT, 1, [use PolicyKit for UNIX socket access checks]) +fi +AM_CONDITIONAL(HAVE_POLKIT, [test "$with_polkit" = "yes"]) +AC_SUBST(POLKIT_CFLAGS) +AC_SUBST(POLKIT_LIBS) dnl Avahi library AC_ARG_WITH(avahi, @@ -608,6 +628,11 @@ else else AC_MSG_NOTICE([ avahi: no]) fi +if test "$with_polkit" = "yes" ; then +AC_MSG_NOTICE([ polkit: $POLKIT_CFLAGS $POLKIT_LIBS]) +else +AC_MSG_NOTICE([ polkit: no]) +fi AC_MSG_NOTICE([]) AC_MSG_NOTICE([Miscellaneous]) AC_MSG_NOTICE([]) diff -r 40e7c976f974 libvirt.spec.in --- a/libvirt.spec.in Thu Nov 29 09:51:32 2007 -0500 +++ b/libvirt.spec.in Thu Nov 29 10:02:52 2007 -0500 @@ -18,6 +18,7 @@ Requires: iptables Requires: iptables Requires: cyrus-sasl Requires: cyrus-sasl-gssapi +Requires: PolicyKit BuildRequires: xen-devel BuildRequires: libxml2-devel BuildRequires: readline-devel @@ -29,6 +30,7 @@ BuildRequires: bridge-utils BuildRequires: bridge-utils BuildRequires: qemu BuildRequires: cyrus-sasl-devel +BuildRequires: PolicyKit-devel Obsoletes: libvir ExclusiveArch: i386 x86_64 ia64 @@ -141,6 +143,7 @@ fi %{_datadir}/libvirt/networks/default.xml %dir %{_localstatedir}/run/libvirt/ %dir %{_localstatedir}/lib/libvirt/ +%{_datadir}/PolicyKit/policy/libvirtd.policy %dir %attr(0700, root, root) %{_localstatedir}/log/libvirt/qemu/ %attr(4755, root, root) %{_libexecdir}/libvirt_proxy %attr(0755, root, root) %{_sbindir}/libvirtd diff -r 40e7c976f974 qemud/Makefile.am --- a/qemud/Makefile.am Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/Makefile.am Thu Nov 29 10:02:52 2007 -0500 @@ -30,15 +30,24 @@ libvirtd_CFLAGS = \ libvirtd_CFLAGS = \ -I$(top_srcdir)/include -I$(top_builddir)/include \ $(LIBXML_CFLAGS) $(GNUTLS_CFLAGS) $(SASL_CFLAGS) \ + $(POLKIT_CFLAGS) \ $(WARN_CFLAGS) -DLOCAL_STATE_DIR="\"$(localstatedir)\"" \ -DSYSCONF_DIR="\"$(sysconfdir)\"" \ -DQEMUD_PID_FILE="\"$(QEMUD_PID_FILE)\"" \ -DREMOTE_PID_FILE="\"$(REMOTE_PID_FILE)\"" \ -DGETTEXT_PACKAGE=\"$(PACKAGE)\" -libvirtd_LDFLAGS = $(WARN_CFLAGS) $(LIBXML_LIBS) $(GNUTLS_LIBS) $(SASL_LIBS) +libvirtd_LDFLAGS = $(WARN_CFLAGS) $(LIBXML_LIBS) $(GNUTLS_LIBS) $(SASL_LIBS) \ + $(POLKIT_LIBS) libvirtd_DEPENDENCIES = ../src/libvirt.la libvirtd_LDADD = ../src/libvirt.la + + +if HAVE_POLKIT +policydir = $(datadir)/PolicyKit/policy +policy_DATA = libvirtd.policy +endif +EXTRA_DIST += libvirtd.policy if HAVE_AVAHI libvirtd_SOURCES += mdns.c mdns.h diff -r 40e7c976f974 qemud/internal.h --- a/qemud/internal.h Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/internal.h Thu Nov 29 10:02:52 2007 -0500 @@ -30,6 +30,10 @@ #include "../src/gnutls_1_0_compat.h" #if HAVE_SASL #include <sasl/sasl.h> +#endif + +#ifdef HAVE_POLKIT +#include <dbus/dbus.h> #endif #ifdef HAVE_SYS_SYSLIMITS_H @@ -155,6 +159,9 @@ struct qemud_server { #if HAVE_SASL char **saslUsernameWhitelist; #endif +#if HAVE_POLKIT + DBusConnection *sysbus; +#endif }; void qemudLog(int priority, const char *fmt, ...) diff -r 40e7c976f974 qemud/libvirtd.conf --- a/qemud/libvirtd.conf Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/libvirtd.conf Thu Nov 29 10:02:52 2007 -0500 @@ -82,8 +82,11 @@ # Set the UNIX socket permissions for the R/W socket. This is used # for full management of VMs # -# Default allows only root. If setting group ownership may want to -# relax this to: +# Default allows only root. If PolicyKit is enabled on the socket, +# the default will change to allow everyone (eg, 0777) +# +# If not using PolicyKit and setting group ownership for access +# control then you may want to relax this to: # unix_sock_rw_perms "0770" @@ -103,7 +106,12 @@ # socket only GSSAPI & DIGEST-MD5 mechanisms will be used. # For non-TCP or TLS sockets, any scheme is allowed. # - +# - polkit: use PolicyKit to authenticate. This is only suitable +# for use on the UNIX sockets. The default policy will +# require a user to supply their own password to gain +# full read/write access (aka sudo like), while anyone +# is allowed read/only access. +# # Set an authentication scheme for UNIX read-only sockets # By default socket permissions allow anyone to connect # @@ -112,7 +120,9 @@ # auth_unix_ro = "none" # Set an authentication scheme for UNIX read-write sockets -# By default socket permissions only allow root. +# By default socket permissions only allow root. If PolicyKit +# support was compiled into libvirt, the default will be to +# use 'polkit' auth. # # If the unix_sock_rw_perms are changed you may wish to enable # an authentication mechanism here diff -r 40e7c976f974 qemud/libvirtd.policy --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/qemud/libvirtd.policy Thu Nov 29 10:02:52 2007 -0500 @@ -0,0 +1,42 @@ +<!DOCTYPE policyconfig PUBLIC + "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" + "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd"> + +<!-- +Policy definitions for libvirt daemon + +Copyright (c) 2007 Daniel P. Berrange <berrange redhat com> + +libvirt is licensed to you under the GNU Lesser General Public License +version 2. See COPYING for details. + +NOTE: If you make changes to this file, make sure to validate the file +using the polkit-policy-file-validate(1) tool. Changes made to this +file are instantly applied. +--> + +<policyconfig> + <action id="org.libvirt.unix.monitor"> + <description>Monitor local virtualized systems</description> + <message>System policy prevents monitoring of local virtualized systems</message> + <defaults> + <!-- Any program can use libvirt in read-only mode for monitoring, + even if not part of a session --> + <allow_any>yes</allow_any> + <allow_inactive>yes</allow_inactive> + <allow_active>yes</allow_active> + </defaults> + </action> + + <action id="org.libvirt.unix.manage"> + <description>Manage local virtualized systems</description> + <message>System policy prevents management of local virtualized systems</message> + <defaults> + <!-- Only a program in the active host session can use libvirt in + read-write mode for management, and we require user password --> + <allow_any>no</allow_any> + <allow_inactive>no</allow_inactive> + <allow_active>auth_self_keep_session</allow_active> + </defaults> + </action> +</policyconfig> \ No newline at end of file diff -r 40e7c976f974 qemud/qemud.c --- a/qemud/qemud.c Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/qemud.c Thu Nov 29 10:02:52 2007 -0500 @@ -77,9 +77,14 @@ static int unix_sock_rw_perms = 0700; /* static int unix_sock_rw_perms = 0700; /* Allow user only */ static int unix_sock_ro_perms = 0777; /* Allow world */ - +#if HAVE_POLKIT +static int auth_unix_rw = REMOTE_AUTH_POLKIT; +static int auth_unix_ro = REMOTE_AUTH_POLKIT; +#else static int auth_unix_rw = REMOTE_AUTH_NONE; static int auth_unix_ro = REMOTE_AUTH_NONE; +#endif + #if HAVE_SASL static int auth_tcp = REMOTE_AUTH_SASL; #else @@ -762,6 +767,21 @@ static struct qemud_server *qemudNetwork } #endif +#ifdef HAVE_POLKIT + if (auth_unix_rw == REMOTE_AUTH_POLKIT || + auth_unix_ro == REMOTE_AUTH_POLKIT) { + DBusError derr; + dbus_error_init(&derr); + server->sysbus = dbus_bus_get(DBUS_BUS_SYSTEM, &derr); + if (!(server->sysbus)) { + qemudLog(QEMUD_ERR, "Failed to connect to system bus for PolicyKit auth: %s", + derr.message); + dbus_error_free(&derr); + goto cleanup; + } + } +#endif + if (ipsock) { if (listen_tcp && remoteListenTCP (server, tcp_port, QEMUD_SOCK_TYPE_TCP, auth_tcp) < 0) goto cleanup; @@ -829,6 +849,10 @@ static struct qemud_server *qemudNetwork sock = sock->next; } +#ifdef HAVE_POLKIT + if (server->sysbus) + dbus_connection_unref(server->sysbus); +#endif free(server); } return NULL; @@ -1716,6 +1740,10 @@ static int remoteConfigGetAuth(virConfPt } else if (STREQ(p->str, "sasl")) { *auth = REMOTE_AUTH_SASL; #endif +#if HAVE_POLKIT + } else if (STREQ(p->str, "polkit")) { + *auth = REMOTE_AUTH_POLKIT; +#endif } else { qemudLog (QEMUD_ERR, "remoteReadConfigFile: %s: %s: unsupported auth %s\n", filename, key, p->str); return -1; @@ -1767,6 +1795,13 @@ remoteReadConfigFile (struct qemud_serve if (remoteConfigGetAuth(conf, "auth_unix_rw", &auth_unix_rw, filename) < 0) return -1; +#if HAVE_POLKIT + /* Change default perms to be wide-open if PolicyKit is enabled. + * Admin can always override in config file + */ + if (auth_unix_rw == REMOTE_AUTH_POLKIT) + unix_sock_rw_perms = 0777; +#endif if (remoteConfigGetAuth(conf, "auth_unix_ro", &auth_unix_ro, filename) < 0) return -1; if (remoteConfigGetAuth(conf, "auth_tcp", &auth_tcp, filename) < 0) diff -r 40e7c976f974 qemud/remote.c --- a/qemud/remote.c Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/remote.c Thu Nov 29 10:02:52 2007 -0500 @@ -46,6 +46,11 @@ #include <assert.h> #include <fnmatch.h> +#ifdef HAVE_POLKIT +#include <polkit/polkit.h> +#include <polkit-dbus/polkit-dbus.h> +#endif + #include <libvirt/virterror.h> #include "internal.h" @@ -132,7 +137,8 @@ remoteDispatchClientRequest (struct qemu if (req.proc != REMOTE_PROC_AUTH_LIST && req.proc != REMOTE_PROC_AUTH_SASL_INIT && req.proc != REMOTE_PROC_AUTH_SASL_START && - req.proc != REMOTE_PROC_AUTH_SASL_STEP + req.proc != REMOTE_PROC_AUTH_SASL_STEP && + req.proc != REMOTE_PROC_AUTH_POLKIT ) { remoteDispatchError (client, &req, "authentication required"); xdr_destroy (&xdr); @@ -2550,6 +2556,133 @@ remoteDispatchAuthSaslStep (struct qemud #endif /* HAVE_SASL */ +#if HAVE_POLKIT +static int qemudGetSocketIdentity(int fd, uid_t *uid, pid_t *pid) { +#ifdef SO_PEERCRED + struct ucred cr; + unsigned int cr_len = sizeof (cr); + + if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &cr, &cr_len) < 0) { + qemudLog(QEMUD_ERR, "Failed to verify client credentials: %s", strerror(errno)); + return -1; + } + + *pid = cr.pid; + *uid = cr.uid; +#else + /* XXX Many more OS support UNIX socket credentials we could port to. See dbus ....*/ +#error "UNIX socket credentials not supported/implemented on this platform yet..." +#endif + return 0; +} + + +static int +remoteDispatchAuthPolkit (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, + remote_message_header *req, + void *args ATTRIBUTE_UNUSED, + remote_auth_polkit_ret *ret) +{ + pid_t callerPid; + uid_t callerUid; + + REMOTE_DEBUG("Start PolicyKit auth %d", client->fd); + if (client->auth != REMOTE_AUTH_POLKIT) { + qemudLog(QEMUD_ERR, "client tried invalid PolicyKit init request"); + remoteDispatchFailAuth(client, req); + return -2; + } + + if (qemudGetSocketIdentity(client->fd, &callerUid, &callerPid) < 0) { + qemudLog(QEMUD_ERR, "cannot get peer socket identity"); + remoteDispatchFailAuth(client, req); + return -2; + } + + /* Only do policy checks for non-root - allow root user + through with no checks, as a fail-safe - root can easily + change policykit policy anyway, so its pointless trying + to restrict root */ + if (callerUid == 0) { + qemudLog(QEMUD_INFO, "Allowing PID %d running as root", callerPid); + ret->complete = 1; + client->auth = REMOTE_AUTH_NONE; + } else { + PolKitCaller *pkcaller = NULL; + PolKitAction *pkaction = NULL; + PolKitContext *pkcontext = NULL; + PolKitError *pkerr; + PolKitResult pkresult; + DBusError err; + const char *action = client->readonly ? + "org.libvirt.unix.monitor" : + "org.libvirt.unix.manage"; + + qemudLog(QEMUD_INFO, "Checking PID %d running as %d", callerPid, callerUid); + dbus_error_init(&err); + if (!(pkcaller = polkit_caller_new_from_pid(server->sysbus, callerPid, &err))) { + qemudLog(QEMUD_ERR, "Failed to lookup policy kit caller: %s", err.message); + dbus_error_free(&err); + remoteDispatchFailAuth(client, req); + return -2; + } + + if (!(pkaction = polkit_action_new())) { + qemudLog(QEMUD_ERR, "Failed to create polkit action %s\n", strerror(errno)); + polkit_caller_unref(pkcaller); + remoteDispatchFailAuth(client, req); + return -2; + } + polkit_action_set_action_id(pkaction, action); + + if (!(pkcontext = polkit_context_new()) || + !polkit_context_init(pkcontext, &pkerr)) { + qemudLog(QEMUD_ERR, "Failed to create polkit context %s\n", + pkerr ? polkit_error_get_error_message(pkerr) : strerror(errno)); + if (pkerr) + polkit_error_free(pkerr); + polkit_caller_unref(pkcaller); + polkit_action_unref(pkaction); + dbus_error_free(&err); + remoteDispatchFailAuth(client, req); + return -2; + } + + pkresult = polkit_context_can_caller_do_action(pkcontext, pkaction, pkcaller); + polkit_context_unref(pkcontext); + polkit_caller_unref(pkcaller); + polkit_action_unref(pkaction); + if (pkresult != POLKIT_RESULT_YES) { + qemudLog(QEMUD_ERR, "Policy kit denied action %s from pid %d, uid %d, result: %s\n", + action, callerPid, callerUid, polkit_result_to_string_representation(pkresult)); + remoteDispatchFailAuth(client, req); + return -2; + } + qemudLog(QEMUD_INFO, "Policy allowed action %s from pid %d, uid %d, result %s", + action, callerPid, callerUid, polkit_result_to_string_representation(pkresult)); + ret->complete = 1; + client->auth = REMOTE_AUTH_NONE; + } + + return 0; +} + +#else /* HAVE_POLKIT */ + +static int +remoteDispatchAuthPolkitInit (struct qemud_server *server ATTRIBUTE_UNUSED, + struct qemud_client *client, + remote_message_header *req, + void *args ATTRIBUTE_UNUSED, + remote_auth_polkit_ret *ret ATTRIBUTE_UNUSED) +{ + qemudLog(QEMUD_ERR, "client tried unsupported PolicyKit init request"); + remoteDispatchFailAuth(client, req); + return -1; +} +#endif /* HAVE_POLKIT */ + /*----- Helpers. -----*/ /* get_nonnull_domain and get_nonnull_network turn an on-wire diff -r 40e7c976f974 qemud/remote_dispatch_localvars.h --- a/qemud/remote_dispatch_localvars.h Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/remote_dispatch_localvars.h Thu Nov 29 10:02:52 2007 -0500 @@ -37,6 +37,7 @@ remote_domain_create_linux_args lv_remot remote_domain_create_linux_args lv_remote_domain_create_linux_args; remote_domain_create_linux_ret lv_remote_domain_create_linux_ret; remote_domain_set_scheduler_parameters_args lv_remote_domain_set_scheduler_parameters_args; +remote_auth_polkit_ret lv_remote_auth_polkit_ret; remote_auth_sasl_start_args lv_remote_auth_sasl_start_args; remote_auth_sasl_start_ret lv_remote_auth_sasl_start_ret; remote_domain_interface_stats_args lv_remote_domain_interface_stats_args; diff -r 40e7c976f974 qemud/remote_dispatch_proc_switch.h --- a/qemud/remote_dispatch_proc_switch.h Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/remote_dispatch_proc_switch.h Thu Nov 29 10:02:52 2007 -0500 @@ -8,6 +8,12 @@ case REMOTE_PROC_AUTH_LIST: ret = (char *) &lv_remote_auth_list_ret; memset (&lv_remote_auth_list_ret, 0, sizeof lv_remote_auth_list_ret); break; +case REMOTE_PROC_AUTH_POLKIT: + fn = (dispatch_fn) remoteDispatchAuthPolkit; + ret_filter = (xdrproc_t) xdr_remote_auth_polkit_ret; + ret = (char *) &lv_remote_auth_polkit_ret; + memset (&lv_remote_auth_polkit_ret, 0, sizeof lv_remote_auth_polkit_ret); + break; case REMOTE_PROC_AUTH_SASL_INIT: fn = (dispatch_fn) remoteDispatchAuthSaslInit; ret_filter = (xdrproc_t) xdr_remote_auth_sasl_init_ret; diff -r 40e7c976f974 qemud/remote_dispatch_prototypes.h --- a/qemud/remote_dispatch_prototypes.h Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/remote_dispatch_prototypes.h Thu Nov 29 10:02:52 2007 -0500 @@ -3,6 +3,7 @@ */ static int remoteDispatchAuthList (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_auth_list_ret *ret); +static int remoteDispatchAuthPolkit (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_auth_polkit_ret *ret); static int remoteDispatchAuthSaslInit (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, void *args, remote_auth_sasl_init_ret *ret); static int remoteDispatchAuthSaslStart (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_auth_sasl_start_args *args, remote_auth_sasl_start_ret *ret); static int remoteDispatchAuthSaslStep (struct qemud_server *server, struct qemud_client *client, remote_message_header *req, remote_auth_sasl_step_args *args, remote_auth_sasl_step_ret *ret); diff -r 40e7c976f974 qemud/remote_protocol.c --- a/qemud/remote_protocol.c Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/remote_protocol.c Thu Nov 29 10:02:52 2007 -0500 @@ -1309,6 +1309,15 @@ xdr_remote_auth_sasl_step_ret (XDR *xdrs } bool_t +xdr_remote_auth_polkit_ret (XDR *xdrs, remote_auth_polkit_ret *objp) +{ + + if (!xdr_int (xdrs, &objp->complete)) + return FALSE; + return TRUE; +} + +bool_t xdr_remote_procedure (XDR *xdrs, remote_procedure *objp) { diff -r 40e7c976f974 qemud/remote_protocol.h --- a/qemud/remote_protocol.h Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/remote_protocol.h Thu Nov 29 10:02:52 2007 -0500 @@ -68,6 +68,7 @@ enum remote_auth_type { enum remote_auth_type { REMOTE_AUTH_NONE = 0, REMOTE_AUTH_SASL = 1, + REMOTE_AUTH_POLKIT = 2, }; typedef enum remote_auth_type remote_auth_type; @@ -719,6 +720,11 @@ struct remote_auth_sasl_step_ret { } data; }; typedef struct remote_auth_sasl_step_ret remote_auth_sasl_step_ret; + +struct remote_auth_polkit_ret { + int complete; +}; +typedef struct remote_auth_polkit_ret remote_auth_polkit_ret; #define REMOTE_PROGRAM 0x20008086 #define REMOTE_PROTOCOL_VERSION 1 @@ -792,6 +798,7 @@ enum remote_procedure { REMOTE_PROC_AUTH_SASL_INIT = 67, REMOTE_PROC_AUTH_SASL_START = 68, REMOTE_PROC_AUTH_SASL_STEP = 69, + REMOTE_PROC_AUTH_POLKIT = 70, }; typedef enum remote_procedure remote_procedure; @@ -935,6 +942,7 @@ extern bool_t xdr_remote_auth_sasl_star extern bool_t xdr_remote_auth_sasl_start_ret (XDR *, remote_auth_sasl_start_ret*); extern bool_t xdr_remote_auth_sasl_step_args (XDR *, remote_auth_sasl_step_args*); extern bool_t xdr_remote_auth_sasl_step_ret (XDR *, remote_auth_sasl_step_ret*); +extern bool_t xdr_remote_auth_polkit_ret (XDR *, remote_auth_polkit_ret*); extern bool_t xdr_remote_procedure (XDR *, remote_procedure*); extern bool_t xdr_remote_message_direction (XDR *, remote_message_direction*); extern bool_t xdr_remote_message_status (XDR *, remote_message_status*); @@ -1054,6 +1062,7 @@ extern bool_t xdr_remote_auth_sasl_start extern bool_t xdr_remote_auth_sasl_start_ret (); extern bool_t xdr_remote_auth_sasl_step_args (); extern bool_t xdr_remote_auth_sasl_step_ret (); +extern bool_t xdr_remote_auth_polkit_ret (); extern bool_t xdr_remote_procedure (); extern bool_t xdr_remote_message_direction (); extern bool_t xdr_remote_message_status (); diff -r 40e7c976f974 qemud/remote_protocol.x --- a/qemud/remote_protocol.x Thu Nov 29 09:51:32 2007 -0500 +++ b/qemud/remote_protocol.x Thu Nov 29 10:02:52 2007 -0500 @@ -132,7 +132,8 @@ struct remote_error { /* Authentication types available thus far.... */ enum remote_auth_type { REMOTE_AUTH_NONE = 0, - REMOTE_AUTH_SASL = 1 + REMOTE_AUTH_SASL = 1, + REMOTE_AUTH_POLKIT = 2 }; @@ -654,6 +655,10 @@ struct remote_auth_sasl_step_ret { int complete; int nil; char data<REMOTE_AUTH_SASL_DATA_MAX>; +}; + +struct remote_auth_polkit_ret { + int complete; }; /*----- Protocol. -----*/ @@ -731,7 +736,8 @@ enum remote_procedure { REMOTE_PROC_AUTH_LIST = 66, REMOTE_PROC_AUTH_SASL_INIT = 67, REMOTE_PROC_AUTH_SASL_START = 68, - REMOTE_PROC_AUTH_SASL_STEP = 69 + REMOTE_PROC_AUTH_SASL_STEP = 69, + REMOTE_PROC_AUTH_POLKIT = 70 }; /* Custom RPC structure. */ diff -r 40e7c976f974 src/remote_internal.c --- a/src/remote_internal.c Thu Nov 29 09:51:32 2007 -0500 +++ b/src/remote_internal.c Thu Nov 29 10:02:52 2007 -0500 @@ -115,6 +115,9 @@ static int remoteAuthenticate (virConnec #if HAVE_SASL static int remoteAuthSASL (virConnectPtr conn, struct private_data *priv, int in_open); #endif +#if HAVE_POLKIT +static int remoteAuthPolkit (virConnectPtr conn, struct private_data *priv, int in_open); +#endif /* HAVE_POLKIT */ static void error (virConnectPtr conn, virErrorNumber code, const char *info); static void server_error (virConnectPtr conn, remote_error *err); static virDomainPtr get_nonnull_domain (virConnectPtr conn, remote_nonnull_domain domain); @@ -2854,6 +2857,15 @@ remoteAuthenticate (virConnectPtr conn, break; #endif +#if HAVE_POLKIT + case REMOTE_AUTH_POLKIT: + if (remoteAuthPolkit(conn, priv, in_open) < 0) { + free(ret.types.types_val); + return -1; + } + break; +#endif + case REMOTE_AUTH_NONE: /* Nothing todo, hurrah ! */ break; @@ -3443,6 +3455,29 @@ really_write_sasl (virConnectPtr conn, s return really_write_buf(conn, priv, in_open, output, outputlen); } #endif + + +#if HAVE_POLKIT +/* Perform the PolicyKit authentication process + */ +static int +remoteAuthPolkit (virConnectPtr conn, struct private_data *priv, int in_open) +{ + remote_auth_polkit_ret ret; + + remoteDebug(priv, "Client initialize PolicyKit authentication"); + + memset (&ret, 0, sizeof ret); + if (call (conn, priv, in_open, REMOTE_PROC_AUTH_POLKIT, + (xdrproc_t) xdr_void, (char *)NULL, + (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) { + return -1; /* virError already set by call */ + } + + remoteDebug(priv, "PolicyKit authentication complete"); + return 0; +} +#endif /* HAVE_POLKIT */ static int really_write (virConnectPtr conn, struct private_data *priv, -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

This patch implements internal driver API for authentication callbacks in the remote driver. It is basically a bunch of code to bridge from the libvirt public API for auth/credentials and the SASL equivalent API. The libvirt API is very close in style to the SASL API so it is a fairly mechanical mapping. It also adds support for the VIR_CRED_EXTERNAL credential when doing PolicyKit auth. As with Kerberos where you have to kinit externally, credentials for policykit are also setup externally. The application will typically via to org.gnome.PolicyKit.Manager via DBus to get authentication credentials. The VIR_CRED_EXTERNAL credential in libvirt is basically a prompt for the application to do this external setup process. We also add a global 'virConnectAuthPtrDefault' variable to the public API. This is a simple implementation of the authentication callbacks which is able to be used by any command line based applications. It will prompt on STDOUT, and read from STDIN. It is used by virsh as the default authentication callback implementation. The URI syntax for the remote driver is also extended to support a new parameter 'auth'. This lets the client app specifiy a preferred auth scheme it wants to use. It is possible for the server to support many auth schemes on a single socket, so this lets an app prioritize. With the SASL auth scheme it also lets the client app choose one of many SASL mechanisms. If 'auth' is omitted in the URI, the remote driver will just choose the first auth mechanism reported by the server. eg mandate use of PolicyKit qemu:///system?auth=polkit eg mandate use of SASL, with Kerberos qemu+tcp://somehost/system?auth=sasl.GSSAPI eg mandate use of SASL with username/password qemu+tcp://somehost/system?auth=sasl.DIGEST-MD5 include/libvirt/libvirt.h.in | 2 src/internal.h | 2 src/libvirt.c | 72 ++++++ src/libvirt_sym.version | 3 src/remote_internal.c | 477 ++++++++++++++++++++++++++++++++++--------- src/virsh.c | 8 6 files changed, 465 insertions(+), 99 deletions(-) diff -r 98599cfde033 include/libvirt/libvirt.h.in --- a/include/libvirt/libvirt.h.in Wed Nov 28 23:01:08 2007 -0500 +++ b/include/libvirt/libvirt.h.in Wed Nov 28 23:29:58 2007 -0500 @@ -342,6 +342,8 @@ struct _virConnectAuth { typedef struct _virConnectAuth virConnectAuth; typedef virConnectAuth *virConnectAuthPtr; + +extern virConnectAuthPtr virConnectAuthPtrDefault; /** * VIR_UUID_BUFLEN: diff -r 98599cfde033 src/internal.h --- a/src/internal.h Wed Nov 28 23:01:08 2007 -0500 +++ b/src/internal.h Wed Nov 28 23:29:58 2007 -0500 @@ -50,7 +50,9 @@ extern "C" { #define STRNEQ(a,b) (strcmp((a),(b)) != 0) #define STRCASENEQ(a,b) (strcasecmp((a),(b)) != 0) #define STREQLEN(a,b,n) (strncmp((a),(b),(n)) == 0) +#define STRCASEEQLEN(a,b,n) (strncasecmp((a),(b),(n)) == 0) #define STRNEQLEN(a,b,n) (strncmp((a),(b),(n)) != 0) +#define STRCASENEQLEN(a,b,n) (strncasecmp((a),(b),(n)) != 0) #ifndef __GNUC__ #define __FUNCTION__ __func__ diff -r 98599cfde033 src/libvirt.c --- a/src/libvirt.c Wed Nov 28 23:01:08 2007 -0500 +++ b/src/libvirt.c Wed Nov 28 23:29:58 2007 -0500 @@ -62,6 +62,78 @@ static int initialized = 0; #define DEBUG0 #define DEBUG(fs,...) #endif /* !ENABLE_DEBUG */ + +static int virConnectAuthCallbackDefault(virConnectCredentialPtr cred, + unsigned int ncred, + void *cbdata ATTRIBUTE_UNUSED) { + int i; + + for (i = 0 ; i < ncred ; i++) { + char buf[1024]; + char *bufptr = buf; + + printf("%s:", cred[i].prompt); + fflush(stdout); + switch (cred[i].type) { + case VIR_CRED_USERNAME: + case VIR_CRED_AUTHNAME: + case VIR_CRED_ECHOPROMPT: + case VIR_CRED_REALM: + if (!fgets(buf, sizeof(buf), stdin)) { + return -1; + } + if (buf[strlen(buf)-1] == '\n') + buf[strlen(buf)-1] = '\0'; + break; + + case VIR_CRED_PASSPHRASE: + case VIR_CRED_NOECHOPROMPT: + bufptr = getpass(""); + break; + } + + if (STREQ(bufptr, "") && cred[i].defresult) + cred[i].result = strdup(cred[i].defresult); + else + cred[i].result = strdup(bufptr); + if (!cred[i].result) + return -1; + cred[i].resultlen = strlen(cred[i].result); + } + + return 0; +} + +/* Don't typically want VIR_CRED_USERNAME. It enables you to authenticate + * as one user, and act as another. It just results in annoying + * prompts for the username twice & is very rarely what you want + */ +static int virConnectCredTypeDefault[] = { + VIR_CRED_AUTHNAME, + VIR_CRED_ECHOPROMPT, + VIR_CRED_REALM, + VIR_CRED_PASSPHRASE, + VIR_CRED_NOECHOPROMPT, +}; + +static virConnectAuth virConnectAuthDefault = { + virConnectCredTypeDefault, + sizeof(virConnectCredTypeDefault)/sizeof(int), + virConnectAuthCallbackDefault, + NULL, +}; + +/* + * virConnectAuthPtrDefault + * + * A default implementation of the authentication callbacks. This + * implementation is suitable for command line based tools. It will + * prompt for username, passwords, realm and one time keys as needed. + * It will print on STDOUT, and read from STDIN. If this is not + * suitable for the application's needs an alternative implementation + * should be provided. + */ +virConnectAuthPtr virConnectAuthPtrDefault = &virConnectAuthDefault; /** * virInitialize: diff -r 98599cfde033 src/libvirt_sym.version --- a/src/libvirt_sym.version Wed Nov 28 23:01:08 2007 -0500 +++ b/src/libvirt_sym.version Wed Nov 28 23:29:58 2007 -0500 @@ -3,6 +3,9 @@ virInitialize; virConnectOpen; virConnectOpenReadOnly; + virConnectOpenAuth; + virConnectAuthPtrDefault; + virConnectClose; virConnectGetType; virConnectGetVersion; diff -r 98599cfde033 src/remote_internal.c --- a/src/remote_internal.c Wed Nov 28 23:01:08 2007 -0500 +++ b/src/remote_internal.c Wed Nov 28 23:29:58 2007 -0500 @@ -111,12 +111,15 @@ static int call (virConnectPtr conn, str int flags, int proc_nr, xdrproc_t args_filter, char *args, xdrproc_t ret_filter, char *ret); -static int remoteAuthenticate (virConnectPtr conn, struct private_data *priv, int in_open); +static int remoteAuthenticate (virConnectPtr conn, struct private_data *priv, int in_open, + virConnectAuthPtr auth, const char *authtype); #if HAVE_SASL -static int remoteAuthSASL (virConnectPtr conn, struct private_data *priv, int in_open); +static int remoteAuthSASL (virConnectPtr conn, struct private_data *priv, int in_open, + virConnectAuthPtr auth, const char *mech); #endif #if HAVE_POLKIT -static int remoteAuthPolkit (virConnectPtr conn, struct private_data *priv, int in_open); +static int remoteAuthPolkit (virConnectPtr conn, struct private_data *priv, int in_open, + virConnectAuthPtr auth); #endif /* HAVE_POLKIT */ static void error (virConnectPtr conn, virErrorNumber code, const char *info); static void server_error (virConnectPtr conn, remote_error *err); @@ -342,7 +345,7 @@ doRemoteOpen (virConnectPtr conn, * get freed in the failed: path. */ char *name = 0, *command = 0, *sockname = 0, *netcat = 0, *username = 0; - char *port = 0; + char *port = 0, *authtype = 0; int no_verify = 0, no_tty = 0; char **cmd_argv = 0; @@ -401,6 +404,10 @@ doRemoteOpen (virConnectPtr conn, } else if (strcasecmp (var->name, "socket") == 0) { sockname = strdup (var->value); if (!sockname) goto out_of_memory; + var->ignore = 1; + } else if (strcasecmp (var->name, "auth") == 0) { + authtype = strdup (var->value); + if (!authtype) goto out_of_memory; var->ignore = 1; } else if (strcasecmp (var->name, "netcat") == 0) { netcat = strdup (var->value); @@ -718,7 +725,7 @@ doRemoteOpen (virConnectPtr conn, /* Try and authenticate with server */ - if (remoteAuthenticate(conn, priv, 1) == -1) + if (remoteAuthenticate(conn, priv, 1, auth, authtype) == -1) goto failed; /* Finally we can call the remote side's open function. */ @@ -737,6 +744,7 @@ doRemoteOpen (virConnectPtr conn, if (name) free (name); if (command) free (command); if (sockname) free (sockname); + if (authtype) free (authtype); if (netcat) free (netcat); if (username) free (username); if (port) free (port); @@ -2833,10 +2841,11 @@ remoteNetworkSetAutostart (virNetworkPtr /*----------------------------------------------------------------------*/ static int -remoteAuthenticate (virConnectPtr conn, struct private_data *priv, int in_open) +remoteAuthenticate (virConnectPtr conn, struct private_data *priv, int in_open, + virConnectAuthPtr auth, const char *authtype) { struct remote_auth_list_ret ret; - int err; + int err, type = REMOTE_AUTH_NONE; memset(&ret, 0, sizeof ret); err = call (conn, priv, @@ -2853,19 +2862,52 @@ remoteAuthenticate (virConnectPtr conn, if (ret.types.types_len == 0) return 0; - switch (ret.types.types_val[0]) { + if (authtype) { + int want, i; + if (STRCASEEQ(authtype, "sasl") || + STRCASEEQLEN(authtype, "sasl.", 5)) { + want = REMOTE_AUTH_SASL; + } else if (STRCASEEQ(authtype, "polkit")) { + want = REMOTE_AUTH_POLKIT; + } else { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "unknown authentication type %s", authtype); + return -1; + } + for (i = 0 ; i < ret.types.types_len ; i++) { + if (ret.types.types_val[i] == want) + type = want; + } + if (type == REMOTE_AUTH_NONE) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "requested authentication type %s rejected", authtype); + return -1; + } + } else { + type = ret.types.types_val[0]; + } + + switch (type) { #if HAVE_SASL - case REMOTE_AUTH_SASL: - if (remoteAuthSASL(conn, priv, in_open) < 0) { + case REMOTE_AUTH_SASL: { + const char *mech = NULL; + if (authtype && + STRCASEEQLEN(authtype, "sasl.", 5)) + mech = authtype + 5; + + if (remoteAuthSASL(conn, priv, in_open, auth, mech) < 0) { free(ret.types.types_val); return -1; } break; + } #endif #if HAVE_POLKIT case REMOTE_AUTH_POLKIT: - if (remoteAuthPolkit(conn, priv, in_open) < 0) { + if (remoteAuthPolkit(conn, priv, in_open, auth) < 0) { free(ret.types.types_val); return -1; } @@ -2926,13 +2968,174 @@ static char *addrToString(struct sockadd } +static int remoteAuthCredVir2SASL(int vircred) +{ + switch (vircred) { + case VIR_CRED_USERNAME: + return SASL_CB_USER; + + case VIR_CRED_AUTHNAME: + return SASL_CB_AUTHNAME; + + case VIR_CRED_LANGUAGE: + return SASL_CB_LANGUAGE; + + case VIR_CRED_CNONCE: + return SASL_CB_CNONCE; + + case VIR_CRED_PASSPHRASE: + return SASL_CB_PASS; + + case VIR_CRED_ECHOPROMPT: + return SASL_CB_ECHOPROMPT; + + case VIR_CRED_NOECHOPROMPT: + return SASL_CB_NOECHOPROMPT; + + case VIR_CRED_REALM: + return SASL_CB_GETREALM; + } + + return 0; +} + +static int remoteAuthCredSASL2Vir(int vircred) +{ + switch (vircred) { + case SASL_CB_USER: + return VIR_CRED_USERNAME; + + case SASL_CB_AUTHNAME: + return VIR_CRED_AUTHNAME; + + case SASL_CB_LANGUAGE: + return VIR_CRED_LANGUAGE; + + case SASL_CB_CNONCE: + return VIR_CRED_CNONCE; + + case SASL_CB_PASS: + return VIR_CRED_PASSPHRASE; + + case SASL_CB_ECHOPROMPT: + return VIR_CRED_ECHOPROMPT; + + case SASL_CB_NOECHOPROMPT: + return VIR_CRED_NOECHOPROMPT; + + case SASL_CB_GETREALM: + return VIR_CRED_REALM; + } + + return 0; +} + +/* + * @param credtype array of credential types client supports + * @param ncredtype size of credtype array + * @return the SASL callback structure, or NULL on error + * + * Build up the SASL callback structure. We register one callback for + * each credential type that the libvirt client indicated they support. + * We explicitly leav the callback function pointer at NULL though, + * because we don't actually want to get SASL callbacks triggered. + * Instead, we want the start/step functions to return SASL_INTERACT. + * This lets us give the libvirt client a list of all required + * credentials in one go, rather than triggering the callback one + * credential at a time, + */ +static sasl_callback_t *remoteAuthMakeCallbacks(int *credtype, int ncredtype) +{ + sasl_callback_t *cbs = calloc(ncredtype+1, sizeof (sasl_callback_t)); + int i, n; + if (!cbs) { + return NULL; + } + + for (i = 0, n = 0 ; i < ncredtype ; i++) { + int id = remoteAuthCredVir2SASL(credtype[i]); + if (id != 0) + cbs[n++].id = id; + /* Don't fill proc or context fields of sasl_callback_t + * because we want to use interactions instead */ + } + cbs[n].id = 0; + return cbs; +} + + +/* + * @param interact SASL interactions required + * @param cred populated with libvirt credential metadata + * @return the size of the cred array returned + * + * Builds up an array of libvirt credential structs, populating + * with data from the SASL interaction struct. These two structs + * are basically a 1-to-1 copy of each other. + */ +static int remoteAuthMakeCredentials(sasl_interact_t *interact, + virConnectCredentialPtr *cred) +{ + int ninteract; + if (!cred) + return -1; + + for (ninteract = 0 ; interact[ninteract].id != 0 ; ninteract++) + ; /* empty */ + + *cred = calloc(ninteract, sizeof(virConnectCredential)); + if (!*cred) + return -1; + + for (ninteract = 0 ; interact[ninteract].id != 0 ; ninteract++) { + (*cred)[ninteract].type = remoteAuthCredSASL2Vir(interact[ninteract].id); + if (!(*cred)[ninteract].type) { + free(*cred); + return -1; + } + if (interact[ninteract].challenge) + (*cred)[ninteract].challenge = interact[ninteract].challenge; + (*cred)[ninteract].prompt = interact[ninteract].prompt; + if (interact[ninteract].defresult) + (*cred)[ninteract].defresult = interact[ninteract].defresult; + (*cred)[ninteract].result = NULL; + } + + return ninteract; +} + +static void remoteAuthFreeCredentials(virConnectCredentialPtr cred, + int ncred) +{ + int i; + for (i = 0 ; i < ncred ; i++) + free(cred[i].result); + free(cred); +} + + +/* + * @param cred the populated libvirt credentials + * @param interact the SASL interactions to fill in results for + * + * Fills the SASL interactions with the result from the libvirt + * callbacks + */ +static void remoteAuthFillInteract(virConnectCredentialPtr cred, + sasl_interact_t *interact) +{ + int ninteract; + for (ninteract = 0 ; interact[ninteract].id != 0 ; ninteract++) { + interact[ninteract].result = cred[ninteract].result; + interact[ninteract].len = cred[ninteract].resultlen; + } +} + /* Perform the SASL authentication process - * - * XXX fetch credentials from a libvirt client app callback - * XXX better mechanism negotiation ? Ask client app ? */ static int -remoteAuthSASL (virConnectPtr conn, struct private_data *priv, int in_open) +remoteAuthSASL (virConnectPtr conn, struct private_data *priv, int in_open, + virConnectAuthPtr auth, const char *wantmech) { sasl_conn_t *saslconn = NULL; sasl_security_properties_t secprops; @@ -2942,15 +3145,21 @@ remoteAuthSASL (virConnectPtr conn, stru remote_auth_sasl_step_args pargs; remote_auth_sasl_step_ret pret; const char *clientout; - char *serverin; + char *serverin = NULL; unsigned int clientoutlen, serverinlen; const char *mech; int err, complete; struct sockaddr_storage sa; socklen_t salen; - char *localAddr, *remoteAddr; + char *localAddr = NULL, *remoteAddr = NULL; const void *val; sasl_ssf_t ssf; + sasl_callback_t *saslcb = NULL; + sasl_interact_t *interact = NULL; + virConnectCredentialPtr cred = NULL; + int ncred = 0; + int ret = -1; + const char *mechlist; remoteDebug(priv, "Client initialize SASL authentication"); /* Sets up the SASL library as a whole */ @@ -2960,7 +3169,7 @@ remoteAuthSASL (virConnectPtr conn, stru VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "failed to initialize SASL library: %d (%s)", err, sasl_errstring(err, NULL, NULL)); - return -1; + goto cleanup; } /* Get local address in form IPADDR:PORT */ @@ -2970,11 +3179,10 @@ remoteAuthSASL (virConnectPtr conn, stru VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "failed to get sock address %d (%s)", errno, strerror(errno)); - return -1; - } - if ((localAddr = addrToString(&sa, salen)) == NULL) { - return -1; - } + goto cleanup; + } + if ((localAddr = addrToString(&sa, salen)) == NULL) + goto cleanup; /* Get remote address in form IPADDR:PORT */ salen = sizeof(sa); @@ -2983,30 +3191,29 @@ remoteAuthSASL (virConnectPtr conn, stru VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "failed to get peer address %d (%s)", errno, strerror(errno)); - free(localAddr); - return -1; - } - if ((remoteAddr = addrToString(&sa, salen)) == NULL) { - free(localAddr); - return -1; - } + goto cleanup; + } + if ((remoteAddr = addrToString(&sa, salen)) == NULL) + goto cleanup; + + if ((saslcb = remoteAuthMakeCallbacks(auth->credtype, auth->ncredtype)) == NULL) + goto cleanup; /* Setup a handle for being a client */ err = sasl_client_new("libvirt", priv->hostname, localAddr, remoteAddr, - NULL, /* XXX callbacks */ + saslcb, SASL_SUCCESS_DATA, &saslconn); - free(localAddr); - free(remoteAddr); + if (err != SASL_OK) { __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "Failed to create SASL client context: %d (%s)", err, sasl_errstring(err, NULL, NULL)); - return -1; + goto cleanup; } /* Initialize some connection props we care about */ @@ -3018,8 +3225,7 @@ remoteAuthSASL (virConnectPtr conn, stru __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_INTERNAL_ERROR, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "invalid cipher size for TLS session"); - sasl_dispose(&saslconn); - return -1; + goto cleanup; } ssf *= 8; /* key size is bytes, sasl wants bits */ @@ -3030,8 +3236,7 @@ remoteAuthSASL (virConnectPtr conn, stru VIR_ERR_INTERNAL_ERROR, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "cannot set external SSF %d (%s)", err, sasl_errstring(err, NULL, NULL)); - sasl_dispose(&saslconn); - return -1; + goto cleanup; } } @@ -3050,36 +3255,70 @@ remoteAuthSASL (virConnectPtr conn, stru VIR_ERR_INTERNAL_ERROR, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "cannot set security props %d (%s)", err, sasl_errstring(err, NULL, NULL)); - sasl_dispose(&saslconn); - return -1; + goto cleanup; } /* First call is to inquire about supported mechanisms in the server */ memset (&iret, 0, sizeof iret); if (call (conn, priv, in_open, REMOTE_PROC_AUTH_SASL_INIT, (xdrproc_t) xdr_void, (char *)NULL, - (xdrproc_t) xdr_remote_auth_sasl_init_ret, (char *) &iret) != 0) { - sasl_dispose(&saslconn); - return -1; /* virError already set by call */ - } - - + (xdrproc_t) xdr_remote_auth_sasl_init_ret, (char *) &iret) != 0) + goto cleanup; + + + mechlist = iret.mechlist; + if (wantmech) { + if (strstr(mechlist, wantmech) == NULL) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "SASL mechanism %s not supported by server", wantmech); + free(iret.mechlist); + goto cleanup; + } + mechlist = wantmech; + } + restart: /* Start the auth negotiation on the client end first */ - remoteDebug(priv, "Client start negotiation mechlist '%s'", iret.mechlist); + remoteDebug(priv, "Client start negotiation mechlist '%s'", mechlist); err = sasl_client_start(saslconn, - iret.mechlist, - NULL, /* XXX interactions */ + mechlist, + &interact, &clientout, &clientoutlen, &mech); - if (err != SASL_OK && err != SASL_CONTINUE) { + if (err != SASL_OK && err != SASL_CONTINUE && err != SASL_INTERACT) { __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "Failed to start SASL negotiation: %d (%s)", err, sasl_errdetail(saslconn)); free(iret.mechlist); - sasl_dispose(&saslconn); - return -1; + goto cleanup; + } + + /* Need to gather some credentials from the client */ + if (err == SASL_INTERACT) { + if (cred) { + remoteAuthFreeCredentials(cred, ncred); + cred = NULL; + } + if ((ncred = + remoteAuthMakeCredentials(interact, &cred)) < 0) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Failed to make auth credentials"); + free(iret.mechlist); + goto cleanup; + } + /* Run the authentication callback */ + if ((*(auth->cb))(cred, ncred, auth->cbdata) < 0) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Failed to collect auth credentials"); + goto cleanup; + return -1; + } + remoteAuthFillInteract(cred, interact); + goto restart; } free(iret.mechlist); @@ -3087,8 +3326,7 @@ remoteAuthSASL (virConnectPtr conn, stru __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "SASL negotiation data too long: %d bytes", clientoutlen); - sasl_dispose(&saslconn); - return -1; + goto cleanup; } /* NB, distinction of NULL vs "" is *critical* in SASL */ memset(&sargs, 0, sizeof sargs); @@ -3102,10 +3340,8 @@ remoteAuthSASL (virConnectPtr conn, stru memset (&sret, 0, sizeof sret); if (call (conn, priv, in_open, REMOTE_PROC_AUTH_SASL_START, (xdrproc_t) xdr_remote_auth_sasl_start_args, (char *) &sargs, - (xdrproc_t) xdr_remote_auth_sasl_start_ret, (char *) &sret) != 0) { - sasl_dispose(&saslconn); - return -1; /* virError already set by call */ - } + (xdrproc_t) xdr_remote_auth_sasl_start_ret, (char *) &sret) != 0) + goto cleanup; complete = sret.complete; /* NB, distinction of NULL vs "" is *critical* in SASL */ @@ -3118,20 +3354,48 @@ remoteAuthSASL (virConnectPtr conn, stru * Even if the server has completed, the client must *always* do at least one step * in this loop to verify the server isn't lieing about something. Mutual auth */ for (;;) { + restep: err = sasl_client_step(saslconn, serverin, serverinlen, - NULL, /* XXX interactions */ + &interact, &clientout, &clientoutlen); - if (serverin) free(serverin); - if (err != SASL_OK && err != SASL_CONTINUE) { + if (err != SASL_OK && err != SASL_CONTINUE && err != SASL_INTERACT) { __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "Failed SASL step: %d (%s)", err, sasl_errdetail(saslconn)); - sasl_dispose(&saslconn); - return -1; + goto cleanup; + } + /* Need to gather some credentials from the client */ + if (err == SASL_INTERACT) { + if (cred) { + remoteAuthFreeCredentials(cred, ncred); + cred = NULL; + } + if ((ncred = remoteAuthMakeCredentials(interact, &cred)) < 0) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Failed to make auth credentials"); + goto cleanup; + return -1; + } + /* Run the authentication callback */ + if ((*(auth->cb))(cred, ncred, auth->cbdata) < 0) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Failed to collect auth credentials"); + goto cleanup; + return -1; + } + remoteAuthFillInteract(cred, interact); + goto restep; + } + + if (serverin) { + free(serverin); + serverin = NULL; } remoteDebug(priv, "Client step result %d. Data %d bytes %p", err, clientoutlen, clientout); @@ -3150,10 +3414,8 @@ remoteAuthSASL (virConnectPtr conn, stru memset (&pret, 0, sizeof pret); if (call (conn, priv, in_open, REMOTE_PROC_AUTH_SASL_STEP, (xdrproc_t) xdr_remote_auth_sasl_step_args, (char *) &pargs, - (xdrproc_t) xdr_remote_auth_sasl_step_ret, (char *) &pret) != 0) { - sasl_dispose(&saslconn); - return -1; /* virError already set by call */ - } + (xdrproc_t) xdr_remote_auth_sasl_step_ret, (char *) &pret) != 0) + goto cleanup; complete = pret.complete; /* NB, distinction of NULL vs "" is *critical* in SASL */ @@ -3178,8 +3440,7 @@ remoteAuthSASL (virConnectPtr conn, stru VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "cannot query SASL ssf on connection %d (%s)", err, sasl_errstring(err, NULL, NULL)); - sasl_dispose(&saslconn); - return -1; + goto cleanup; } ssf = *(const int *)val; remoteDebug(priv, "SASL SSF value %d", ssf); @@ -3187,16 +3448,65 @@ remoteAuthSASL (virConnectPtr conn, stru __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, "negotiation SSF %d was not strong enough", ssf); - sasl_dispose(&saslconn); - return -1; + goto cleanup; } } remoteDebug(priv, "SASL authentication complete"); priv->saslconn = saslconn; - return 0; + ret = 0; + + cleanup: + if (localAddr) free(localAddr); + if (remoteAddr) free(remoteAddr); + if (serverin) free(serverin); + + free(saslcb); + remoteAuthFreeCredentials(cred, ncred); + if (ret != 0 && saslconn) + sasl_dispose(&saslconn); + return ret; } #endif /* HAVE_SASL */ + + +#if HAVE_POLKIT +/* Perform the PolicyKit authentication process + */ +static int +remoteAuthPolkit (virConnectPtr conn, struct private_data *priv, int in_open, + virConnectAuthPtr auth) +{ + remote_auth_polkit_ret ret; + virConnectCredential cred = { + VIR_CRED_EXTERNAL, + conn->flags & VIR_CONNECT_RO ? "org.libvirt.unix.monitor" : "org.libvirt.unix.manage", + "PolicyKit", + NULL, + NULL, + 0, + }; + remoteDebug(priv, "Client initialize PolicyKit authentication"); + + /* Run the authentication callback */ + if (auth && auth->cb && (*(auth->cb))(&cred, 1, auth->cbdata) < 0) { + __virRaiseError (in_open ? NULL : conn, NULL, NULL, VIR_FROM_REMOTE, + VIR_ERR_AUTH_FAILED, VIR_ERR_ERROR, NULL, NULL, NULL, 0, 0, + "Failed to collect auth credentials"); + return -1; + } + + memset (&ret, 0, sizeof ret); + if (call (conn, priv, in_open, REMOTE_PROC_AUTH_POLKIT, + (xdrproc_t) xdr_void, (char *)NULL, + (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) { + return -1; /* virError already set by call */ + } + + remoteDebug(priv, "PolicyKit authentication complete"); + return 0; +} +#endif /* HAVE_POLKIT */ /*----------------------------------------------------------------------*/ @@ -3461,29 +3771,6 @@ really_write_sasl (virConnectPtr conn, s return really_write_buf(conn, priv, in_open, output, outputlen); } #endif - - -#if HAVE_POLKIT -/* Perform the PolicyKit authentication process - */ -static int -remoteAuthPolkit (virConnectPtr conn, struct private_data *priv, int in_open) -{ - remote_auth_polkit_ret ret; - - remoteDebug(priv, "Client initialize PolicyKit authentication"); - - memset (&ret, 0, sizeof ret); - if (call (conn, priv, in_open, REMOTE_PROC_AUTH_POLKIT, - (xdrproc_t) xdr_void, (char *)NULL, - (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) != 0) { - return -1; /* virError already set by call */ - } - - remoteDebug(priv, "PolicyKit authentication complete"); - return 0; -} -#endif /* HAVE_POLKIT */ static int really_write (virConnectPtr conn, struct private_data *priv, diff -r 98599cfde033 src/virsh.c --- a/src/virsh.c Wed Nov 28 23:01:08 2007 -0500 +++ b/src/virsh.c Wed Nov 28 23:29:58 2007 -0500 @@ -4516,10 +4516,10 @@ vshInit(vshControl * ctl) !strcasecmp(ctl->name, "xen")) && ctl->uid != 0) ctl->readonly = 1; - if (!ctl->readonly) - ctl->conn = virConnectOpen(ctl->name); - else - ctl->conn = virConnectOpenReadOnly(ctl->name); + ctl->conn = virConnectOpenAuth(ctl->name, + virConnectAuthPtrDefault, + ctl->readonly ? VIR_CONNECT_RO : 0); + /* This is not necessarily fatal. All the individual commands check * vshConnectionUsability, except ones which don't need a connection -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

This adds a binding for the virConnectOpenAuth() api in the python API. This allows a python function to be used as the callback. This short example code illustrates the use of the API from a python app which wants to support username/password credentials only. from getpass import getpass mydata = "Hello" def getCred(creds, data): print "yes" print str(creds) for cred in creds: print cred[1] + ": ", if cred[0] == libvirt.VIR_CRED_AUTHNAME: data = sys.stdin.readline() data = data[0:len(data)-1] cred[4] = data elif cred[0] == libvirt.VIR_CRED_PASSPHRASE: cred[4] = getpass("") else: return -1 return 0 uri = "qemu+tcp://localhost/system" conn = libvirt.openAuth(uri, [[libvirt.VIR_CRED_AUTHNAME, libvirt.VIR_CRED_PASSPHRASE], getCred, mydata], 0) print str(conn.listDefinedDomains()) python/libvir.c | 119 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ python/libvir.py | 6 ++ src/qemu_conf.c | 8 +-- 3 files changed, 129 insertions(+), 4 deletions(-) diff -r 8a79678f789f python/libvir.c --- a/python/libvir.c Wed Nov 28 23:01:30 2007 -0500 +++ b/python/libvir.c Wed Nov 28 23:29:40 2007 -0500 @@ -241,6 +241,124 @@ libvirt_virRegisterErrorHandler(ATTRIBUT return (py_retval); } +static int virConnectCredCallbackWrapper(virConnectCredentialPtr cred, + unsigned int ncred, + void *cbdata) { + PyObject *list; + PyObject *pycred; + PyObject *pyauth = (PyObject *)cbdata; + PyObject *pycbdata; + PyObject *pycb; + PyObject *pyret; + int ret = -1, i; + + LIBVIRT_ENSURE_THREAD_STATE; + + pycb = PyList_GetItem(pyauth, 1); + pycbdata = PyList_GetItem(pyauth, 2); + + list = PyTuple_New(2); + pycred = PyTuple_New(ncred); + for (i = 0 ; i < ncred ; i++) { + PyObject *pycreditem; + pycreditem = PyList_New(5); + Py_INCREF(Py_None); + PyTuple_SetItem(pycred, i, pycreditem); + PyList_SetItem(pycreditem, 0, PyInt_FromLong((long) cred[i].type)); + PyList_SetItem(pycreditem, 1, PyString_FromString(cred[i].prompt)); + if (cred[i].challenge) { + PyList_SetItem(pycreditem, 2, PyString_FromString(cred[i].challenge)); + } else { + Py_INCREF(Py_None); + PyList_SetItem(pycreditem, 2, Py_None); + } + if (cred[i].defresult) { + PyList_SetItem(pycreditem, 3, PyString_FromString(cred[i].defresult)); + } else { + Py_INCREF(Py_None); + PyList_SetItem(pycreditem, 3, Py_None); + } + PyList_SetItem(pycreditem, 4, Py_None); + } + + PyTuple_SetItem(list, 0, pycred); + Py_XINCREF(pycbdata); + PyTuple_SetItem(list, 1, pycbdata); + + PyErr_Clear(); + pyret = PyEval_CallObject(pycb, list); + if (PyErr_Occurred()) + goto cleanup; + + ret = PyLong_AsLong(pyret); + if (ret == 0) { + for (i = 0 ; i < ncred ; i++) { + PyObject *pycreditem; + PyObject *pyresult; + char *result = NULL; + pycreditem = PyTuple_GetItem(pycred, i); + pyresult = PyList_GetItem(pycreditem, 4); + if (pyresult != Py_None) + result = PyString_AsString(pyresult); + if (result != NULL) { + cred[i].result = strdup(result); + cred[i].resultlen = strlen(result); + } else { + cred[i].result = NULL; + cred[i].resultlen = 0; + } + } + } + + cleanup: + Py_XDECREF(list); + Py_XDECREF(pyret); + + LIBVIRT_RELEASE_THREAD_STATE; + + return ret; +} + + +static PyObject * +libvirt_virConnectOpenAuth(PyObject *self ATTRIBUTE_UNUSED, PyObject *args) { + PyObject *py_retval; + virConnectPtr c_retval; + char * name; + int flags; + PyObject *pyauth; + PyObject *pycredcb; + PyObject *pycredtype; + virConnectAuth auth; + + if (!PyArg_ParseTuple(args, (char *)"zOi:virConnectOpenAuth", &name, &pyauth, &flags)) + return(NULL); + + pycredtype = PyList_GetItem(pyauth, 0); + pycredcb = PyList_GetItem(pyauth, 1); + + auth.ncredtype = PyList_Size(pycredtype); + if (auth.ncredtype) { + int i; + auth.credtype = malloc(sizeof(int) * auth.ncredtype); + for (i = 0 ; i < auth.ncredtype ; i++) { + PyObject *val; + val = PyList_GetItem(pycredtype, i); + auth.credtype[i] = (int)PyLong_AsLong(val); + } + } + auth.cb = pycredcb ? virConnectCredCallbackWrapper : NULL; + auth.cbdata = pyauth; + + LIBVIRT_BEGIN_ALLOW_THREADS; + + c_retval = virConnectOpenAuth(name, &auth, flags); + LIBVIRT_END_ALLOW_THREADS; + py_retval = libvirt_virConnectPtrWrap((virConnectPtr) c_retval); + return(py_retval); +} + + /************************************************************************ * * * Wrappers for functions where generator fails * @@ -729,6 +847,7 @@ static PyMethodDef libvirtMethods[] = { #include "libvirt-export.c" {(char *) "virGetVersion", libvirt_virGetVersion, METH_VARARGS, NULL}, {(char *) "virDomainFree", libvirt_virDomainFree, METH_VARARGS, NULL}, + {(char *) "virConnectOpenAuth", libvirt_virConnectOpenAuth, METH_VARARGS, NULL}, {(char *) "virConnectClose", libvirt_virConnectClose, METH_VARARGS, NULL}, {(char *) "virConnectListDomainsID", libvirt_virConnectListDomainsID, METH_VARARGS, NULL}, {(char *) "virConnectListDefinedDomains", libvirt_virConnectListDefinedDomains, METH_VARARGS, NULL}, diff -r 8a79678f789f python/libvir.py --- a/python/libvir.py Wed Nov 28 23:01:30 2007 -0500 +++ b/python/libvir.py Wed Nov 28 23:29:40 2007 -0500 @@ -83,6 +83,12 @@ def registerErrorHandler(f, ctx): Returns 1 in case of success.""" return libvirtmod.virRegisterErrorHandler(f,ctx) +def openAuth(uri, auth, flags): + ret = libvirtmod.virConnectOpenAuth(uri, auth, flags) + if ret is None:raise libvirtError('virConnectOpenAuth() failed') + return virConnect(_obj=ret) + + # # Return library version. # diff -r 8a79678f789f src/qemu_conf.c --- a/src/qemu_conf.c Wed Nov 28 23:01:30 2007 -0500 +++ b/src/qemu_conf.c Wed Nov 28 23:29:40 2007 -0500 @@ -2667,7 +2667,7 @@ checkLinkPointsTo(const char *checkLink, char *p; strncpy(dir, checkLink, PATH_MAX); - dir[PATH_MAX] = '\0'; + dir[PATH_MAX-1] = '\0'; if (!(p = strrchr(dir, '/'))) { qemudLog(QEMUD_WARN, "Symlink path '%s' is not absolute", checkLink); @@ -2685,7 +2685,7 @@ checkLinkPointsTo(const char *checkLink, } strncpy(dest, tmp, PATH_MAX); - dest[PATH_MAX] = '\0'; + dest[PATH_MAX-1] = '\0'; } /* canonicalize both paths */ @@ -2693,14 +2693,14 @@ checkLinkPointsTo(const char *checkLink, qemudLog(QEMUD_WARN, "Failed to expand path '%s' :%s", dest, strerror(errno)); strncpy(real, dest, PATH_MAX); - real[PATH_MAX] = '\0'; + real[PATH_MAX-1] = '\0'; } if (!realpath(checkDest, checkReal)) { qemudLog(QEMUD_WARN, "Failed to expand path '%s' :%s", checkDest, strerror(errno)); strncpy(checkReal, checkDest, PATH_MAX); - checkReal[PATH_MAX] = '\0'; + checkReal[PATH_MAX-1] = '\0'; } /* compare */ -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|

Testing with valgrind found a number of memory leaks in all sorts of places in the drivers and virsh. When freeing a virConnect object, we don't clear any set virError object, potentially leaking the message strings. When removing IPtables rules we inexplicably strdup() one of the params to strcmp. We fail to free the TLS x509 certificate directory path when shutting down the QEMU driver When the remote driver gets an error back from the server for some reason it strdup()s the strings passed into the __virRaiseError function, and then fails to free them. When virsh shuts down it doesn't clear the global error variable, nor free its URI string, and sometimes fails to release the virConnectPtr object hash.c | 1 + iptables.c | 2 +- qemu_driver.c | 3 +++ remote_internal.c | 15 ++++----------- virsh.c | 15 +++++++++++---- 5 files changed, 20 insertions(+), 16 deletions(-) diff -r efdf8bc4ae07 src/hash.c --- a/src/hash.c Mon Nov 26 09:58:42 2007 -0500 +++ b/src/hash.c Mon Nov 26 10:20:17 2007 -0500 @@ -726,6 +726,7 @@ virFreeConnect(virConnectPtr conn) { virHashFree(conn->networks, (virHashDeallocator) virNetworkFreeName); if (conn->hashes_mux != NULL) xmlFreeMutex(conn->hashes_mux); + virResetError(&conn->err); free(conn); return(0); } diff -r efdf8bc4ae07 src/iptables.c --- a/src/iptables.c Mon Nov 26 09:58:42 2007 -0500 +++ b/src/iptables.c Mon Nov 26 10:20:17 2007 -0500 @@ -246,7 +246,7 @@ iptRulesRemove(iptRules *rules, int i; for (i = 0; i < rules->nrules; i++) - if (!strcmp(rules->rules[i].rule, strdup(rule))) + if (!strcmp(rules->rules[i].rule, rule)) break; if (i >= rules->nrules) diff -r efdf8bc4ae07 src/qemu_driver.c --- a/src/qemu_driver.c Mon Nov 26 09:58:42 2007 -0500 +++ b/src/qemu_driver.c Mon Nov 26 10:20:17 2007 -0500 @@ -338,6 +338,9 @@ qemudShutdown(void) { free(qemu_driver->networkConfigDir); if (qemu_driver->networkAutostartDir) free(qemu_driver->networkAutostartDir); + + if (qemu_driver->vncTLSx509certdir) + free(qemu_driver->vncTLSx509certdir); if (qemu_driver->brctl) brShutdown(qemu_driver->brctl); diff -r efdf8bc4ae07 src/remote_internal.c --- a/src/remote_internal.c Mon Nov 26 09:58:42 2007 -0500 +++ b/src/remote_internal.c Mon Nov 26 10:20:17 2007 -0500 @@ -3808,20 +3808,13 @@ server_error (virConnectPtr conn, remote dom = err->dom ? get_nonnull_domain (conn, *err->dom) : NULL; net = err->net ? get_nonnull_network (conn, *err->net) : NULL; - /* These strings are nullable. OK to ignore the return value - * of strdup since these strings are informational. - */ - char *str1 = err->str1 ? strdup (*err->str1) : NULL; - char *str2 = err->str2 ? strdup (*err->str2) : NULL; - char *str3 = err->str3 ? strdup (*err->str3) : NULL; - - char *message = err->message ? strdup (*err->message) : NULL; - __virRaiseError (conn, dom, net, err->domain, err->code, err->level, - str1, str2, str3, + err->str1 ? *err->str1 : NULL, + err->str2 ? *err->str2 : NULL, + err->str3 ? *err->str3 : NULL, err->int1, err->int2, - "%s", message); + "%s", err->message ? *err->message : NULL); } /* get_nonnull_domain and get_nonnull_network turn an on-wire diff -r efdf8bc4ae07 src/virsh.c --- a/src/virsh.c Mon Nov 26 09:58:42 2007 -0500 +++ b/src/virsh.c Mon Nov 26 10:20:17 2007 -0500 @@ -4779,7 +4779,8 @@ vshDeinit(vshControl * ctl) vshDeinit(vshControl * ctl) { vshCloseLogFile(ctl); - + if (ctl->name) + free(ctl->name); if (ctl->conn) { if (virConnectClose(ctl->conn) != 0) { ctl->conn = NULL; /* prevent recursive call from vshError() */ @@ -4787,6 +4788,8 @@ vshDeinit(vshControl * ctl) "failed to disconnect from the hypervisor"); } } + virResetLastError(); + return TRUE; } @@ -4984,11 +4987,15 @@ main(int argc, char **argv) ctl->name = strdup(defaultConn); } - if (!vshParseArgv(ctl, argc, argv)) + if (!vshParseArgv(ctl, argc, argv)) { + vshDeinit(ctl); exit(EXIT_FAILURE); - - if (!vshInit(ctl)) + } + + if (!vshInit(ctl)) { + vshDeinit(ctl); exit(EXIT_FAILURE); + } if (!ctl->imode) { ret = vshCommandRun(ctl, ctl->cmd); -- |=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=| |=- Perl modules: http://search.cpan.org/~danberr/ -=| |=- Projects: http://freshmeat.net/~danielpb/ -=| |=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|