From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1LXd74-0004YP-EN for qemu-devel@nongnu.org; Thu, 12 Feb 2009 10:04:26 -0500 Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1LXd73-0004Xn-58 for qemu-devel@nongnu.org; Thu, 12 Feb 2009 10:04:25 -0500 Received: from [199.232.76.173] (port=37787 helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1LXd72-0004Xf-Ci for qemu-devel@nongnu.org; Thu, 12 Feb 2009 10:04:24 -0500 Received: from mx1.redhat.com ([66.187.233.31]:33521) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1LXd71-0007Lr-75 for qemu-devel@nongnu.org; Thu, 12 Feb 2009 10:04:24 -0500 Received: from int-mx1.corp.redhat.com (int-mx1.corp.redhat.com [172.16.52.254]) by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id n1CF4MEQ026079 for ; Thu, 12 Feb 2009 10:04:22 -0500 Received: from file.fab.redhat.com (file.fab.redhat.com [10.33.63.6]) by int-mx1.corp.redhat.com (8.13.1/8.13.1) with ESMTP id n1CF4NaU025459 for ; Thu, 12 Feb 2009 10:04:24 -0500 Received: from file.fab.redhat.com (localhost.localdomain [127.0.0.1]) by file.fab.redhat.com (8.13.1/8.13.1) with ESMTP id n1CF4LRL029668 for ; Thu, 12 Feb 2009 15:04:21 GMT Received: (from berrange@localhost) by file.fab.redhat.com (8.13.1/8.13.1/Submit) id n1CF4Ln3029664 for qemu-devel@nongnu.org; Thu, 12 Feb 2009 15:04:21 GMT Date: Thu, 12 Feb 2009 15:04:21 +0000 From: "Daniel P. Berrange" Subject: Re: [Qemu-devel] PATCH: 6/7: Support simple ACL for client authorization Message-ID: <20090212150421.GV9894@redhat.com> References: <20090212145302.GO9894@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20090212145302.GO9894@redhat.com> Reply-To: "Daniel P. Berrange" , qemu-devel@nongnu.org List-Id: qemu-devel.nongnu.org List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: qemu-devel@nongnu.org This patch introduces a generic internal API for access control lists to be used by network servers in QEMU. It adds support for checking these ACL in the VNC server, in two places. The first ACL is for the SASL authentication mechanism, checking the SASL username. This ACL is called 'vnc.username'. The second is for the TLS authentication mechanism, when x509 client certificates are turned on, checking against the Distinguished Name of the client. This ACL is called 'vnc.x509dname' The internal API provides for an ACL with the following characteristics - A unique name, eg vnc.username, and vnc.x509dname. - A default policy, allow or deny - An ordered series of match rules, with allow or deny policy If none of the match rules apply, then the default policy is used. There is a monitor API to manipulate the ACLs, which I'll describe via examples (qemu) acl show vnc.username policy: allow (qemu) acl policy vnc.username denya acl: policy set to 'deny' (qemu) acl allow vnc.username fred acl: added rule at position 1 (qemu) acl allow vnc.username bob acl: added rule at position 2 (qemu) acl allow vnc.username joe 1 acl: added rule at position 1 (qemu) acl show vnc.username policy: deny 0: allow fred 1: allow joe 2: allow bob (qemu) acl show vnc.x509dname policy: allow (qemu) acl policy vnc.x509dname deny acl: policy set to 'deny' (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=* acl: added rule at position 1 (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob acl: added rule at position 2 (qemu) acl show vnc.x509dname policy: deny 0: allow C=GB,O=ACME,L=London,CN=* 1: allow C=GB,O=ACME,L=Boston,CN=bob At startup the ACLs currently default to an allow policy. The next patch will provide a way to load a pre-defined ACL when starting up Signed-off-by: Daniel P. Berrange Makefile | 6 +- b/acl.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ b/acl.h | 68 ++++++++++++++++++++++++ monitor.c | 80 ++++++++++++++++++++++++++++ vnc-auth-sasl.c | 19 +++++- vnc-auth-sasl.h | 4 + vnc-tls.c | 19 ++++++ vnc-tls.h | 3 + vnc.c | 14 ++++ 9 files changed, 363 insertions(+), 8 deletions(-) Daniel diff -r efb50f6c8c69 Makefile --- a/Makefile Thu Feb 12 12:33:38 2009 +0000 +++ b/Makefile Thu Feb 12 12:48:43 2009 +0000 @@ -144,7 +144,7 @@ endif ifdef CONFIG_CURSES OBJS+=curses.o endif -OBJS+=vnc.o d3des.o +OBJS+=vnc.o acl.o d3des.o ifdef CONFIG_VNC_TLS OBJS+=vnc-tls.o vnc-auth-vencrypt.o endif @@ -174,9 +174,11 @@ sdl.o: sdl.c keymaps.h sdl_keysym.h sdl.o audio/sdlaudio.o: CFLAGS += $(SDL_CFLAGS) +acl.o: acl.h acl.c + vnc.h: vnc-tls.h vnc-auth-vencrypt.h vnc-auth-sasl.h keymaps.h -vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h +vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h acl.h vnc.o: CFLAGS += $(CONFIG_VNC_TLS_CFLAGS) diff -r efb50f6c8c69 acl.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/acl.c Thu Feb 12 12:48:43 2009 +0000 @@ -0,0 +1,158 @@ +/* + * QEMU access control list management + * + * Copyright (C) 2009 Red Hat, Inc + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + + +#include "qemu-common.h" +#include "sysemu.h" +#include "acl.h" +#include + + +static unsigned int nacls = 0; +static ACL **acls = NULL; + + + +ACL *qemu_acl_find(const char *aclname) +{ + int i; + for (i = 0 ; i < nacls ; i++) { + if (strcmp(acls[i]->aclname, aclname) == 0) + return acls[i]; + } + + return NULL; +} + +ACL *qemu_acl_init(const char *aclname) +{ + ACL *acl; + char *name; + + acl = qemu_acl_find(aclname); + if (acl) + return acl; + + name = strdup(aclname); + if (!name) + return NULL; + + acl = qemu_malloc(sizeof(*acl)); + acl->aclname = name; + acl->defaultDeny = 0; + acl->nentries = 0; + acl->entries = NULL; + + acls = qemu_realloc(acls, sizeof(*acls) * (nacls +1)); + acls[nacls] = acl; + nacls++; + + return acl; +} + +int qemu_acl_party_is_allowed(ACL *acl, + const char *party) +{ + int i; + + for (i = 0 ; i < acl->nentries ; i++) { + if (fnmatch(acl->entries[i].match, party, 0) == 0) + return acl->entries[i].deny ? 0 : 1; + } + + return acl->defaultDeny ? 0 : 1; +} + + +void qemu_acl_reset(ACL *acl) +{ + int i; + + for (i = 0 ; i < acl->nentries ; i++) { + free(acl->entries[i].match); + } + free(acl->entries); + acl->entries = NULL; + acl->nentries = 0; +} + + +int qemu_acl_append(ACL *acl, + int deny, + const char *match) +{ + char *m = strdup(match); + if (!m) + return -1; + + acl->entries = qemu_realloc(acl->entries, + sizeof(acl->entries[0]) * + (acl->nentries + 1)); + acl->entries[acl->nentries].match = m; + acl->entries[acl->nentries].deny = deny; + acl->nentries++; + + return acl->nentries; +} + + +int qemu_acl_insert(ACL *acl, + int deny, + const char *match, + int index) +{ + char *m; + + if (index < 0) + return -1; + if (index >= acl->nentries) + return qemu_acl_append(acl, deny, match); + + m = strdup(match); + if (!m) + return -1; + + acl->entries = qemu_realloc(acl->entries, + sizeof(acl->entries[0]) * + (acl->nentries + 1)); + + memmove(acl->entries + index + 1, + acl->entries + index, + sizeof(acl->entries[0]) * (acl->nentries - index)); + + acl->entries[index].match = m; + acl->entries[index].deny = deny; + acl->nentries++; + + return index; +} + + +/* + * Local variables: + * c-indent-level: 4 + * c-basic-offset: 4 + * tab-width: 8 + * End: + */ diff -r efb50f6c8c69 acl.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/acl.h Thu Feb 12 12:48:43 2009 +0000 @@ -0,0 +1,68 @@ +/* + * QEMU access control list management + * + * Copyright (C) 2009 Red Hat, Inc + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN + * THE SOFTWARE. + */ + +#ifndef __QEMU_ACL_H__ +#define __QEMU_ACL_H__ + +typedef struct ACLEntry ACLEntry; +typedef struct ACL ACL; + +struct ACLEntry { + char *match; + int deny; +}; + +struct ACL { + char *aclname; + unsigned int nentries; + ACLEntry *entries; + int defaultDeny; +}; + +ACL *qemu_acl_init(const char *aclname); + +ACL *qemu_acl_find(const char *aclname); + +int qemu_acl_party_is_allowed(ACL *acl, + const char *party); + +void qemu_acl_reset(ACL *acl); + +int qemu_acl_append(ACL *acl, + int deny, + const char *match); +int qemu_acl_insert(ACL *acl, + int deny, + const char *match, + int index); + +#endif /* __QEMU_ACL_H__ */ + +/* + * Local variables: + * c-indent-level: 4 + * c-basic-offset: 4 + * tab-width: 8 + * End: + */ diff -r efb50f6c8c69 monitor.c --- a/monitor.c Thu Feb 12 12:33:38 2009 +0000 +++ b/monitor.c Thu Feb 12 12:48:43 2009 +0000 @@ -39,6 +39,7 @@ #include "qemu-timer.h" #include "migration.h" #include "kvm.h" +#include "acl.h" //#define DEBUG //#define DEBUG_COMPLETION @@ -1425,6 +1426,70 @@ static void do_info_balloon(void) term_printf("balloon: actual=%d\n", (int)(actual >> 20)); } +static void do_acl(const char *command, + const char *aclname, + const char *match, + int has_index, + int index) +{ + ACL *acl; + + acl = qemu_acl_find(aclname); + if (!acl) { + term_printf("acl: unknown list '%s'\n", aclname); + return; + } + + if (strcmp(command, "show") == 0) { + int i; + term_printf("policy: %s\n", + acl->defaultDeny ? "deny" : "allow"); + for (i = 0 ; i < acl->nentries ; i++) { + term_printf("%d: %s %s\n", i, + acl->entries[i].deny ? "deny" : "allow", + acl->entries[i].match); + } + } else if (strcmp(command, "reset") == 0) { + qemu_acl_reset(acl); + term_printf("acl: removed all rules\n"); + } else if (strcmp(command, "policy") == 0) { + if (!match) { + term_printf("acl: missing policy parameter\n"); + return; + } + + if (strcmp(match, "allow") == 0) { + acl->defaultDeny = 0; + term_printf("acl: policy set to 'allow'\n"); + } else if (strcmp(match, "deny") == 0) { + acl->defaultDeny = 1; + term_printf("acl: policy set to 'deny'\n"); + } else { + term_printf("acl: unknown policy '%s', expected 'deny' or 'allow'\n", match); + } + } else if ((strcmp(command, "allow") == 0) || + (strcmp(command, "deny") == 0)) { + int deny = strcmp(command, "deny") == 0 ? 1 : 0; + int ret; + + if (!match) { + term_printf("acl: missing match parameter\n"); + return; + } + + if (has_index) + ret = qemu_acl_insert(acl, deny, match, index); + else + ret = qemu_acl_append(acl, deny, match); + if (ret < 0) + term_printf("acl: unable to add acl entry\n"); + else + term_printf("acl: added rule at position %d\n", ret); + } else { + term_printf("acl: unknown command '%s'\n", command); + } +} + /* Please update qemu-doc.texi when adding or changing commands */ static const term_cmd_t term_cmds[] = { { "help|?", "s?", do_help, @@ -1529,6 +1594,12 @@ static const term_cmd_t term_cmds[] = { "target", "request VM to change it's memory allocation (in MB)" }, { "set_link", "ss", do_set_link, "name [up|down]", "change the link status of a network adapter" }, + { "acl", "sss?i?", do_acl, " [] []\n", + "acl show vnc.username\n" + "acl policy vnc.username deny\n" + "acl allow vnc.username fred\n" + "acl deny vnc.username bob\n" + "acl reset vnc.username\n" }, { NULL, NULL, }, }; @@ -2891,3 +2962,12 @@ void monitor_readline(const char *prompt monitor_hd[i]->focus = old_focus[i]; } } + + +/* + * Local variables: + * c-indent-level: 4 + * c-basic-offset: 4 + * tab-width: 8 + * End: + */ diff -r efb50f6c8c69 vnc-auth-sasl.c --- a/vnc-auth-sasl.c Thu Feb 12 12:33:38 2009 +0000 +++ b/vnc-auth-sasl.c Thu Feb 12 12:48:43 2009 +0000 @@ -120,26 +120,37 @@ static int vnc_auth_sasl_check_access(Vn { const void *val; int err; + int allow; err = sasl_getprop(vs->sasl.conn, SASL_USERNAME, &val); if (err != SASL_OK) { - VNC_DEBUG("cannot query SASL username on connection %d (%s)\n", + VNC_DEBUG("cannot query SASL username on connection %d (%s), denying access\n", err, sasl_errstring(err, NULL, NULL)); return -1; } if (val == NULL) { - VNC_DEBUG("no client username was found\n"); + VNC_DEBUG("no client username was found, denying access\n"); return -1; } VNC_DEBUG("SASL client username %s\n", (const char *)val); vs->sasl.username = strdup((const char*)val); if (vs->sasl.username == NULL) { - VNC_DEBUG("out of memory copying username\n"); + VNC_DEBUG("out of memory copying username, denying access\n"); return -1; } - return 0; + if (vs->sasl.acl == NULL) { + VNC_DEBUG("unexpectedly missing ACL, denying access\n"); + return -1; + } + + allow = qemu_acl_party_is_allowed(vs->sasl.acl, vs->sasl.username); + + VNC_DEBUG("SASL client %s %s by ACL\n", + vs->sasl.username, + allow ? "allowed" : "denied"); + return allow ? 0 : -1; } static int vnc_auth_sasl_check_ssf(VncState *vs) diff -r efb50f6c8c69 vnc-auth-sasl.h --- a/vnc-auth-sasl.h Thu Feb 12 12:33:38 2009 +0000 +++ b/vnc-auth-sasl.h Thu Feb 12 12:48:43 2009 +0000 @@ -29,6 +29,8 @@ #include +#include "acl.h" + struct VncStateSASL { sasl_conn_t *conn; /* If we want to negotiate an SSF layer with client */ @@ -52,6 +54,8 @@ struct VncStateSASL { unsigned int encodedOffset; char *username; char *mechlist; + + ACL *acl; }; void vnc_sasl_client_cleanup(VncState *vs); diff -r efb50f6c8c69 vnc-tls.c --- a/vnc-tls.c Thu Feb 12 12:33:38 2009 +0000 +++ b/vnc-tls.c Thu Feb 12 12:48:43 2009 +0000 @@ -255,6 +255,25 @@ int vnc_tls_validate_certificate(struct gnutls_strerror (ret)); return -1; } + + if (vs->tls.x509verify) { + int allow; + if (!vs->tls.acl) { + VNC_DEBUG("unexpected missing acl, denying client\n"); + gnutls_x509_crt_deinit (cert); + return -1; + } + + allow = qemu_acl_party_is_allowed(vs->tls.acl, + vs->tls.dname); + + VNC_DEBUG("TLS x509 ACL check for %s is %s\n", + vs->tls.dname, allow ? "allowed" : "denied"); + if (!allow) { + gnutls_x509_crt_deinit (cert); + return -1; + } + } } gnutls_x509_crt_deinit (cert); diff -r efb50f6c8c69 vnc-tls.h --- a/vnc-tls.h Thu Feb 12 12:33:38 2009 +0000 +++ b/vnc-tls.h Thu Feb 12 12:48:43 2009 +0000 @@ -31,6 +31,8 @@ #include #include +#include "acl.h" + enum { VNC_WIREMODE_CLEAR, VNC_WIREMODE_TLS, @@ -38,6 +40,7 @@ enum { struct VncStateTLS { int x509verify; /* Non-zero if server requests & validates client cert */ + ACL *acl; /* Paths to x509 certs/keys */ char *x509cacert; diff -r efb50f6c8c69 vnc.c --- a/vnc.c Thu Feb 12 12:33:38 2009 +0000 +++ b/vnc.c Thu Feb 12 12:48:43 2009 +0000 @@ -29,6 +29,7 @@ #include "sysemu.h" #include "qemu_socket.h" #include "qemu-timer.h" +#include "acl.h" #define VNC_REFRESH_INTERVAL (1000 / 30) @@ -2072,6 +2073,10 @@ int vnc_display_open(DisplayState *ds, c #ifdef CONFIG_VNC_SASL } else if (strncmp(options, "sasl", 4) == 0) { sasl = 1; /* Require SASL auth */ + if (!(vs->sasl.acl = qemu_acl_init("vnc.username"))) { + fprintf(stderr, "Failed to create username ACL\n"); + exit(1); + } #endif #ifdef CONFIG_VNC_TLS } else if (strncmp(options, "tls", 3) == 0) { @@ -2079,8 +2084,13 @@ int vnc_display_open(DisplayState *ds, c } else if (strncmp(options, "x509", 4) == 0) { char *start, *end; x509 = 1; /* Require x509 certificates */ - if (strncmp(options, "x509verify", 10) == 0) - vs->tls.x509verify = 1; /* ...and verify client certs */ + if (strncmp(options, "x509verify", 10) == 0) { + vs->tls.x509verify = 1; /* ...and verify client certs */ + if (!(vs->tls.acl = qemu_acl_init("vnc.x509dname"))) { + fprintf(stderr, "Failed to create x509 dname ACL\n"); + exit(1); + } + } /* Now check for 'x509=/some/path' postfix * and use that to setup x509 certificate/key paths */ -- |: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :| |: http://libvirt.org -o- http://virt-manager.org -o- http://ovirt.org :| |: http://autobuild.org -o- http://search.cpan.org/~danberr/ :| |: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|