From: Anthony Liguori <anthony@codemonkey.ws>
To: "Daniel P. Berrange" <berrange@redhat.com>, qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 6/7: Support simple ACL for client authorization
Date: Sat, 14 Feb 2009 16:14:07 -0600
Message-ID: <4997422F.5070107@codemonkey.ws>
In-Reply-To: <20090212150421.GV9894@redhat.com>
Daniel P. Berrange wrote:
> This patch introduces a generic internal API for access control lists
> to be used by network servers in QEMU. It adds support for checking
> these ACL in the VNC server, in two places. The first ACL is for the
> SASL authentication mechanism, checking the SASL username. This ACL
> is called 'vnc.username'. The second is for the TLS authentication
> mechanism, when x509 client certificates are turned on, checking against
> the Distinguished Name of the client. This ACL is called 'vnc.x509dname'.
>
> The internal API provides for an ACL with the following characteristics:
>
> - A unique name, eg vnc.username, and vnc.x509dname.
> - A default policy, allow or deny
> - An ordered series of match rules, with allow or deny policy
>
> If none of the match rules apply, then the default policy is
> used.
>
> There is a monitor API to manipulate the ACLs, which I'll describe via
> examples:
>
> (qemu) acl show vnc.username
> policy: allow
> (qemu) acl policy vnc.username deny
> acl: policy set to 'deny'
> (qemu) acl allow vnc.username fred
> acl: added rule at position 1
> (qemu) acl allow vnc.username bob
> acl: added rule at position 2
> (qemu) acl allow vnc.username joe 1
> acl: added rule at position 1
> (qemu) acl show vnc.username
> policy: deny
> 0: allow fred
> 1: allow joe
> 2: allow bob
>
> (qemu) acl show vnc.x509dname
> policy: allow
> (qemu) acl policy vnc.x509dname deny
> acl: policy set to 'deny'
> (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=*
> acl: added rule at position 1
> (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob
> acl: added rule at position 2
> (qemu) acl show vnc.x509dname
> policy: deny
> 0: allow C=GB,O=ACME,L=London,CN=*
> 1: allow C=GB,O=ACME,L=Boston,CN=bob
>
> At startup the ACLs currently default to an allow policy. The
> next patch will provide a way to load a pre-defined ACL when
> starting up.
>
>
> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
>
>
> Makefile | 6 +-
> b/acl.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
> b/acl.h | 68 ++++++++++++++++++++++++
> monitor.c | 80 ++++++++++++++++++++++++++++
> vnc-auth-sasl.c | 19 +++++-
> vnc-auth-sasl.h | 4 +
> vnc-tls.c | 19 ++++++
> vnc-tls.h | 3 +
> vnc.c | 14 ++++
> 9 files changed, 363 insertions(+), 8 deletions(-)
>
> Daniel
>
>
> diff -r efb50f6c8c69 Makefile
> --- a/Makefile Thu Feb 12 12:33:38 2009 +0000
> +++ b/Makefile Thu Feb 12 12:48:43 2009 +0000
> @@ -144,7 +144,7 @@ endif
> ifdef CONFIG_CURSES
> OBJS+=curses.o
> endif
> -OBJS+=vnc.o d3des.o
> +OBJS+=vnc.o acl.o d3des.o
> ifdef CONFIG_VNC_TLS
> OBJS+=vnc-tls.o vnc-auth-vencrypt.o
> endif
> @@ -174,9 +174,11 @@ sdl.o: sdl.c keymaps.h sdl_keysym.h
>
> sdl.o audio/sdlaudio.o: CFLAGS += $(SDL_CFLAGS)
>
> +acl.o: acl.h acl.c
> +
> vnc.h: vnc-tls.h vnc-auth-vencrypt.h vnc-auth-sasl.h keymaps.h
>
> -vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h
> +vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h acl.h
>
> vnc.o: CFLAGS += $(CONFIG_VNC_TLS_CFLAGS)
>
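Review bot: the dependency update in this hunk is incomplete. Only the `vnc.o:` rule gains `acl.h`, yet the diffstat shows monitor.c, vnc-auth-sasl.c and vnc-tls.c changing in this same patch (they are the callers the cover text describes), so a later edit to acl.h will not trigger a rebuild of monitor.o, vnc-auth-sasl.o or vnc-tls.o. Add acl.h to those rules as well, or to a header rule they already depend on (for example the `vnc.h:` line directly above already lists vnc-tls.h and vnc-auth-sasl.h).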
> diff -r efb50f6c8c69 acl.c
> --- /dev/null Thu Jan 01 00:00:00 1970 +0000
> +++ b/acl.c Thu Feb 12 12:48:43 2009 +0000
> @@ -0,0 +1,158 @@
> +/*
> + * QEMU access control list management
> + *
> + * Copyright (C) 2009 Red Hat, Inc
> + *
> + * Permission is hereby granted, free of charge, to any person obtaining a copy
> + * of this software and associated documentation files (the "Software"), to deal
> + * in the Software without restriction, including without limitation the rights
> + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> + * copies of the Software, and to permit persons to whom the Software is
> + * furnished to do so, subject to the following conditions:
> + *
> + * The above copyright notice and this permission notice shall be included in
> + * all copies or substantial portions of the Software.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
> + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
> + * THE SOFTWARE.
> + */
> +
> +
> +#include "qemu-common.h"
> +#include "sysemu.h"
> +#include "acl.h"
> +#include <fnmatch.h>
> +
> +
> +static unsigned int nacls = 0;
> +static ACL **acls = NULL;
>
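Review bot: `#include <fnmatch.h>` is unconditional here, and the Makefile hunk above adds acl.o to every build, so this will not compile on hosts without a POSIX fnmatch (QEMU's mingw/win32 build). Either guard the include behind a configure check with a plain string-compare fallback, or make acl.o conditional on the features that use it. One semantic caveat also deserves a comment in acl.h: fnmatch's `*` is not confined to a single DN component, so a rule such as `C=GB,O=ACME,L=London,CN=*` from the description also matches a subject that carries further components after CN, because the match is over the whole DN string.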
I'd prefer you make this a list (using sys-queue.h). An advantage would
be that you could support removing rules in the monitor as that seems
like an obvious feature.
BTW, there is a qemu_strdup and you don't have to check it's results.
Regards,
Anthony Liguori
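The ACL semantics described in the patch (a default policy, ordered allow/deny rules, first match wins) as an added, self-contained example that is not QEMU's acl.c or code from this thread. It keeps the rules in a linked list so that removal, as requested in the review, is cheap; fnmatch() wildcard matching is an assumption based on the include in the quoted hunk, and positions are 0-based throughout.

```c
#include <fnmatch.h>
#include <stdlib.h>
#include <string.h>
/* Rules in a linked list: insertion at a position and removal stay simple. */
struct acl_rule { char *pattern; int allow; struct acl_rule *next; };
struct acl { int default_allow; struct acl_rule *rules; };
/* Insert at 0-based position pos; a position past the end appends. */
void acl_insert(struct acl *a, const char *pattern, int allow, unsigned pos)
{
    struct acl_rule *r = calloc(1, sizeof *r), **p = &a->rules;
    r->pattern = strcpy(malloc(strlen(pattern) + 1), pattern);
    r->allow = allow;
    while (*p && pos--) p = &(*p)->next;
    r->next = *p;
    *p = r;
}
/* Remove the rule at 0-based position pos; returns 1 if one was removed. */
int acl_remove(struct acl *a, unsigned pos)
{
    struct acl_rule **p = &a->rules;
    while (*p && pos--) p = &(*p)->next;
    if (!*p) return 0;
    struct acl_rule *dead = *p; *p = dead->next;
    free(dead->pattern); free(dead);
    return 1;
}
/* First matching rule decides; otherwise the default policy applies.
 * fnmatch() is an assumption; note that '*' also matches across ',' in a DN. */
int acl_check(const struct acl *a, const char *subject)
{
    for (const struct acl_rule *r = a->rules; r; r = r->next)
        if (fnmatch(r->pattern, subject, 0) == 0) return r->allow;
    return a->default_allow;
}
/* Rebuild the two ACLs from the patch description (policy deny) and check
 * one subject against the one named; constructed sample values. */
int demo_allowed(const char *acl_name, const char *subject)
{
    struct acl a = { 0, NULL };
    if (strcmp(acl_name, "vnc.username") == 0) {
        acl_insert(&a, "fred", 1, 0);
        acl_insert(&a, "bob", 1, 1);
        acl_insert(&a, "joe", 1, 1);      /* order becomes fred, joe, bob */
    } else {                               /* vnc.x509dname */
        acl_insert(&a, "C=GB,O=ACME,L=London,CN=*", 1, 0);
        acl_insert(&a, "C=GB,O=ACME,L=Boston,CN=bob", 1, 1);
    }
    int ok = acl_check(&a, subject);
    while (acl_remove(&a, 0)) ;           /* free every rule */
    return ok;
}
```

The last assertion pattern worth trying is a DN with extra components after CN: with fnmatch the London wildcard rule still matches it, which is the caveat to keep in mind when writing x509dname rules.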