From: Anthony Liguori
Date: Sat, 14 Feb 2009 16:14:07 -0600
Subject: Re: [Qemu-devel] PATCH: 6/7: Support simple ACL for client authorization
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Message-ID: <4997422F.5070107@codemonkey.ws>
In-Reply-To: <20090212150421.GV9894@redhat.com>
References: <20090212145302.GO9894@redhat.com> <20090212150421.GV9894@redhat.com>

Daniel P. Berrange wrote:
> This patch introduces a generic internal API for access control lists
> to be used by network servers in QEMU. It adds support for checking
> these ACLs in the VNC server, in two places. The first ACL is for the
> SASL authentication mechanism, checking the SASL username. This ACL
> is called 'vnc.username'. The second is for the TLS authentication
> mechanism, when x509 client certificates are turned on, checking against
> the Distinguished Name of the client. This ACL is called 'vnc.x509dname'
>
> The internal API provides for an ACL with the following characteristics
>
> - A unique name, eg vnc.username, and vnc.x509dname.
> - A default policy, allow or deny
> - An ordered series of match rules, with allow or deny policy
>
> If none of the match rules apply, then the default policy is
> used.
> > There is a monitor API to manipulate the ACLs, which I'll describe via > examples > > (qemu) acl show vnc.username > policy: allow > (qemu) acl policy vnc.username denya > acl: policy set to 'deny' > (qemu) acl allow vnc.username fred > acl: added rule at position 1 > (qemu) acl allow vnc.username bob > acl: added rule at position 2 > (qemu) acl allow vnc.username joe 1 > acl: added rule at position 1 > (qemu) acl show vnc.username > policy: deny > 0: allow fred > 1: allow joe > 2: allow bob > > (qemu) acl show vnc.x509dname > policy: allow > (qemu) acl policy vnc.x509dname deny > acl: policy set to 'deny' > (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=* > acl: added rule at position 1 > (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob > acl: added rule at position 2 > (qemu) acl show vnc.x509dname > policy: deny > 0: allow C=GB,O=ACME,L=London,CN=* > 1: allow C=GB,O=ACME,L=Boston,CN=bob > > At startup the ACLs currently default to an allow policy. The > next patch will provide a way to load a pre-defined ACL when > starting up > > > Signed-off-by: Daniel P. Berrange > > > Makefile | 6 +- > b/acl.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > b/acl.h | 68 ++++++++++++++++++++++++ > monitor.c | 80 ++++++++++++++++++++++++++++ > vnc-auth-sasl.c | 19 +++++- > vnc-auth-sasl.h | 4 + > vnc-tls.c | 19 ++++++ > vnc-tls.h | 3 + > vnc.c | 14 ++++ > 9 files changed, 363 insertions(+), 8 deletions(-) > > Daniel > > > diff -r efb50f6c8c69 Makefile > --- a/Makefile Thu Feb 12 12:33:38 2009 +0000 > +++ b/Makefile Thu Feb 12 12:48:43 2009 +0000 > @@ -144,7 +144,7 @@ endif > ifdef CONFIG_CURSES > OBJS+=curses.o > endif > -OBJS+=vnc.o d3des.o > +OBJS+=vnc.o acl.o d3des.o > ifdef CONFIG_VNC_TLS > OBJS+=vnc-tls.o vnc-auth-vencrypt.o > endif 
> @@ -174,9 +174,11 @@ sdl.o: sdl.c keymaps.h sdl_keysym.h > > sdl.o audio/sdlaudio.o: CFLAGS += $(SDL_CFLAGS) > > +acl.o: acl.h acl.c > + > vnc.h: vnc-tls.h vnc-auth-vencrypt.h vnc-auth-sasl.h keymaps.h > > -vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h > +vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h acl.h > > vnc.o: CFLAGS += $(CONFIG_VNC_TLS_CFLAGS) > > diff -r efb50f6c8c69 acl.c > --- /dev/null Thu Jan 01 00:00:00 1970 +0000 > +++ b/acl.c Thu Feb 12 12:48:43 2009 +0000 
> @@ -0,0 +1,158 @@ > +/* > + * QEMU access control list management > + * > + * Copyright (C) 2009 Red Hat, Inc > + * > + * Permission is hereby granted, free of charge, to any person obtaining a copy > + * of this software and associated documentation files (the "Software"), to deal > + * in the Software without restriction, including without limitation the rights > + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell > + * copies of the Software, and to permit persons to whom the Software is > + * furnished to do so, subject to the following conditions: > + * > + * The above copyright notice and this permission notice shall be included in > + * all copies or substantial portions of the Software. > + * > + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR > + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, > + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL > + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER > + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, > + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN > + * THE SOFTWARE. > + */ > + > + > +#include "qemu-common.h" > +#include "sysemu.h" > +#include "acl.h" > +#include > + > + > +static unsigned int nacls = 0; > +static ACL **acls = NULL; >

I'd prefer you make this a list (using sys-queue.h). An advantage would be that you could support removing rules in the monitor as that seems like an obvious feature.

BTW, there is a qemu_strdup and you don't have to check its results.

Regards,

Anthony Liguori
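
Review bot: in the second Makefile hunk only the "vnc.o:" line gains acl.h as a prerequisite, while the diffstat lists monitor.c, vnc-auth-sasl.c and vnc-tls.c as changed too. Any of those that include acl.h directly should carry it in their dependency lines as well (or acl.h should be added to the "vnc.h:" line if it is pulled in through vnc.h), otherwise a later change to the ACL structure can leave stale objects linked into the binary.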
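
Review bot: at the end of the acl.c hunk, "static unsigned int nacls = 0;" and "static ACL **acls = NULL;" carry redundant initializers, since objects with static storage duration are zero-initialized already; drop the "= 0" and "= NULL". The fourth "#include" in the same hunk has no header name in this copy, and the hunk header announces 158 added lines of which only these leading ones are present, so the registry code that uses the two variables cannot be checked from here.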
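
The rule evaluation laid out in the quoted description (an ordered series of rules, first match decides, default policy otherwise), as an added example that is not part of this thread or of QEMU's acl.c. All identifiers are hypothetical, and glob matching with fnmatch() and 1-based insert positions are assumptions; it also shows that a trailing CN=* is not field-aware and that rule order decides the outcome.

```c
/* Added illustration; not QEMU's acl.c. All identifiers are hypothetical. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

#define MAX_RULES 16
struct rule { int deny; const char *match; };
struct acl  { int default_deny; unsigned n; struct rule rules[MAX_RULES]; };

/* Insert at 1-based position pos (0 = append). Returns the position used,
 * or -1 when the table is full. */
static int acl_insert(struct acl *a, int deny, const char *match, unsigned pos)
{
    if (a->n >= MAX_RULES)
        return -1;
    if (pos == 0 || pos > a->n + 1)
        pos = a->n + 1;
    memmove(&a->rules[pos], &a->rules[pos - 1],
            (a->n - (pos - 1)) * sizeof(a->rules[0]));
    a->rules[pos - 1].deny = deny;
    a->rules[pos - 1].match = match;
    a->n++;
    return (int)pos;
}

/* The first matching rule decides; the default policy is used only when no
 * rule matches. Returns 1 for allow, 0 for deny. */
static int acl_allowed(const struct acl *a, const char *party)
{
    for (unsigned i = 0; i < a->n; i++)
        if (fnmatch(a->rules[i].match, party, 0) == 0)
            return !a->rules[i].deny;
    return !a->default_deny;
}

/* The vnc.x509dname rules from the description, default policy deny. */
static struct acl demo_acl(void)
{
    struct acl a = { .default_deny = 1 };
    acl_insert(&a, 0, "C=GB,O=ACME,L=London,CN=*", 0);
    acl_insert(&a, 0, "C=GB,O=ACME,L=Boston,CN=bob", 0);
    return a;
}

int main(void)
{
    struct acl a = demo_acl();
    const char *dn = "C=GB,O=ACME,L=London,CN=x,O=Other";  /* constructed */
    printf("%s -> %s\n", dn, acl_allowed(&a, dn) ? "allow" : "deny");
    return 0;
}
```

With plain glob matching the constructed DN above is allowed, because the * after CN= also swallows the appended ",O=Other"; a deny rule only takes effect against a broader allow rule when it is inserted ahead of it.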