From: Anthony Liguori
To: "Daniel P. Berrange", qemu-devel@nongnu.org
Subject: Re: [Qemu-devel] PATCH: 8/9: Support ACLs for controlling VNC access
Date: Thu, 26 Feb 2009 16:05:18 -0600
Message-ID: <49A7121E.9030901@us.ibm.com>
In-Reply-To: <20090226115730.GN22494@redhat.com>
References: <20090226113933.GA29854@redhat.com> <20090226115730.GN22494@redhat.com>
List-Id: qemu-devel.nongnu.org
Daniel P. Berrange wrote:
> This patch introduces a generic internal API for access control lists
> to be used by network servers in QEMU. It adds support for checking
> these ACL in the VNC server, in two places. The first ACL is for the
> SASL authentication mechanism, checking the SASL username. This ACL
> is called 'vnc.username'. The second is for the TLS authentication
> mechanism, when x509 client certificates are turned on, checking against
> the Distinguished Name of the client. This ACL is called 'vnc.x509dname'
>
> The internal API provides for an ACL with the following characteristics
>
>  - A unique name, eg vnc.username, and vnc.x509dname.
>  - A default policy, allow or deny
>  - An ordered series of match rules, with allow or deny policy
>
> If none of the match rules apply, then the default policy is
> used.
>
> There is a monitor API to manipulate the ACLs, which I'll describe via
> examples
>
>   (qemu) acl show vnc.username
>   policy: allow
>   (qemu) acl policy vnc.username deny
>   acl: policy set to 'deny'
>   (qemu) acl allow vnc.username fred
>   acl: added rule at position 1
>   (qemu) acl allow vnc.username bob
>   acl: added rule at position 2
>   (qemu) acl allow vnc.username joe 1
>   acl: added rule at position 1
>   (qemu) acl show vnc.username
>   policy: deny
>   0: allow fred
>   1: allow joe
>   2: allow bob
>
>
>   (qemu) acl show vnc.x509dname
>   policy: allow
>   (qemu) acl policy vnc.x509dname deny
>   acl: policy set to 'deny'
>   (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=*
>   acl: added rule at position 1
>   (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob
>   acl: added rule at position 2
>   (qemu) acl show vnc.x509dname
>   policy: deny
>   0: allow C=GB,O=ACME,L=London,CN=*
>   1: allow C=GB,O=ACME,L=Boston,CN=bob
>
> At startup the ACLs currently default to an allow policy.
> The next patch will provide a way to load a pre-defined ACL when
> starting up
>
>
>  Makefile        |    6 +-
>  b/acl.c         |  168 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
>  b/acl.h         |   74 ++++++++++++++++++++++++
>  monitor.c       |   95 +++++++++++++++++++++++++++++++
>  vnc-auth-sasl.c |   16 ++++-
>  vnc-auth-sasl.h |    7 ++
>  vnc-tls.c       |   19 ++++++
>  vnc-tls.h       |    3 +
>  vnc.c           |   14 ++++
>  vnc.h           |    3 +
>  10 files changed, 398 insertions(+), 7 deletions(-)
>
> Signed-off-by: Daniel P. Berrange
>

This breaks the build on win32. Attached are the build log and config
info.

Regards,

Anthony Liguori

Attachment: config-host.mak

# Automatically generated by configure - do not modify
# Configured with: '/home/anthony/git/qemu/configure' '--cross-prefix=i686-pc-mingw32-' '--target-list=x86_64-softmmu'
prefix=c:\\Program Files\\Qemu
bindir=${prefix}
mandir=${prefix}
datadir=${prefix}
docdir=${prefix}
MAKE=make
INSTALL=install
CC=i686-pc-mingw32-gcc
HOST_CC=gcc
AR=i686-pc-mingw32-ar
STRIP=i686-pc-mingw32-strip -s -R .comment -R .note
OS_CFLAGS=
OS_LDFLAGS=
ARCH_CFLAGS=-m32
ARCH_LDFLAGS=-m32
CFLAGS= -O2 -g -fno-strict-aliasing -Wall -Wundef -Wendif-labels -Wwrite-strings -Wmissing-prototypes -Wstrict-prototypes -Wredundant-decls
LDFLAGS= -g -Wl,--warn-common
EXESUF=.exe
AIOLIBS=
ARCH=i386
CONFIG_WIN32=yes
CONFIG_GDBSTUB=yes
CONFIG_SLIRP=yes
CONFIG_AC97=yes
CONFIG_ES1370=yes
CONFIG_SB16=yes
CONFIG_VNC_TLS=yes
CONFIG_VNC_TLS_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include
CONFIG_VNC_TLS_LIBS=-L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls
VERSION=0.9.1
SRC_PATH=/home/anthony/git/qemu
VPATH=/home/anthony/git/qemu
TARGET_DIRS=x86_64-softmmu
CONFIG_SDL=yes
SDL_LIBS=-lmingw32 -lSDLmain -lSDL -mwindows
SDL_CFLAGS=-I/usr/i686-pc-mingw32/sys-root/mingw/include/SDL -D_GNU_SOURCE=1 -Dmain=SDL_main
INSTALL_BLOBS=yes
HOST_USB=stub
TOOLS=qemu-img$(EXESUF)

Attachment: config-log

Install prefix    c:\\Program Files\\Qemu
BIOS directory    c:\\Program Files\\Qemu
binary directory  c:\\Program Files\\Qemu
Source path       /home/anthony/git/qemu
C compiler        i686-pc-mingw32-gcc
Host C compiler   gcc
ARCH_CFLAGS       -m32
make              make
install           install
host CPU          i386
host big endian   no
target list       x86_64-softmmu
gprof enabled     no
sparse enabled    no
profiler          no
static build      no
-Werror enabled   no
SDL support       yes
SDL static link   yes
curses support    no
mingw32 support   yes
Audio drivers
Extra audio cards ac97 es1370 sb16
Mixer emulation   no
VNC TLS support   yes
    TLS CFLAGS    -I/usr/i686-pc-mingw32/sys-root/mingw/include
    TLS LIBS      -L/usr/i686-pc-mingw32/sys-root/mingw/lib -lgnutls
VNC SASL support  no
kqemu support     yes
brlapi support    no
Documentation     no
NPTL support      no
vde support       no
AIO support       no
Install blobs     yes
KVM support       no - (linux/kvm.h: No such file or directory, #error Invalid KVM version, #error Missing KVM capability KVM_CAP_USER_MEMORY, #error Missing KVM capability KVM_CAP_SET_TSS_ADDR, #error Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)
fdt support       no
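The ACL model laid out in Daniel's quoted description (a named list, a default policy, an ordered series of allow/deny match rules, default applied when nothing matches) in working form. This is an added example written for this page, not code from QEMU's acl.c or from the patch under discussion. It assumes first-match-wins evaluation down the ordered list, fnmatch(3) glob matching for patterns such as CN=*, and 0-based rule positions as shown by "acl show"; the type and function names are mine, and the extra deny rule for CN=mallory and the DN strings are constructed for the demo.

```c
/* Ordered ACL in the shape described above: a named list with a default
 * policy and ordered allow/deny rules where the first match wins.
 * Illustrative code, not QEMU's acl.c; fnmatch(3) globbing is assumed. */
#define _POSIX_C_SOURCE 200809L
#include <fnmatch.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct AclRule {
    int allow;              /* 1 = allow, 0 = deny */
    char *match;            /* fnmatch(3) glob, e.g. "C=GB,O=ACME,L=London,CN=*" */
    struct AclRule *next;
} AclRule;

typedef struct Acl {
    const char *name;       /* "vnc.username" or "vnc.x509dname" */
    int default_allow;      /* policy applied when no rule matches */
    AclRule *rules;         /* ordered; index 0 is consulted first */
    int nrules;
} Acl;

Acl *acl_new(const char *name)
{
    Acl *acl = calloc(1, sizeof(*acl));
    acl->name = name;
    acl->default_allow = 1; /* ACLs start out with an allow policy */
    return acl;
}

/* Insert at 0-based pos; pos < 0 or past the end appends.  Returns the index. */
int acl_insert(Acl *acl, int allow, const char *match, int pos)
{
    AclRule *r = calloc(1, sizeof(*r)), **pp = &acl->rules;
    r->allow = allow;
    r->match = strdup(match);
    if (pos < 0 || pos > acl->nrules)
        pos = acl->nrules;
    for (int i = 0; i < pos; i++)
        pp = &(*pp)->next;
    r->next = *pp;
    *pp = r;
    acl->nrules++;
    return pos;
}

/* First matching rule decides, else the default policy.  Order matters:
 * a deny placed before a wildcard allow carves an exception out of it. */
int acl_check(const Acl *acl, const char *party)
{
    for (const AclRule *r = acl->rules; r; r = r->next)
        if (fnmatch(r->match, party, 0) == 0)
            return r->allow;
    return acl->default_allow;
}

/* Same layout as the "acl show" output quoted above. */
void acl_show(const Acl *acl)
{
    int i = 0;
    printf("policy: %s\n", acl->default_allow ? "allow" : "deny");
    for (const AclRule *r = acl->rules; r; r = r->next, i++)
        printf("%d: %s %s\n", i, r->allow ? "allow" : "deny", r->match);
}

/* The vnc.username session quoted above: deny by default, allow fred and
 * bob, then insert joe at position 1 so the order is fred, joe, bob. */
Acl *build_username_acl(void)
{
    Acl *acl = acl_new("vnc.username");
    acl->default_allow = 0;         /* acl policy vnc.username deny */
    acl_insert(acl, 1, "fred", -1);
    acl_insert(acl, 1, "bob", -1);
    acl_insert(acl, 1, "joe", 1);
    return acl;
}

/* The vnc.x509dname session plus a deny inserted at position 0, so the
 * L=London wildcard does not admit CN=mallory.  DNs are constructed. */
Acl *build_dname_acl(void)
{
    Acl *acl = acl_new("vnc.x509dname");
    acl->default_allow = 0;
    acl_insert(acl, 1, "C=GB,O=ACME,L=London,CN=*", -1);
    acl_insert(acl, 1, "C=GB,O=ACME,L=Boston,CN=bob", -1);
    acl_insert(acl, 0, "C=GB,O=ACME,L=London,CN=mallory", 0);
    return acl;
}

int main(void)
{
    Acl *u = build_username_acl(), *d = build_dname_acl();
    acl_show(u);
    acl_show(d);
    printf("mallory -> %s\n",
           acl_check(d, "C=GB,O=ACME,L=London,CN=mallory") ? "allow" : "deny");
    return 0;
}
```

Two things to keep in mind when writing rules of this kind: the x509dname ACL compares the DN as a rendered string, so a rule only matches the exact attribute order and escaping that the TLS layer produces; and with flags set to 0, fnmatch's * also spans commas, so a pattern such as C=GB,O=* admits every DN that begins with that prefix, not merely one organisation.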