qemu: error out when vnc vncTLSx509secretUUID is unsupported

Add a capability check to qemuDomainDefValidate and refuse to start a domain with VNC graphics if the TLS secret was set in qemu.conf and it's not supported. Note that qemuDomainSecretGraphicsPrepare does not generate any secret data if the capability is not present and qemuBuildTLSx509BackendProps is not called at all. Signed-off-by: Ján Tomko <jtomko@redhat.com> Reviewed-by: John Ferlan <jferlan@redhat.com>
2025-01-22 04:25:18 +00:00 · 2019-01-15 13:55:28 +01:00 · 2019-01-15 13:55:28 +01:00 · 4fb769f5e0
commit 4fb769f5e0
parent 2e2b0d69a9
1 changed files with 15 additions and 0 deletions
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@ -4112,8 +4112,10 @@ qemuDomainDefValidate(const virDomainDef *def,
                      void *opaque)
 {
    virQEMUDriverPtr driver = opaque;
+    virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
    virQEMUCapsPtr qemuCaps = NULL;
    int ret = -1;
+    size_t i;

    if (!(qemuCaps = virQEMUCapsCacheLookup(driver->qemuCapsCache,
                                            def->emulator)))
@ -4234,10 +4236,23 @@ qemuDomainDefValidate(const virDomainDef *def,
    if (qemuDomainDefValidateMemory(def, qemuCaps) < 0)
        goto cleanup;

+    if (cfg->vncTLS && cfg->vncTLSx509secretUUID &&
+        !virQEMUCapsGet(qemuCaps, QEMU_CAPS_OBJECT_TLS_CREDS_X509)) {
+        for (i = 0; i < def->ngraphics; i++) {
+            if (def->graphics[i]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
+                virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+                               _("encrypted VNC TLS keys are not supported with "
+                                 "this QEMU binary"));
+                goto cleanup;
+            }
+        }
+    }
+
    ret = 0;

 cleanup:
    virObjectUnref(qemuCaps);
+    virObjectUnref(cfg);
    return ret;
 }