From 4fb769f5e02833ecf6ad495af3f3c705364e2d2c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A1n=20Tomko?=
Date: Tue, 15 Jan 2019 13:55:28 +0100
Subject: [PATCH] qemu: error out when vnc vncTLSx509secretUUID is unsupported
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a capability check to qemuDomainDefValidate and refuse to start a domain with VNC graphics if the TLS secret was set in qemu.conf and it's not supported. Note that qemuDomainSecretGraphicsPrepare does not generate any secret data if the capability is not present and qemuBuildTLSx509BackendProps is not called at all.
Signed-off-by: Ján Tomko
Reviewed-by: John Ferlan
---
 src/qemu/qemu_domain.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/src/qemu/qemu_domain.c b/src/qemu/qemu_domain.c
index 22d93d56f9..32a43f2064 100644
--- a/src/qemu/qemu_domain.c
+++ b/src/qemu/qemu_domain.c
@@ -4112,8 +4112,10 @@ qemuDomainDefValidate(const virDomainDef *def,
 void *opaque)
 {
 virQEMUDriverPtr driver = opaque;
+ virQEMUDriverConfigPtr cfg = virQEMUDriverGetConfig(driver);
 virQEMUCapsPtr qemuCaps = NULL;
 int ret = -1;
+ size_t i;

 if (!(qemuCaps = virQEMUCapsCacheLookup(driver->qemuCapsCache,
 def->emulator)))
@@ -4234,10 +4236,23 @@ qemuDomainDefValidate(const virDomainDef *def,
 if (qemuDomainDefValidateMemory(def, qemuCaps) < 0)
 goto cleanup;

+ if (cfg->vncTLS && cfg->vncTLSx509secretUUID &&
+ !virQEMUCapsGet(qemuCaps, QEMU_CAPS_OBJECT_TLS_CREDS_X509)) {
+ for (i = 0; i < def->ngraphics; i++) {
+ if (def->graphics[i]->type == VIR_DOMAIN_GRAPHICS_TYPE_VNC) {
+ virReportError(VIR_ERR_CONFIG_UNSUPPORTED, "%s",
+ _("encrypted VNC TLS keys are not supported with "
+ "this QEMU binary"));
+ goto cleanup;
+ }
+ }
+ }
+
 ret = 0;

 cleanup:
 virObjectUnref(qemuCaps);
+ virObjectUnref(cfg);
 return ret;
 }

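Review bot: The `cfg` reference is now taken in the declaration at the top of qemuDomainDefValidate (first hunk), ahead of the virQEMUCapsCacheLookup failure check, and the statement that handles that failure lies outside the hunk. The only release this patch adds is `virObjectUnref(cfg);` under the `cleanup:` label, so every exit after the declaration has to be a `goto cleanup`; if the lookup failure branch returns directly, a config reference would leak on each failed validation. Worth confirming against the full function, or taking the reference immediately before the VNC check where it is first used.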
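Review bot: The error raised inside the VNC loop (second hunk) does not name the host setting that triggers it, so an operator sees a per-domain failure whose cause is host-wide qemu.conf configuration. Consider naming it in the message, e.g. `_("vnc_tls_x509_secret_uuid is set in qemu.conf but this QEMU binary does not support encrypted TLS keys")`. The rationale is only in the commit message; a comment above the check would keep it with the code, e.g. `/* Without tls-creds-x509 no secret is generated or passed to QEMU, so refuse the domain rather than continue without it. */`. Because the check sits in the definition validator rather than in the start path, it presumably fires wherever validation runs and not only at start; if that is intended it is worth stating in the same comment. The function body starts outside this hunk.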