External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-22 03:12:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add configuration options for permissions on daemon's admin socket

Browse Source 
This is not going to be very widely used, but for some corner cases and
easier (unsafe) debugging, it might be nice.

Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
This commit is contained in:
Martin Kletzander 2015-04-13 16:05:46 +02:00
parent 878bf2a3c9
commit beb0eda2e3
7 changed files with 94 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
daemon/libvirtd-config.c
View File

@ -1,7 +1,7 @@
/* /*
* libvirtd-config.c: daemon start of day, guest process & i/o management * libvirtd-config.c: daemon start of day, guest process & i/o management
* *
* Copyright (C) 2006-2012, 2014 Red Hat, Inc. * Copyright (C) 2006-2012, 2014, 2015 Red Hat, Inc.
* Copyright (C) 2006 Daniel P. Berrange * Copyright (C) 2006 Daniel P. Berrange
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
@ -264,7 +264,8 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED)
if (VIR_STRDUP(data->unix_sock_rw_perms, if (VIR_STRDUP(data->unix_sock_rw_perms,
data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700") < 0 || data->auth_unix_rw == REMOTE_AUTH_POLKIT ? "0777" : "0700") < 0 ||
VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0) VIR_STRDUP(data->unix_sock_ro_perms, "0777") < 0 ||
VIR_STRDUP(data->unix_sock_admin_perms, "0700") < 0)
goto error; goto error;
#if WITH_SASL #if WITH_SASL
@ -293,6 +294,16 @@ daemonConfigNew(bool privileged ATTRIBUTE_UNUSED)
data->keepalive_count = 5; data->keepalive_count = 5;
data->keepalive_required = 0; data->keepalive_required = 0;
data->admin_min_workers = 5;
data->admin_max_workers = 20;
data->admin_max_clients = 5000;
data->admin_max_queued_clients = 20;
data->admin_max_client_requests = 5;
data->admin_keepalive_interval = 5;
data->admin_keepalive_count = 5;
data->admin_keepalive_required = 0;
localhost = virGetHostname(); localhost = virGetHostname();
if (localhost == NULL) { if (localhost == NULL) {
/* we couldn't resolve the hostname; assume that we are /* we couldn't resolve the hostname; assume that we are
@ -337,6 +348,7 @@ daemonConfigFree(struct daemonConfig *data)
} }
VIR_FREE(data->access_drivers); VIR_FREE(data->access_drivers);
VIR_FREE(data->unix_sock_admin_perms);
VIR_FREE(data->unix_sock_ro_perms); VIR_FREE(data->unix_sock_ro_perms);
VIR_FREE(data->unix_sock_rw_perms); VIR_FREE(data->unix_sock_rw_perms);
VIR_FREE(data->unix_sock_group); VIR_FREE(data->unix_sock_group);
@ -404,6 +416,7 @@ daemonConfigLoadOptions(struct daemonConfig *data,
goto error; goto error;
GET_CONF_STR(conf, filename, unix_sock_group); GET_CONF_STR(conf, filename, unix_sock_group);
GET_CONF_STR(conf, filename, unix_sock_admin_perms);
GET_CONF_STR(conf, filename, unix_sock_ro_perms); GET_CONF_STR(conf, filename, unix_sock_ro_perms);
GET_CONF_STR(conf, filename, unix_sock_rw_perms); GET_CONF_STR(conf, filename, unix_sock_rw_perms);
@ -441,6 +454,12 @@ daemonConfigLoadOptions(struct daemonConfig *data,
GET_CONF_INT(conf, filename, max_requests); GET_CONF_INT(conf, filename, max_requests);
GET_CONF_UINT(conf, filename, max_client_requests); GET_CONF_UINT(conf, filename, max_client_requests);
GET_CONF_UINT(conf, filename, admin_min_workers);
GET_CONF_UINT(conf, filename, admin_max_workers);
GET_CONF_UINT(conf, filename, admin_max_clients);
GET_CONF_UINT(conf, filename, admin_max_queued_clients);
GET_CONF_UINT(conf, filename, admin_max_client_requests);
GET_CONF_UINT(conf, filename, audit_level); GET_CONF_UINT(conf, filename, audit_level);
GET_CONF_UINT(conf, filename, audit_logging); GET_CONF_UINT(conf, filename, audit_logging);
@ -454,6 +473,10 @@ daemonConfigLoadOptions(struct daemonConfig *data,
GET_CONF_UINT(conf, filename, keepalive_count); GET_CONF_UINT(conf, filename, keepalive_count);
GET_CONF_UINT(conf, filename, keepalive_required); GET_CONF_UINT(conf, filename, keepalive_required);
GET_CONF_INT(conf, filename, admin_keepalive_interval);
GET_CONF_UINT(conf, filename, admin_keepalive_count);
GET_CONF_UINT(conf, filename, admin_keepalive_required);
return 0; return 0;
error: error:

13
daemon/libvirtd-config.h
View File

@ -1,7 +1,7 @@
/* /*
* libvirtd-config.h: daemon start of day, guest process & i/o management * libvirtd-config.h: daemon start of day, guest process & i/o management
* *
* Copyright (C) 2006-2012 Red Hat, Inc. * Copyright (C) 2006-2012, 2015 Red Hat, Inc.
* Copyright (C) 2006 Daniel P. Berrange * Copyright (C) 2006 Daniel P. Berrange
* *
* This library is free software; you can redistribute it and/or * This library is free software; you can redistribute it and/or
@ -35,6 +35,7 @@ struct daemonConfig {
char *tls_port; char *tls_port;
char *tcp_port; char *tcp_port;
char *unix_sock_admin_perms;
char *unix_sock_ro_perms; char *unix_sock_ro_perms;
char *unix_sock_rw_perms; char *unix_sock_rw_perms;
char *unix_sock_group; char *unix_sock_group;
@ -81,6 +82,16 @@ struct daemonConfig {
int keepalive_interval; int keepalive_interval;
unsigned int keepalive_count; unsigned int keepalive_count;
int keepalive_required; int keepalive_required;
int admin_min_workers;
int admin_max_workers;
int admin_max_clients;
int admin_max_queued_clients;
int admin_max_client_requests;
int admin_keepalive_interval;
unsigned int admin_keepalive_count;
int admin_keepalive_required;
}; };

13
daemon/libvirtd.aug
View File

@ -35,6 +35,7 @@ module Libvirtd =
let sock_acl_entry = str_entry "unix_sock_group" let sock_acl_entry = str_entry "unix_sock_group"
| str_entry "unix_sock_ro_perms" | str_entry "unix_sock_ro_perms"
| str_entry "unix_sock_rw_perms" | str_entry "unix_sock_rw_perms"
| str_entry "unix_sock_admin_perms"
| str_entry "unix_sock_dir" | str_entry "unix_sock_dir"
let authentication_entry = str_entry "auth_unix_ro" let authentication_entry = str_entry "auth_unix_ro"
@ -62,6 +63,12 @@ module Libvirtd =
| int_entry "max_client_requests" | int_entry "max_client_requests"
| int_entry "prio_workers" | int_entry "prio_workers"
let admin_processing_entry = int_entry "admin_min_workers"
| int_entry "admin_max_workers"
| int_entry "admin_max_clients"
| int_entry "admin_max_queued_clients"
| int_entry "admin_max_client_requests"
let logging_entry = int_entry "log_level" let logging_entry = int_entry "log_level"
| str_entry "log_filters" | str_entry "log_filters"
| str_entry "log_outputs" | str_entry "log_outputs"
@ -74,6 +81,10 @@ module Libvirtd =
| int_entry "keepalive_count" | int_entry "keepalive_count"
| bool_entry "keepalive_required" | bool_entry "keepalive_required"
let admin_keepalive_entry = int_entry "admin_keepalive_interval"
| int_entry "admin_keepalive_count"
| bool_entry "admin_keepalive_required"
let misc_entry = str_entry "host_uuid" let misc_entry = str_entry "host_uuid"
(* Each enty in the config is one of the following three ... *) (* Each enty in the config is one of the following three ... *)
@ -83,9 +94,11 @@ module Libvirtd =
| certificate_entry | certificate_entry
| authorization_entry | authorization_entry
| processing_entry | processing_entry
| admin_processing_entry
| logging_entry | logging_entry
| auditing_entry | auditing_entry
| keepalive_entry | keepalive_entry
| admin_keepalive_entry
| misc_entry | misc_entry
let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ] let comment = [ label "#comment" . del /#[ \t]*/ "# " . store /([^ \t\n][^\n]*)?/ . del /\n/ "\n" ]
let empty = [ label "#empty" . eol ] let empty = [ label "#empty" . eol ]

24
daemon/libvirtd.conf
View File

@ -106,9 +106,17 @@
# control, then you may want to relax this too. # control, then you may want to relax this too.
#unix_sock_rw_perms = "0770" #unix_sock_rw_perms = "0770"
# Set the UNIX socket permissions for the admin interface socket.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to.
#unix_sock_admin_perms = "0700"
# Set the name of the directory in which sockets will be found/created. # Set the name of the directory in which sockets will be found/created.
#unix_sock_dir = "/var/run/libvirt" #unix_sock_dir = "/var/run/libvirt"
################################################################# #################################################################
# #
# Authentication. # Authentication.
@ -307,6 +315,16 @@
# and max_workers parameter # and max_workers parameter
#max_client_requests = 5 #max_client_requests = 5
# Same processing controls, but this time for the admin interface.
# For description of each option, be so kind to scroll few lines
# upwards.
#admin_min_workers = 1
#admin_max_workers = 5
#admin_max_clients = 5
#admin_max_queued_clients = 5
#admin_max_client_requests = 5
################################################################# #################################################################
# #
# Logging controls # Logging controls
@ -427,3 +445,9 @@
# support keepalive protocol. Defaults to 0. # support keepalive protocol. Defaults to 0.
# #
#keepalive_required = 1 #keepalive_required = 1
# Keepalive settings for the admin interface
#admin_keepalive_interval = 5
#admin_keepalive_count = 5
#
#admin_keepalive_required = 1

9
daemon/test_libvirtd.aug.in
View File

@ -12,6 +12,7 @@ module Test_libvirtd =
{ "unix_sock_group" = "libvirt" } { "unix_sock_group" = "libvirt" }
{ "unix_sock_ro_perms" = "0777" } { "unix_sock_ro_perms" = "0777" }
{ "unix_sock_rw_perms" = "0770" } { "unix_sock_rw_perms" = "0770" }
{ "unix_sock_admin_perms" = "0700" }
{ "unix_sock_dir" = "/var/run/libvirt" } { "unix_sock_dir" = "/var/run/libvirt" }
{ "auth_unix_ro" = "none" } { "auth_unix_ro" = "none" }
{ "auth_unix_rw" = "none" } { "auth_unix_rw" = "none" }
@ -42,6 +43,11 @@ module Test_libvirtd =
{ "prio_workers" = "5" } { "prio_workers" = "5" }
{ "max_requests" = "20" } { "max_requests" = "20" }
{ "max_client_requests" = "5" } { "max_client_requests" = "5" }
{ "admin_min_workers" = "1" }
{ "admin_max_workers" = "5" }
{ "admin_max_clients" = "5" }
{ "admin_max_queued_clients" = "5" }
{ "admin_max_client_requests" = "5" }
{ "log_level" = "3" } { "log_level" = "3" }
{ "log_filters" = "3:remote 4:event" } { "log_filters" = "3:remote 4:event" }
{ "log_outputs" = "3:syslog:libvirtd" } { "log_outputs" = "3:syslog:libvirtd" }
@ -52,3 +58,6 @@ module Test_libvirtd =
{ "keepalive_interval" = "5" } { "keepalive_interval" = "5" }
{ "keepalive_count" = "5" } { "keepalive_count" = "5" }
{ "keepalive_required" = "1" } { "keepalive_required" = "1" }
{ "admin_keepalive_interval" = "5" }
{ "admin_keepalive_count" = "5" }
{ "admin_keepalive_required" = "1" }

6
tests/confdata/libvirtd.conf
View File

@ -89,6 +89,12 @@ unix_sock_ro_perms = "0777"
# control then you may want to relax this to: # control then you may want to relax this to:
unix_sock_rw_perms = "0770" unix_sock_rw_perms = "0770"
# Set the UNIX socket permissions for the admin interface socket.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to
unix_sock_admin_perms = "0700"
################################################################# #################################################################

5
tests/confdata/libvirtd.out
View File

@ -71,6 +71,11 @@ unix_sock_ro_perms = "0777"
# If not using PolicyKit and setting group ownership for access # If not using PolicyKit and setting group ownership for access
# control then you may want to relax this to: # control then you may want to relax this to:
unix_sock_rw_perms = "0770" unix_sock_rw_perms = "0770"
# Set the UNIX socket permissions for the admin interface socket.
#
# Default allows only owner (root), do not change it unless you are
# sure to whom you are exposing the access to
unix_sock_admin_perms = "0700"
################################################################# #################################################################
# #
# Authentication. # Authentication.