mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-10-06 06:15:46 +00:00
cbfebfc747
When creating the system identity set the system token. The system token is currently stored in a local path /var/run/libvirt/common/system.token Obviously with only traditional UNIX DAC in effect, this is largely security through obscurity, if the client is running at the same privilege level as the daemon. It does, however, reliably distinguish an unprivileged client from the system daemons. With a MAC system like SELinux though, or possible use of containers, access can be further restricted. A possible future improvement for Linux would be to populate the kernel keyring with a secret for libvirt daemons to share. Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
31 lines
1.0 KiB
C
31 lines
1.0 KiB
C
/*
|
|
* viridentitypriv.h: helper APIs for managing user identities
|
|
*
|
|
* Copyright (C) 2012-2013 Red Hat, Inc.
|
|
*
|
|
* This library is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU Lesser General Public
|
|
* License as published by the Free Software Foundation; either
|
|
* version 2.1 of the License, or (at your option) any later version.
|
|
*
|
|
* This library is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
* Lesser General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU Lesser General Public
|
|
* License along with this library; If not, see
|
|
* <http://www.gnu.org/licenses/>.
|
|
*/
|
|
|
|
#ifndef LIBVIRT_VIRIDENTITYPRIV_H_ALLOW
|
|
# error "viridentitypriv.h may only be included by viridentity.c or test suites"
|
|
#endif /* LIBVIRT_VIRIDENTITYPRIV_H_ALLOW */
|
|
|
|
#pragma once
|
|
|
|
#include "viridentity.h"
|
|
|
|
char *
|
|
virIdentityEnsureSystemToken(void) G_GNUC_NO_INLINE;
|