1 From: Neil Wilson <neil@brightbox.co.uk>
2 To: libvir-list@redhat.com
3 Date: Mon, 10 Jan 2011 09:52:56 +0000
4 Message-ID: <1294653176.3013.16.camel@lenovo-3000-n100>
8 Here's the patch to add basic ACL support to QEMU within libvirt. Like
9 SASL, it's ignored by RHEL5's default qemu. Newer qemu picks it up as
10 expected, and you can manipulate the ACLs using 'virsh'.
13 diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
14 index ba41f80..7ab5eee 100644
15 --- a/src/qemu/qemu.conf
16 +++ b/src/qemu/qemu.conf
21 +# Enable the VNC access control lists. When switched on this will
22 +# initially block all vnc users from accessing the vnc server. To
23 +# add and remove ids from the ACLs you will need to send the appropriate
24 +# commands to the qemu monitor as required by your particular version of
25 +# QEMU. See the QEMU documentation for more details.
30 # The default SASL configuration file is located in /etc/sasl/
31 # When running libvirtd unprivileged, it may be desirable to
32 # override the configs in this location. Set this parameter to
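Review bot: The added comment (gutter lines 21-25) says that switching the ACL on initially blocks all VNC users, but it never says which identity the ACL is checked against. Per QEMU's documentation of the `acl` VNC flag, the list is matched against the x509 client certificate name or the SASL username, so with neither `vnc_tls_x509_verify` nor `vnc_sasl` enabled the setting most likely restricts nothing, and an administrator could believe the console is locked down when it is not. I would add a sentence such as `# ACLs are only evaluated when vnc_sasl or vnc_tls_x509_verify is enabled; on its own this setting does not restrict access.` The option line itself is not visible in this excerpt.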
33 --- libvirt-1.0.6/src/qemu/qemu_command.c.orig 2013-06-16 15:45:37.115181922 +0200
34 +++ libvirt-1.0.6/src/qemu/qemu_command.c 2013-06-16 15:47:49.335179175 +0200
35 @@ -6178,6 +6178,10 @@
37 /* TODO: Support ACLs later */
41 + virBufferAddLit(&opt, ",acl");
45 virCommandAddArg(cmd, "-vnc");
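Review bot: The context comment `/* TODO: Support ACLs later */` stays in place even though this hunk now appends `,acl` to the VNC option string, so it is stale after the change. Drop it, or replace it with something that describes the new behaviour, for example `/* ACLs start empty; entries are added at runtime via the QEMU monitor */`. The condition guarding `virBufferAddLit(&opt, ",acl");` is not visible in this excerpt, and the enclosing function starts and ends outside the hunk.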
46 --- libvirt-1.1.3/src/qemu/qemu_conf.c.orig 2013-10-22 20:38:43.522043292 +0200
47 +++ libvirt-1.1.3/src/qemu/qemu_conf.c 2013-10-22 20:45:19.515360007 +0200
49 GET_VALUE_STR("vnc_sasl_dir", cfg->vncSASLdir);
50 GET_VALUE_BOOL("vnc_allow_host_audio", cfg->vncAllowHostAudio);
51 GET_VALUE_BOOL("nographics_allow_host_audio", cfg->nogfxAllowHostAudio);
52 + GET_VALUE_LONG("vnc_acl", cfg->vncACL);
54 p = virConfGetValue(conf, "security_driver");
55 if (p && p->type == VIR_CONF_LIST) {
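Review bot: `GET_VALUE_LONG("vnc_acl", cfg->vncACL);` reads an on/off switch with the integer macro, while the neighbouring switches `vnc_allow_host_audio` and `nographics_allow_host_audio` use `GET_VALUE_BOOL`. For consistency, and presumably so that any non-zero value is normalised to true wherever the flag is tested, I would write `GET_VALUE_BOOL("vnc_acl", cfg->vncACL);` with the field declared as `bool`. The macro definitions and the `vncACL` declaration in qemu_conf.h are not visible in this excerpt, so confirm the field type before changing it. The enclosing function continues outside the hunk.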
56 --- libvirt-1.0.3/src/qemu/qemu_conf.h.orig 2013-03-09 13:10:30.059751685 +0100
57 +++ libvirt-1.0.3/src/qemu/qemu_conf.h 2013-03-09 13:54:17.296308093 +0100
60 bool vncTLSx509verify;
63 char *vncTLSx509certdir;