From: Neil Wilson To: libvir-list@redhat.com Date: Mon, 10 Jan 2011 09:52:56 +0000 Message-ID: <1294653176.3013.16.camel@lenovo-3000-n100> Hi, Here's the patch to add basic ACL support to QEMU within libvirt. Like SASL it's ignored by RHEL5's default qemu. Newer qemu picks it up as expected and you can manipulate the acls using 'virsh'.
diff --git a/src/qemu/qemu.conf b/src/qemu/qemu.conf
index ba41f80..7ab5eee 100644
--- a/src/qemu/qemu.conf
+++ b/src/qemu/qemu.conf
@@ -71,6 +71,15 @@
 # vnc_sasl = 1
+# Enable the VNC access control lists. When switched on this will
+# initially block all vnc users from accessing the vnc server. To
+# add and remove ids from the ACLs you will need to send the appropriate
+# commands to the qemu monitor as required by your particular version of
+# QEMU. See the QEMU documentation for more details.
+#
+# vnc_acl = 1
+
+
 # The default SASL configuration file is located in /etc/sasl/
 # When running libvirtd unprivileged, it may be desirable to
 # override the configs in this location. Set this parameter to
--- libvirt-1.0.6/src/qemu/qemu_command.c.orig 2013-06-16 15:45:37.115181922 +0200
+++ libvirt-1.0.6/src/qemu/qemu_command.c 2013-06-16 15:47:49.335179175 +0200
@@ -6178,6 +6178,10 @@
 /* TODO: Support ACLs later */
 }
+
+ if (cfg->vncACL)
+ virBufferAddLit(&opt, ",acl");
+
 }
 virCommandAddArg(cmd, "-vnc");
--- libvirt-1.1.3/src/qemu/qemu_conf.c.orig 2013-10-22 20:38:43.522043292 +0200
+++ libvirt-1.1.3/src/qemu/qemu_conf.c 2013-10-22 20:45:19.515360007 +0200
@@ -357,6 +357,7 @@
 GET_VALUE_STR("vnc_sasl_dir", cfg->vncSASLdir);
 GET_VALUE_BOOL("vnc_allow_host_audio", cfg->vncAllowHostAudio);
 GET_VALUE_BOOL("nographics_allow_host_audio", cfg->nogfxAllowHostAudio);
+ GET_VALUE_LONG("vnc_acl", cfg->vncACL);
 p = virConfGetValue(conf, "security_driver");
 if (p && p->type == VIR_CONF_LIST) {
--- libvirt-1.0.3/src/qemu/qemu_conf.h.orig 2013-03-09 13:10:30.059751685 +0100
+++ libvirt-1.0.3/src/qemu/qemu_conf.h 2013-03-09 13:54:17.296308093 +0100
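Review bot: The added comment for `vnc_acl` says the setting blocks all VNC users but does not say what an ACL entry is matched against, so a reader cannot tell which other settings it depends on. As the QEMU documentation describes the `acl` flag, the check is made against the x509 client certificate name or the SASL username, which suggests the text should point at `vnc_sasl` and `vnc_tls_x509_verify`, e.g. `# The ACL is checked against the SASL username or the x509 client certificate name,` followed by `# so enable vnc_sasl or vnc_tls_x509_verify as well.` It would also help to state that entries loaded through the monitor presumably live only in the running qemu process and have to be loaded again each time the guest starts.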
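Review bot: In the qemu_command.c hunk the `,acl` flag is appended whenever `cfg->vncACL` is set, and nothing in the visible lines ties it to an authentication mode that gives qemu an identity to match, or to a qemu binary that understands the flag. The description says an older qemu ignores the option; in that case an administrator who set `vnc_acl = 1` expecting deny-by-default gets no enforcement and no diagnostic, so a `VIR_WARN` or a configuration error on that path would make the gap visible. The `/* TODO: Support ACLs later */` comment just above the added lines is now stale and should be removed or reworded. The enclosing function starts and ends outside the hunk, so a guard placed elsewhere in it would not be visible here.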
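Review bot: In the qemu_conf.c hunk `vnc_acl` is read with `GET_VALUE_LONG`, although the field it fills is declared `bool vncACL` in the qemu_conf.h hunk and the boolean settings on the lines just above use `GET_VALUE_BOOL`. The macro definitions are outside the hunk, so whether the two differ in more than normalising the value cannot be confirmed here, but reading a long into a bool field leaves the conversion implicit and breaks the pattern of the neighbouring lines. Suggested line: `GET_VALUE_BOOL("vnc_acl", cfg->vncACL);`.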
@@ -102,6 +102,7 @@
 bool vncTLS;
 bool vncTLSx509verify;
 bool vncSASL;
+ bool vncACL;
 char *vncTLSx509certdir;
 char *vncListen;
 char *vncPassword;