xenbits.xensource.com Git - libvirt.git/commit

author	Daniel P. Berrangé <berrange@redhat.com>
	Thu, 29 Apr 2021 14:40:33 +0000 (15:40 +0100)
committer	Daniel P. Berrangé <berrange@redhat.com>
	Thu, 13 May 2021 10:07:16 +0000 (11:07 +0100)
commit	cbfebfc74741a00bddf67b7fa10892b757fffd6a
tree	e7b3b9bd8693e4149d377f2ed9334292a42047ca	tree
parent	d5d011f76745a9764464c9066223b17c4058f83f	commit \| diff

util: generate a persistent system token

When creating the system identity set the system token. The system
token is currently stored in a local path

/var/run/libvirt/common/system.token

Obviously with only traditional UNIX DAC in effect, this is largely
security through obscurity, if the client is running at the same
privilege level as the daemon. It does, however, reliably distinguish
an unprivileged client from the system daemons.

With a MAC system like SELinux though, or possible use of containers,
access can be further restricted.

A possible future improvement for Linux would be to populate the
kernel keyring with a secret for libvirt daemons to share.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>

src/libvirt_private.syms		diff \| blob \| blame \| history
src/util/viridentity.c		diff \| blob \| blame \| history
src/util/viridentitypriv.h	[new file with mode: 0644]	blob
tests/viridentitytest.c		diff \| blob \| blame \| history