From patchwork Thu Jun 2 16:46:25 2016
X-Patchwork-Submitter: Daniel P. Berrangé
X-Patchwork-Id: 9151005
From: "Daniel P. Berrange"
To: qemu-devel@nongnu.org
Cc: qemu-block@nongnu.org, Markus Armbruster, Max Reitz, Paolo Bonzini, Andreas Färber
Date: Thu, 2 Jun 2016 17:46:25 +0100
Message-Id: <1464885987-4039-10-git-send-email-berrange@redhat.com>
In-Reply-To: <1464885987-4039-1-git-send-email-berrange@redhat.com>
References: <1464885987-4039-1-git-send-email-berrange@redhat.com>
Subject: [Qemu-devel] [PATCH v5 09/11] migration: add support for a "tls-acl" migration parameter

The QEMU instance that runs as the server for the migration data transport (i.e. the target QEMU) needs to be able to configure access control so it can prevent unauthorized clients initiating an incoming migration.

This adds a new 'tls-acl' migration parameter that is used to provide the QOM ID of a QAuthZ subclass instance that provides the access control check. This ACL is checked against the x509 certificate obtained during the TLS handshake.

Signed-off-by: Daniel P. Berrange
---
 hmp.c                 |  8 ++++++++
 migration/migration.c |  7 +++++++
 migration/tls.c       |  2 +-
 qapi-schema.json      | 20 +++++++++++++++++---
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/hmp.c b/hmp.c index e0d0d8c..4cbf37c 100644 --- a/hmp.c +++ b/hmp.c 
@@ -300,6 +300,9 @@ void hmp_info_migrate_parameters(Monitor *mon, const QDict *qdict) monitor_printf(mon, " %s: '%s'", MigrationParameter_lookup[MIGRATION_PARAMETER_TLS_HOSTNAME], params->tls_hostname ? : ""); + monitor_printf(mon, " %s: '%s'", + MigrationParameter_lookup[MIGRATION_PARAMETER_TLS_ACL], + params->tls_acl ? : ""); monitor_printf(mon, "\n"); } @@ -1259,6 +1262,7 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict) bool has_cpu_throttle_increment = false; bool has_tls_creds = false; bool has_tls_hostname = false; + bool has_tls_acl = false; bool use_int_value = false; int i; @@ -1290,6 +1294,9 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict) case MIGRATION_PARAMETER_TLS_HOSTNAME: has_tls_hostname = true; break; + case MIGRATION_PARAMETER_TLS_ACL: + has_tls_acl = true; + break; } if (use_int_value) { @@ -1307,6 +1314,7 @@ void hmp_migrate_set_parameter(Monitor *mon, const QDict *qdict) has_cpu_throttle_increment, valueint, has_tls_creds, valuestr, has_tls_hostname, valuestr, + has_tls_acl, valuestr, &err); break; } diff --git a/migration/migration.c b/migration/migration.c index 7ecbade..b5e8e2f 100644 --- a/migration/migration.c +++ b/migration/migration.c @@ -566,6 +566,7 @@ MigrationParameters *qmp_query_migrate_parameters(Error **errp) params->cpu_throttle_increment = s->parameters.cpu_throttle_increment; params->tls_creds = g_strdup(s->parameters.tls_creds); params->tls_hostname = g_strdup(s->parameters.tls_hostname); + params->tls_acl = g_strdup(s->parameters.tls_acl); return params; } @@ -771,6 +772,8 @@ void qmp_migrate_set_parameters(bool has_compress_level, const char *tls_creds, bool has_tls_hostname, const char *tls_hostname, + bool has_tls_acl, + const char *tls_acl, Error **errp) { MigrationState *s = migrate_get_current(); 
@@ -830,6 +833,10 @@ void qmp_migrate_set_parameters(bool has_compress_level, g_free(s->parameters.tls_hostname); s->parameters.tls_hostname = g_strdup(tls_hostname); } + if (has_tls_acl) { + g_free(s->parameters.tls_acl); + s->parameters.tls_acl = g_strdup(tls_acl); + } } diff --git a/migration/tls.c b/migration/tls.c index 75f959f..968fe16 100644 --- a/migration/tls.c +++ b/migration/tls.c @@ -92,7 +92,7 @@ void migration_tls_set_incoming_channel(MigrationState *s, tioc = qio_channel_tls_new_server( ioc, creds, - NULL, /* XXX pass ACL name */ + s->parameters.tls_acl, errp); if (!tioc) { return; diff --git a/qapi-schema.json b/qapi-schema.json index 337a6ce..e7ec2a1 100644 --- a/qapi-schema.json +++ b/qapi-schema.json @@ -636,12 +636,16 @@ # hostname must be provided so that the server's x509 # certificate identity canbe validated. (Since 2.7) # +# @tls-acl: ID of the 'authz' object subclass that provides access control +# checking of the TLS x509 certificate distinguished name. (Since +# 2.7) +# # Since: 2.4 ## { 'enum': 'MigrationParameter', 'data': ['compress-level', 'compress-threads', 'decompress-threads', 'cpu-throttle-initial', 'cpu-throttle-increment', - 'tls-creds', 'tls-hostname'] } + 'tls-creds', 'tls-hostname', 'tls-acl'] } # # @migrate-set-parameters @@ -677,6 +681,10 @@ # hostname must be provided so that the server's x509 # certificate identity canbe validated. (Since 2.7) # +# @tls-acl: ID of the 'authz' object subclass that provides access control +# checking of the TLS x509 certificate distinguished name. (Since +# 2.7) +# # Since: 2.4 ## { 'command': 'migrate-set-parameters', @@ -686,7 +694,8 @@ '*cpu-throttle-initial': 'int', '*cpu-throttle-increment': 'int', '*tls-creds': 'str', - '*tls-hostname': 'str'} } + '*tls-hostname': 'str', + '*tls-acl': 'str'} } # # @MigrationParameters 
@@ -720,6 +729,10 @@ # hostname must be provided so that the server's x509 # certificate identity canbe validated. (Since 2.6) # +# @tls-acl: ID of the 'authz' object subclass that provides access control +# checking of the TLS x509 certificate distinguished name. (Since +# 2.7) +# # Since: 2.4 ## { 'struct': 'MigrationParameters', @@ -729,7 +742,8 @@ 'cpu-throttle-initial': 'int', 'cpu-throttle-increment': 'int', 'tls-creds': 'str', - 'tls-hostname': 'str'} } + 'tls-hostname': 'str', + 'tls-acl': 'str'} } ## # @query-migrate-parameters #
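Review bot: the setter hunk in migration/migration.c @@ -830 stores the tls_acl string without checking that an object with that ID exists or that it is a QAuthZ instance, so a mistyped ID is only discovered when the next incoming migration's TLS handshake fails on the target, and nothing tells the operator why. Since the commit message presents this parameter as the mechanism that keeps unauthorized clients out, consider resolving the ID at set time and reporting a lookup failure through the errp that qmp_migrate_set_parameters already takes (visible in the @@ -771 hunk), and state whether passing an empty string clears a previously configured ACL.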
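Review bot: the server-side hunk in migration/tls.c @@ -92 hands s->parameters.tls_acl straight to qio_channel_tls_new_server, so when the parameter was never set the ACL argument is NULL, which is the same behaviour as the removed "XXX pass ACL name" line. The security-relevant default therefore needs to be spelled out: with tls-acl unset, no distinguished-name check is performed and any client whose certificate validates against tls-creds is accepted. None of the three doc comments added in qapi-schema.json mention the unset case, and this is the one fact an operator reading them needs in order to know whether the target is actually restricting who may push a migration to it.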
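Review bot: the doc comment added in qapi-schema.json @@ -636 (and repeated verbatim in the @@ -681 and @@ -729 hunks) says "ID of the 'authz' object subclass", but the value is the QOM ID of an object instance whose class derives from QAuthZ, as the commit message itself describes; suggest "ID of a QAuthZ object instance that provides access control checking of the TLS x509 certificate distinguished name". It would also help to say that the check is applied on the target (server) side of an incoming migration and only takes effect when TLS is in use, since the sole consumer in this patch is migration_tls_set_incoming_channel; otherwise someone may set it on the source and expect an effect. While this comment block is being touched, the "canbe" typo in the context line immediately above the insertion could be fixed in the same patch.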
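Review bot: 'tls-acl' is declared as a mandatory 'str' member of MigrationParameters in the qapi-schema.json @@ -742 hunk, while qmp_query_migrate_parameters (migration/migration.c @@ -566) fills it with g_strdup(s->parameters.tls_acl), which yields NULL when the parameter has never been set; the hmp hunk at @@ -300 guards against exactly that with `params->tls_acl ? : ""`. Relying on the output visitor to turn a NULL into an empty string makes "no ACL configured" indistinguishable from "ACL ID is the empty string" for a QMP client. Declaring the member as '*tls-acl' and setting has_tls_acl only when an ACL is configured would report the state accurately; the existing tls-creds and tls-hostname members that this hunk follows have the same shape, so fixing all three together may be cleaner than adding a third instance.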