[Libguestfs] [PATCH libnbd] api: Allow NBD URIs to be restricted.

Eric Blake eblake at redhat.com
Mon Nov 4 19:26:20 UTC 2019


On 10/20/19 6:06 AM, Richard W.M. Jones wrote:
> New APIs are added which let you enable or disable features of NBD
> URIs, mainly for security reasons.
> 
> tls-psk-file is *disabled* by default for obvious security reasons.
> All other features are enabled by default.
> ---

> @@ -1445,6 +1453,75 @@ C<\"qemu:dirty-bitmap:...\"> for qemu-nbd
>       see_also = ["L<nbd_block_status(3)>"];
>     };
>   
> +  "set_uri_allow_transports", {
> +    default_call with
> +    args = [ Flags ("mask", allow_transport_flags) ]; ret = RErr;
> +    permitted_states = [ Created ];
> +    shortdesc = "set the allowed transports in NBD URIs";
> +    longdesc = "\
> +Set which transports are allowed to appear in NBD URIs.  The
> +default is to allow any transports.

'any transport.'

> +
> +The C<mask> parameter may contain any of the following flags
> +ORed together:
> +
> +=over 4
> +
> +=item C<LIBNBD_ALLOW_TRANSPORT_TCP>
> +
> +=item C<LIBNBD_ALLOW_TRANSPORT_UNIX>
> +
> +=item C<LIBNBD_ALLOW_TRANSPORT_VSOCK>
> +
> +=back";
> +    see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_tls(3)>"];
> +  };
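
Review bot: the longdesc for set_uri_allow_transports lists the LIBNBD_ALLOW_TRANSPORT_* flags but never says what happens when a URI names a transport outside the mask, or what a mask of 0 means. Since the commit message says these calls exist mainly for security reasons, the text should state that such a URI is rejected, which call reports the error (the see_also suggests nbd_connect_uri), and whether an empty mask is valid and blocks every URI. The set_uri_allow_tls text later in this hunk does say "will be rejected" for LIBNBD_TLS_DISABLE; the same wording here would make the two entries consistent.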

Worth L<nbd_get_uri_allow_tls(3)> to query the current permitted 
transports? Similar for other new set_ APIs.

> +
> +  "set_uri_allow_tls", {
> +    default_call with
> +    args = [ Enum ("tls", tls_enum) ]; ret = RErr;
> +    permitted_states = [ Created ];
> +    shortdesc = "set the allowed TLS settings in NBD URIs";
> +    longdesc = "\
> +Set which TLS settings are allowed to appear in NBD URIs.  The
> +default is to allow either non-TLS or TLS URIs.
> +
> +The C<tls> parameter can be:
> +
> +=over 4
> +
> +=item C<LIBNBD_TLS_DISABLE>
> +
> +TLS URIs are not permitted, ie. a URI such as C<nbds://...>
> +will be rejected.
> +
> +=item C<LIBNBD_TLS_ALLOW>
> +
> +This is the default.  TLS may be used or not, depending on
> +whether the URI uses C<nbds> or C<nbd>.
> +
> +=item C<LIBNBD_TLS_REQUIRE>
> +
> +TLS URIs are required.  All URIs must use C<nbs>.

C<nbds>


> +=item Connect to Unix domain socket in the local filesystem
> +
> +Default: allowed
> +
> +To prevent this you must disable the C<+unix> transport

Is the + in C<+unix> intentional?

Otherwise looks like a good addition.

-- 
Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org



