[libvirt] [PATCHv3 0/5] smartcard: round 3
Alon Levy
alevy at redhat.com
Wed Jan 26 06:59:27 UTC 2011
On Tue, Jan 25, 2011 at 05:36:53PM -0700, Eric Blake wrote:
> This series has hopefully taken into account all the feedback from v2
> (https://www.redhat.com/archives/libvir-list/2011-January/msg00608.html).
>
> Major changes:
> - enhance the XML to support optional ccid <controller> (missing
> controllers are added according to <address> elements) and optional
> <address> per smartcard (missing address assume the next available
> port on controller 0)
> - enhance the XML to support an optional <source dev='/path'/> for
> host mode. For now, this path is only used in SELinux labeling; I
> suspect that this needs more work, since the point is that a single
> device in the host should be shared among the NSS implementation of
> multiple guests (so labeling the host device to belong to a single
> guest is wrong); but fixing it correctly requires a better
> understanding of what NSS actually needs to access, as well as
> possibly modifying qemu's smartcard implementation to take the
> host device either as a pathname or even as an already-opened fd.
I just remembered how NSS actually talks to cards. So basically, if
you are using a physical card, it will go through a TCP connection to
a local daemon called pcscd - I'm guessing that means no SELinux
labeling would be required? Does SELinux label sockets?
pcscd is a single instance, so it wouldn't pose a problem for SELinux.
It uses libccid, which is linked to libusb, which does the actual
device open, so just pcscd needs the permissions for device access.
> - enhance the XML to support an optional <database> element for
> host-certificates mode.
> - enhance the qemu command line to fully populate all parameters,
> rather than the bare minimum defaults, and reflect that in the tests.
>
> It requires this pre-requisite patch for qemu -chardev aliases:
> https://www.redhat.com/archives/libvir-list/2011-January/msg01032.html
>
> Eric Blake (5):
> smartcard: add XML support for <smartcard> device
> smartcard: add domain conf support
> smartcard: check for qemu capability
> smartcard: enable SELinux support
> smartcard: turn on qemu support
>
> cfg.mk | 1 +
> docs/formatdomain.html.in | 95 +++++-
> docs/schemas/domain.rng | 73 ++++
> src/conf/domain_conf.c | 396 +++++++++++++++++++-
> src/conf/domain_conf.h | 53 +++-
> src/libvirt_private.syms | 4 +
> src/qemu/qemu_capabilities.c | 2 +
> src/qemu/qemu_capabilities.h | 1 +
> src/qemu/qemu_command.c | 90 +++++-
> src/security/security_selinux.c | 94 +++++
> .../qemuxml2argv-smartcard-controller.args | 1 +
> .../qemuxml2argv-smartcard-controller.xml | 20 +
> .../qemuxml2argv-smartcard-host-certificates.args | 1 +
> .../qemuxml2argv-smartcard-host-certificates.xml | 20 +
> .../qemuxml2argv-smartcard-host.args | 1 +
> .../qemuxml2argv-smartcard-host.xml | 16 +
> .../qemuxml2argv-smartcard-passthrough-tcp.args | 1 +
> .../qemuxml2argv-smartcard-passthrough-tcp.xml | 19 +
> tests/qemuxml2argvtest.c | 13 +
> 19 files changed, 887 insertions(+), 14 deletions(-)
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-controller.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-controller.xml
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host-certificates.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host-certificates.xml
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-host.xml
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-passthrough-tcp.args
> create mode 100644 tests/qemuxml2argvdata/qemuxml2argv-smartcard-passthrough-tcp.xml
>
> --
> 1.7.3.5
>
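A worked domain XML fragment exercising the elements listed in the series summary above (an illustration added here; it is not part of the patch series or the libvirt tree). Element and attribute names follow the smartcard XML as it was eventually documented in libvirt's formatdomain; the v3-only <source dev='/path'/> for host mode is left out because its semantics were still under discussion. The domain name, certificate nicknames, NSS database path, TCP port and controller/slot numbering are made-up values, and one card per ccid controller is assumed:

```xml
<domain type='kvm'>
  <name>smartcard-demo</name>
  <!-- memory, vcpu, os and other required elements omitted for brevity -->
  <devices>
    <!-- Explicit ccid controllers. Per the summary above, a controller that is
         missing here is added automatically to satisfy an <address type='ccid'/>
         below, and a smartcard with no <address/> takes the next free slot on
         controller 0. Three controllers are used so that each card gets slot 0. -->
    <controller type='ccid' index='0'/>
    <controller type='ccid' index='1'/>
    <controller type='ccid' index='2'/>

    <!-- host mode: qemu's emulated reader is backed by a physical card on the
         host, reached through the host's pcscd (see the reply above); no
         per-guest labeling of the USB reader is expressed in the XML. -->
    <smartcard mode='host'>
      <address type='ccid' controller='0' slot='0'/>
    </smartcard>

    <!-- host-certificates mode: qemu presents a virtual card built from three
         certificates in a host NSS database. The nicknames are placeholders;
         <database> is the optional element from this series (libvirt documents
         /etc/pki/nssdb as the default when it is omitted). -->
    <smartcard mode='host-certificates'>
      <certificate>cert1</certificate>
      <certificate>cert2</certificate>
      <certificate>cert3</certificate>
      <database>/etc/pki/nssdb</database>
      <address type='ccid' controller='1' slot='0'/>
    </smartcard>

    <!-- passthrough mode: card traffic is tunnelled over a character device to
         a remote client (the "passthrough-tcp" test case above); here qemu
         listens on loopback only, so no other host can attach to the reader. -->
    <smartcard mode='passthrough' type='tcp'>
      <source mode='bind' host='127.0.0.1' service='2001'/>
      <protocol type='raw'/>
      <address type='ccid' controller='2' slot='0'/>
    </smartcard>
  </devices>
</domain>
```

In practice a guest would use one of the three modes; they are shown together only to illustrate each element the series adds. Validate such a fragment against the schema the series extends with `virt-xml-validate domain.xml` before defining the domain.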