[libvirt] [PATCHv3 0/5] smartcard: round 3
Alon Levy
alevy at redhat.com
Wed Jan 26 15:51:50 UTC 2011
On Wed, Jan 26, 2011 at 12:21:58PM +0000, Daniel P. Berrange wrote:
> On Wed, Jan 26, 2011 at 08:59:27AM +0200, Alon Levy wrote:
> > On Tue, Jan 25, 2011 at 05:36:53PM -0700, Eric Blake wrote:
> > > This series has hopefully taken into account all the feedback from v2
> > > (https://www.redhat.com/archives/libvir-list/2011-January/msg00608.html).
> > >
> > > Major changes:
> > > - enhance the XML to support optional ccid <controller> (missing
> > > controllers are added according to <address> elements) and optional
> > > <address> per smartcard (missing address assume the next available
> > > port on controller 0)
> > > - enhance the XML to support an optional <source dev='/path'/> for
> > > host mode. For now, this path is only used in SELinux labeling; I
> > > suspect that this needs more work, since the point is that a single
> > > device in the host should be shared among the NSS implementation of
> > > multiple guests (so labeling the host device to belong to a single
> > > guest is wrong); but fixing it correctly requires a better
> > > understanding of what NSS actually needs to access, as well as
> > > possibly modifying qemu's smartcard implementation to take the
> > > host device either as a pathname or even as an already-opened fd.
> >
> > I just remembered how NSS actually talks to cards. So basically if
> > you are using a physical card it will go through a TCP connection to
> > a local daemon called pcscd - I'm guessing that means no SELinux
> > labeling would be required? Does SELinux label sockets?
>
> Yes, selinux labels *everything*.
>
> > pcscd is a single instance, so wouldn't pose a problem for SELinux.
> > It uses libccid which is linked to libusb which does the actual
> > device open, so just pcscd needs the permissions for device access.
>
> This will require a SELinux policy addition to allow QEMU to connect
> to the pcscd sockets. It isn't something we can solve in the libvirt
> security drivers unfortunately. It kind of sucks because we'd need
> a admin toggled boolean 'virt_use_smartcards' to allow access globally.
> Then again few people will ever use this mode of smartcard access
> anyway, so its not too bad.
Queue wisecrack.
>
> Daniel
More information about the libvir-list
mailing list