[libvirt PATCH v2 03/10] util: generate a persistent system token

Eric Blake eblake at redhat.com
Fri May 7 17:42:01 UTC 2021

On 5/7/21 11:24 AM, Daniel P. Berrangé wrote:
> When creating the system identity set the system token. The system
> token is currently stored in a local path
>    /var/run/libvirt/common/system.token
> Obviously with only traditional UNIX DAC in effect, this is largely
> security through obscurity, if the client is running at the same
> privilege level as the daemon. It does, however, reliably distinguish
> an unprivilegd client from the system daemons.


> With a MAC system like SELinux though, or possible use of containers,
> access can be further restricted.
> A possible future improvement for Linux would be to populate the
> kernel keyring with a secret for libvirt daemons to share.
> Reviewed-by: Michal Privoznik <mprivozn at redhat.com>
> Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> ---
>  src/util/viridentity.c | 102 +++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 102 insertions(+)

Eric Blake, Principal Software Engineer
Red Hat, Inc.           +1-919-301-3226
Virtualization:  qemu.org | libvirt.org

More information about the libvir-list mailing list