[libvirt PATCH v2 09/10] src: elevate current identity privilege when fetching secret

Daniel P. Berrangé berrange at redhat.com
Mon May 10 15:44:38 UTC 2021 

On Mon, May 10, 2021 at 01:32:20PM +0200, Michal Prívozník wrote:
> On 5/7/21 6:24 PM, Daniel P. Berrangé wrote:
> > When fetching the value of a private secret, we need to use an elevated
> > identity otherwise the secret driver will deny access.
> > 
> > When using the modular daemons, the elevated identity needs to be active
> > before the secret driver connection is opened, and it will apply to all
> > APIs calls made on that conncetion.
> > 
> > When using the monolithic daemon, the identity at time of opening the
> > connection is ignored, and the elevated identity needs to be active
> > precisely at the time the virSecretGetValue API call is made.
> > 
> > After acquiring the secret value, the elevated identity should be
> > cleared.
> > 
> > This sounds complex, but is fairly straightfoward with the automatic
> > cleanup callbacks.
> > 
> > Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
> > ---
> >  src/libxl/libxl_conf.c                     |  5 +++++
> >  src/qemu/qemu_domain.c                     | 11 ++++++++++-
> >  src/qemu/qemu_tpm.c                        |  5 +++++
> >  src/storage/storage_backend_iscsi.c        |  5 +++++
> >  src/storage/storage_backend_iscsi_direct.c |  5 +++++
> >  src/storage/storage_backend_rbd.c          |  5 +++++
> >  src/storage/storage_util.c                 |  5 +++++
> >  7 files changed, 40 insertions(+), 1 deletion(-)
> > 
> 
> 
> After this, I see qemuxml2argv test crash (because of NULL passed to
> open() in the area I'm raising in 03/10). With the fix I'm suggesting I
> see a different error:
> 
> internal error: No current identity to elevate
> 
> That's because we failed to initialize identity. Unfortunately, I will
> have to leave this up to you.

Yep, the test suite needs to call virIdentitySetCurrent now we have a
dependancy on the identity APIs for internal secret access.

Regards,
Daniel
-- 
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|

More information about the libvir-list mailing list