[PATCH 6/6] examples: polkit: Grant 'domain.read-secure' for the example cases
Daniel P. Berrangé
berrange at redhat.com
Mon Feb 20 17:09:18 UTC 2023
On Mon, Feb 20, 2023 at 11:47:09AM +0100, Peter Krempa wrote:
> The example gives the user authorized to work with the domain permission
> to open the graphics socket. Since the graphics socket may be protected
> with a password it makes sense to grant the user the
> 'domain.read-secure' permission to fetch the password for the graphics
> object.
>
> This also goes along with e.g. 'domain.send-input' and
> 'domain.screenshot' as they'll allow the user to interact with the
> domain even if they didn't have the password.
The password isn't required, as you can use virDomainOpenGraphics
to connect when it's a local display, and that's allowed via the
domain.open-graphics permission. virt-viewer at least will use
this API, but can't remember if virt-manager will. This also
bypasses any need to configure TLS certificates for VNC, or
do Kerberos auth if that's enabled.
>
> Signed-off-by: Peter Krempa <pkrempa at redhat.com>
> ---
> examples/polkit/libvirt-acl.rules | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/examples/polkit/libvirt-acl.rules b/examples/polkit/libvirt-acl.rules
> index dd6836599a..2edd9c5b8e 100644
> --- a/examples/polkit/libvirt-acl.rules
> +++ b/examples/polkit/libvirt-acl.rules
> @@ -93,6 +93,7 @@ restrictedActions = [
> "domain.inject-nmi",
> "domain.open-device",
> "domain.open-graphics",
> + "domain.read-secure",
We don't allow the secret.read-secure parameter, and I don't
think we should allow this either.
> "domain.pm-control",
> "domain.read",
> "domain.reset",
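Review bot: the added "domain.read-secure" entry in restrictedActions has no comment explaining why a restricted user needs it, and the commit message justifies it only by the graphics password. "domain.open-graphics" is already in the list on the line directly above, and the reply notes that virDomainOpenGraphics connects to a local display without the password, so the stated use case appears covered without this line. Consider dropping the entry. If it stays, add a comment in the rules file saying that it lets these users read secure domain data and why the example needs that.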
> --
> 2.39.2
>
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|