76655d6dec
This patch introduces a generic internal API for access control lists
to be used by network servers in QEMU. It adds support for checking
these ACL in the VNC server, in two places. The first ACL is for the
SASL authentication mechanism, checking the SASL username. This ACL
is called 'vnc.username'. The second is for the TLS authentication
mechanism, when x509 client certificates are turned on, checking against
the Distinguished Name of the client. This ACL is called 'vnc.x509dname'
The internal API provides for an ACL with the following characteristics
- A unique name, eg vnc.username, and vnc.x509dname.
- A default policy, allow or deny
- An ordered series of match rules, with allow or deny policy
If none of the match rules apply, then the default policy is
used.
There is a monitor API to manipulate the ACLs, which I'll describe via
examples
(qemu) acl show vnc.username
policy: allow
(qemu) acl policy vnc.username denya
acl: policy set to 'deny'
(qemu) acl allow vnc.username fred
acl: added rule at position 1
(qemu) acl allow vnc.username bob
acl: added rule at position 2
(qemu) acl allow vnc.username joe 1
acl: added rule at position 1
(qemu) acl show vnc.username
policy: deny
0: allow fred
1: allow joe
2: allow bob
(qemu) acl show vnc.x509dname
policy: allow
(qemu) acl policy vnc.x509dname deny
acl: policy set to 'deny'
(qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=*
acl: added rule at position 1
(qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob
acl: added rule at position 2
(qemu) acl show vnc.x509dname
policy: deny
0: allow C=GB,O=ACME,L=London,CN=*
1: allow C=GB,O=ACME,L=Boston,CN=bob
By default the VNC server will not use any ACLs, allowing access to
the server if the user successfully authenticates. To enable use of
ACLs to restrict user access, the ',acl' flag should be given when
starting QEMU. The initial ACL activated will be a 'deny all' policy
and should be customized using monitor commands.
eg enable SASL auth and ACLs
qemu .... -vnc localhost:1,sasl,acl
The next patch will provide a way to load a pre-defined ACL when
starting up
Makefile | 6 +
b/acl.c | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
b/acl.h | 74 ++++++++++++++++++++++
configure | 18 +++++
monitor.c | 95 ++++++++++++++++++++++++++++
qemu-doc.texi | 49 ++++++++++++++
vnc-auth-sasl.c | 16 +++-
vnc-auth-sasl.h | 7 ++
vnc-tls.c | 19 +++++
vnc-tls.h | 3
vnc.c | 21 ++++++
vnc.h | 3
12 files changed, 491 insertions(+), 5 deletions(-)
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6726 c046a42c-6fe2-441c-8c8c-71466251a162
381 lines
9.4 KiB
Makefile
381 lines
9.4 KiB
Makefile
# Makefile for QEMU.
|
|
|
|
include config-host.mak
|
|
include $(SRC_PATH)/rules.mak
|
|
|
|
.PHONY: all clean cscope distclean dvi html info install install-doc \
|
|
recurse-all speed tar tarbin test
|
|
|
|
VPATH=$(SRC_PATH):$(SRC_PATH)/hw
|
|
|
|
|
|
CFLAGS += $(OS_CFLAGS) $(ARCH_CFLAGS)
|
|
LDFLAGS += $(OS_LDFLAGS) $(ARCH_LDFLAGS)
|
|
|
|
CPPFLAGS += -I. -I$(SRC_PATH) -MMD -MP -MT $@
|
|
CPPFLAGS += -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE
|
|
LIBS=
|
|
ifdef CONFIG_STATIC
|
|
LDFLAGS += -static
|
|
endif
|
|
ifdef BUILD_DOCS
|
|
DOCS=qemu-doc.html qemu-tech.html qemu.1 qemu-img.1 qemu-nbd.8
|
|
else
|
|
DOCS=
|
|
endif
|
|
|
|
LIBS+=$(AIOLIBS)
|
|
|
|
ifdef CONFIG_SOLARIS
|
|
LIBS+=-lsocket -lnsl -lresolv
|
|
endif
|
|
|
|
ifdef CONFIG_WIN32
|
|
LIBS+=-lwinmm -lws2_32 -liphlpapi
|
|
endif
|
|
|
|
all: $(TOOLS) $(DOCS) recurse-all
|
|
|
|
SUBDIR_RULES=$(patsubst %,subdir-%, $(TARGET_DIRS))
|
|
|
|
subdir-%:
|
|
$(call quiet-command,$(MAKE) -C $* V="$(V)" TARGET_DIR="$*/" all,)
|
|
|
|
$(filter %-softmmu,$(SUBDIR_RULES)): libqemu_common.a
|
|
$(filter %-user,$(SUBDIR_RULES)): libqemu_user.a
|
|
|
|
recurse-all: $(SUBDIR_RULES)
|
|
|
|
#######################################################################
|
|
# BLOCK_OBJS is code used by both qemu system emulation and qemu-img
|
|
|
|
BLOCK_OBJS=cutils.o qemu-malloc.o
|
|
BLOCK_OBJS+=block-cow.o block-qcow.o aes.o block-vmdk.o block-cloop.o
|
|
BLOCK_OBJS+=block-dmg.o block-bochs.o block-vpc.o block-vvfat.o
|
|
BLOCK_OBJS+=block-qcow2.o block-parallels.o block-nbd.o
|
|
BLOCK_OBJS+=nbd.o block.o aio.o
|
|
|
|
ifdef CONFIG_WIN32
|
|
BLOCK_OBJS += block-raw-win32.o
|
|
else
|
|
ifdef CONFIG_AIO
|
|
BLOCK_OBJS += posix-aio-compat.o
|
|
endif
|
|
BLOCK_OBJS += block-raw-posix.o
|
|
endif
|
|
|
|
######################################################################
|
|
# libqemu_common.a: Target independent part of system emulation. The
|
|
# long term path is to suppress *all* target specific code in case of
|
|
# system emulation, i.e. a single QEMU executable should support all
|
|
# CPUs and machines.
|
|
|
|
OBJS=$(BLOCK_OBJS)
|
|
OBJS+=readline.o console.o
|
|
|
|
OBJS+=irq.o
|
|
OBJS+=i2c.o smbus.o smbus_eeprom.o max7310.o max111x.o wm8750.o
|
|
OBJS+=ssd0303.o ssd0323.o ads7846.o stellaris_input.o twl92230.o
|
|
OBJS+=tmp105.o lm832x.o
|
|
OBJS+=scsi-disk.o cdrom.o
|
|
OBJS+=scsi-generic.o
|
|
OBJS+=usb.o usb-hub.o usb-$(HOST_USB).o usb-hid.o usb-msd.o usb-wacom.o
|
|
OBJS+=usb-serial.o usb-net.o
|
|
OBJS+=sd.o ssi-sd.o
|
|
OBJS+=bt.o bt-host.o bt-vhci.o bt-l2cap.o bt-sdp.o bt-hci.o bt-hid.o usb-bt.o
|
|
OBJS+=buffered_file.o migration.o migration-tcp.o net.o qemu-sockets.o
|
|
OBJS+=qemu-char.o aio.o net-checksum.o savevm.o cache-utils.o
|
|
|
|
ifdef CONFIG_BRLAPI
|
|
OBJS+= baum.o
|
|
LIBS+=-lbrlapi
|
|
endif
|
|
|
|
ifdef CONFIG_WIN32
|
|
OBJS+=tap-win32.o
|
|
else
|
|
OBJS+=migration-exec.o
|
|
endif
|
|
|
|
AUDIO_OBJS = audio.o noaudio.o wavaudio.o mixeng.o
|
|
ifdef CONFIG_SDL
|
|
AUDIO_OBJS += sdlaudio.o
|
|
endif
|
|
ifdef CONFIG_OSS
|
|
AUDIO_OBJS += ossaudio.o
|
|
endif
|
|
ifdef CONFIG_COREAUDIO
|
|
AUDIO_OBJS += coreaudio.o
|
|
AUDIO_PT = yes
|
|
endif
|
|
ifdef CONFIG_ALSA
|
|
AUDIO_OBJS += alsaaudio.o
|
|
endif
|
|
ifdef CONFIG_DSOUND
|
|
AUDIO_OBJS += dsoundaudio.o
|
|
endif
|
|
ifdef CONFIG_FMOD
|
|
AUDIO_OBJS += fmodaudio.o
|
|
audio/audio.o audio/fmodaudio.o: CPPFLAGS := -I$(CONFIG_FMOD_INC) $(CPPFLAGS)
|
|
endif
|
|
ifdef CONFIG_ESD
|
|
AUDIO_PT = yes
|
|
AUDIO_PT_INT = yes
|
|
AUDIO_OBJS += esdaudio.o
|
|
endif
|
|
ifdef CONFIG_PA
|
|
AUDIO_PT = yes
|
|
AUDIO_PT_INT = yes
|
|
AUDIO_OBJS += paaudio.o
|
|
endif
|
|
ifdef AUDIO_PT
|
|
LDFLAGS += -pthread
|
|
endif
|
|
ifdef AUDIO_PT_INT
|
|
AUDIO_OBJS += audio_pt_int.o
|
|
endif
|
|
AUDIO_OBJS+= wavcapture.o
|
|
OBJS+=$(addprefix audio/, $(AUDIO_OBJS))
|
|
|
|
OBJS+=keymaps.o
|
|
ifdef CONFIG_SDL
|
|
OBJS+=sdl.o x_keymap.o
|
|
endif
|
|
ifdef CONFIG_CURSES
|
|
OBJS+=curses.o
|
|
endif
|
|
OBJS+=vnc.o acl.o d3des.o
|
|
ifdef CONFIG_VNC_TLS
|
|
OBJS+=vnc-tls.o vnc-auth-vencrypt.o
|
|
endif
|
|
ifdef CONFIG_VNC_SASL
|
|
OBJS+=vnc-auth-sasl.o
|
|
endif
|
|
|
|
ifdef CONFIG_COCOA
|
|
OBJS+=cocoa.o
|
|
endif
|
|
|
|
ifdef CONFIG_SLIRP
|
|
CPPFLAGS+=-I$(SRC_PATH)/slirp
|
|
SLIRP_OBJS=cksum.o if.o ip_icmp.o ip_input.o ip_output.o \
|
|
slirp.o mbuf.o misc.o sbuf.o socket.o tcp_input.o tcp_output.o \
|
|
tcp_subr.o tcp_timer.o udp.o bootp.o debug.o tftp.o
|
|
OBJS+=$(addprefix slirp/, $(SLIRP_OBJS))
|
|
endif
|
|
|
|
LIBS+=$(VDE_LIBS)
|
|
|
|
cocoa.o: cocoa.m
|
|
|
|
keymaps.o: keymaps.c keymaps.h
|
|
|
|
sdl.o: sdl.c keymaps.h sdl_keysym.h
|
|
|
|
sdl.o audio/sdlaudio.o: CFLAGS += $(SDL_CFLAGS)
|
|
|
|
acl.o: acl.h acl.c
|
|
|
|
vnc.h: vnc-tls.h vnc-auth-vencrypt.h vnc-auth-sasl.h keymaps.h
|
|
|
|
vnc.o: vnc.c vnc.h vnc_keysym.h vnchextile.h d3des.c d3des.h acl.h
|
|
|
|
vnc.o: CFLAGS += $(CONFIG_VNC_TLS_CFLAGS)
|
|
|
|
vnc-tls.o: vnc-tls.c vnc.h
|
|
|
|
vnc-auth-vencrypt.o: vnc-auth-vencrypt.c vnc.h
|
|
|
|
vnc-auth-sasl.o: vnc-auth-sasl.c vnc.h
|
|
|
|
curses.o: curses.c keymaps.h curses_keys.h
|
|
|
|
bt-host.o: CFLAGS += $(CONFIG_BLUEZ_CFLAGS)
|
|
|
|
libqemu_common.a: $(OBJS)
|
|
|
|
#######################################################################
|
|
# USER_OBJS is code used by qemu userspace emulation
|
|
USER_OBJS=cutils.o cache-utils.o
|
|
|
|
libqemu_user.a: $(USER_OBJS)
|
|
|
|
######################################################################
|
|
|
|
qemu-img$(EXESUF): qemu-img.o qemu-tool.o osdep.o $(BLOCK_OBJS)
|
|
|
|
qemu-nbd$(EXESUF): qemu-nbd.o qemu-tool.o osdep.o $(BLOCK_OBJS)
|
|
|
|
qemu-img$(EXESUF) qemu-nbd$(EXESUF): LIBS += -lz
|
|
|
|
clean:
|
|
# avoid old build problems by removing potentially incorrect old files
|
|
rm -f config.mak config.h op-i386.h opc-i386.h gen-op-i386.h op-arm.h opc-arm.h gen-op-arm.h
|
|
rm -f *.o *.d *.a $(TOOLS) TAGS cscope.* *.pod *~ */*~
|
|
rm -f slirp/*.o slirp/*.d audio/*.o audio/*.d
|
|
$(MAKE) -C tests clean
|
|
for d in $(TARGET_DIRS); do \
|
|
$(MAKE) -C $$d $@ || exit 1 ; \
|
|
done
|
|
|
|
distclean: clean
|
|
rm -f config-host.mak config-host.h $(DOCS)
|
|
rm -f qemu-{doc,tech}.{info,aux,cp,dvi,fn,info,ky,log,pg,toc,tp,vr}
|
|
for d in $(TARGET_DIRS); do \
|
|
rm -rf $$d || exit 1 ; \
|
|
done
|
|
|
|
KEYMAPS=da en-gb et fr fr-ch is lt modifiers no pt-br sv \
|
|
ar de en-us fi fr-be hr it lv nl pl ru th \
|
|
common de-ch es fo fr-ca hu ja mk nl-be pt sl tr
|
|
|
|
ifdef INSTALL_BLOBS
|
|
BLOBS=bios.bin vgabios.bin vgabios-cirrus.bin ppc_rom.bin \
|
|
video.x openbios-sparc32 openbios-sparc64 openbios-ppc \
|
|
pxe-ne2k_pci.bin pxe-rtl8139.bin pxe-pcnet.bin pxe-e1000.bin \
|
|
bamboo.dtb
|
|
else
|
|
BLOBS=
|
|
endif
|
|
|
|
install-doc: $(DOCS)
|
|
mkdir -p "$(DESTDIR)$(docdir)"
|
|
$(INSTALL) -m 644 qemu-doc.html qemu-tech.html "$(DESTDIR)$(docdir)"
|
|
ifndef CONFIG_WIN32
|
|
mkdir -p "$(DESTDIR)$(mandir)/man1"
|
|
$(INSTALL) -m 644 qemu.1 qemu-img.1 "$(DESTDIR)$(mandir)/man1"
|
|
mkdir -p "$(DESTDIR)$(mandir)/man8"
|
|
$(INSTALL) -m 644 qemu-nbd.8 "$(DESTDIR)$(mandir)/man8"
|
|
endif
|
|
|
|
install: all $(if $(BUILD_DOCS),install-doc)
|
|
mkdir -p "$(DESTDIR)$(bindir)"
|
|
ifneq ($(TOOLS),)
|
|
$(INSTALL) -m 755 -s $(TOOLS) "$(DESTDIR)$(bindir)"
|
|
endif
|
|
ifneq ($(BLOBS),)
|
|
mkdir -p "$(DESTDIR)$(datadir)"
|
|
set -e; for x in $(BLOBS); do \
|
|
$(INSTALL) -m 644 $(SRC_PATH)/pc-bios/$$x "$(DESTDIR)$(datadir)"; \
|
|
done
|
|
endif
|
|
ifndef CONFIG_WIN32
|
|
mkdir -p "$(DESTDIR)$(datadir)/keymaps"
|
|
set -e; for x in $(KEYMAPS); do \
|
|
$(INSTALL) -m 644 $(SRC_PATH)/keymaps/$$x "$(DESTDIR)$(datadir)/keymaps"; \
|
|
done
|
|
endif
|
|
for d in $(TARGET_DIRS); do \
|
|
$(MAKE) -C $$d $@ || exit 1 ; \
|
|
done
|
|
|
|
# various test targets
|
|
test speed: all
|
|
$(MAKE) -C tests $@
|
|
|
|
TAGS:
|
|
etags *.[ch] tests/*.[ch]
|
|
|
|
cscope:
|
|
rm -f ./cscope.*
|
|
find . -name "*.[ch]" -print | sed 's,^\./,,' > ./cscope.files
|
|
cscope -b
|
|
|
|
# documentation
|
|
%.html: %.texi
|
|
texi2html -monolithic -number $<
|
|
|
|
%.info: %.texi
|
|
makeinfo $< -o $@
|
|
|
|
%.dvi: %.texi
|
|
texi2dvi $<
|
|
|
|
qemu.1: qemu-doc.texi
|
|
$(SRC_PATH)/texi2pod.pl $< qemu.pod
|
|
pod2man --section=1 --center=" " --release=" " qemu.pod > $@
|
|
|
|
qemu-img.1: qemu-img.texi
|
|
$(SRC_PATH)/texi2pod.pl $< qemu-img.pod
|
|
pod2man --section=1 --center=" " --release=" " qemu-img.pod > $@
|
|
|
|
qemu-nbd.8: qemu-nbd.texi
|
|
$(SRC_PATH)/texi2pod.pl $< qemu-nbd.pod
|
|
pod2man --section=8 --center=" " --release=" " qemu-nbd.pod > $@
|
|
|
|
info: qemu-doc.info qemu-tech.info
|
|
|
|
dvi: qemu-doc.dvi qemu-tech.dvi
|
|
|
|
html: qemu-doc.html qemu-tech.html
|
|
|
|
qemu-doc.dvi qemu-doc.html qemu-doc.info: qemu-img.texi qemu-nbd.texi
|
|
|
|
VERSION ?= $(shell cat VERSION)
|
|
FILE = qemu-$(VERSION)
|
|
|
|
# tar release (use 'make -k tar' on a checkouted tree)
|
|
tar:
|
|
rm -rf /tmp/$(FILE)
|
|
cp -r . /tmp/$(FILE)
|
|
cd /tmp && tar zcvf ~/$(FILE).tar.gz $(FILE) --exclude CVS --exclude .git --exclude .svn
|
|
rm -rf /tmp/$(FILE)
|
|
|
|
# generate a binary distribution
|
|
tarbin:
|
|
cd / && tar zcvf ~/qemu-$(VERSION)-$(ARCH).tar.gz \
|
|
$(bindir)/qemu \
|
|
$(bindir)/qemu-system-x86_64 \
|
|
$(bindir)/qemu-system-arm \
|
|
$(bindir)/qemu-system-cris \
|
|
$(bindir)/qemu-system-m68k \
|
|
$(bindir)/qemu-system-mips \
|
|
$(bindir)/qemu-system-mipsel \
|
|
$(bindir)/qemu-system-mips64 \
|
|
$(bindir)/qemu-system-mips64el \
|
|
$(bindir)/qemu-system-ppc \
|
|
$(bindir)/qemu-system-ppcemb \
|
|
$(bindir)/qemu-system-ppc64 \
|
|
$(bindir)/qemu-system-sh4 \
|
|
$(bindir)/qemu-system-sh4eb \
|
|
$(bindir)/qemu-system-sparc \
|
|
$(bindir)/qemu-i386 \
|
|
$(bindir)/qemu-x86_64 \
|
|
$(bindir)/qemu-alpha \
|
|
$(bindir)/qemu-arm \
|
|
$(bindir)/qemu-armeb \
|
|
$(bindir)/qemu-cris \
|
|
$(bindir)/qemu-m68k \
|
|
$(bindir)/qemu-mips \
|
|
$(bindir)/qemu-mipsel \
|
|
$(bindir)/qemu-ppc \
|
|
$(bindir)/qemu-ppc64 \
|
|
$(bindir)/qemu-ppc64abi32 \
|
|
$(bindir)/qemu-sh4 \
|
|
$(bindir)/qemu-sh4eb \
|
|
$(bindir)/qemu-sparc \
|
|
$(bindir)/qemu-sparc64 \
|
|
$(bindir)/qemu-sparc32plus \
|
|
$(bindir)/qemu-img \
|
|
$(bindir)/qemu-nbd \
|
|
$(datadir)/bios.bin \
|
|
$(datadir)/vgabios.bin \
|
|
$(datadir)/vgabios-cirrus.bin \
|
|
$(datadir)/ppc_rom.bin \
|
|
$(datadir)/video.x \
|
|
$(datadir)/openbios-sparc32 \
|
|
$(datadir)/openbios-sparc64 \
|
|
$(datadir)/openbios-ppc \
|
|
$(datadir)/pxe-ne2k_pci.bin \
|
|
$(datadir)/pxe-rtl8139.bin \
|
|
$(datadir)/pxe-pcnet.bin \
|
|
$(datadir)/pxe-e1000.bin \
|
|
$(docdir)/qemu-doc.html \
|
|
$(docdir)/qemu-tech.html \
|
|
$(mandir)/man1/qemu.1 \
|
|
$(mandir)/man1/qemu-img.1 \
|
|
$(mandir)/man8/qemu-nbd.8
|
|
|
|
# Include automatically generated dependency files
|
|
-include $(wildcard *.d audio/*.d slirp/*.d)
|