qemu/configure

2449 lines
61 KiB
Plaintext
Raw Normal View History

#!/bin/sh
#
# qemu configure script (c) 2003 Fabrice Bellard
#
# set temporary file name
if test ! -z "$TMPDIR" ; then
TMPDIR1="${TMPDIR}"
elif test ! -z "$TEMPDIR" ; then
TMPDIR1="${TEMPDIR}"
else
TMPDIR1="/tmp"
fi
TMPC="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.c"
TMPO="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}.o"
TMPE="${TMPDIR1}/qemu-conf-${RANDOM}-$$-${RANDOM}"
trap "rm -f $TMPC $TMPO $TMPE ; exit" 0 2 3 15
compile_object() {
$cc $QEMU_CFLAGS -c -o $TMPO $TMPC > /dev/null 2> /dev/null
}
compile_prog() {
local_cflags="$1"
local_ldflags="$2"
$cc $QEMU_CFLAGS $local_cflags -o $TMPE $TMPC $LDFLAGS $local_ldflags > /dev/null 2> /dev/null
}
# default parameters
cpu=""
prefix=""
interp_prefix="/usr/gnemul/qemu-%M"
static="no"
sparc_cpu=""
cross_prefix=""
cc="gcc"
audio_drv_list=""
audio_card_list="ac97 es1370 sb16"
audio_possible_cards="ac97 es1370 sb16 cs4231a adlib gus"
host_cc="gcc"
ar="ar"
make="make"
install="install"
objcopy="objcopy"
ld="ld"
helper_cflags=""
libs_softmmu=""
libs_tools=""
audio_pt_int=""
# parse CC options first
for opt do
optarg=`expr "x$opt" : 'x[^=]*=\(.*\)'`
case "$opt" in
--cross-prefix=*) cross_prefix="$optarg"
;;
--cc=*) cc="$optarg"
;;
--cpu=*) cpu="$optarg"
;;
--extra-cflags=*) QEMU_CFLAGS="$optarg $QEMU_CFLAGS"
;;
--extra-ldflags=*) LDFLAGS="$optarg $LDFLAGS"
;;
--sparc_cpu=*)
sparc_cpu="$optarg"
case $sparc_cpu in
v7|v8|v8plus|v8plusa)
cpu="sparc"
;;
v9)
cpu="sparc64"
;;
*)
echo "undefined SPARC architecture. Exiting";
exit 1
;;
esac
;;
esac
done
# OS specific
# Using uname is really, really broken. Once we have the right set of checks
# we can eliminate it's usage altogether
cc="${cross_prefix}${cc}"
ar="${cross_prefix}${ar}"
objcopy="${cross_prefix}${objcopy}"
ld="${cross_prefix}${ld}"
# check that the C compiler works.
cat > $TMPC <<EOF
int main(void) {}
EOF
if compile_object ; then
: C compiler works ok
else
echo "ERROR: \"$cc\" either does not exist or does not work"
exit 1
fi
check_define() {
cat > $TMPC <<EOF
#if !defined($1)
#error Not defined
#endif
int main(void) { return 0; }
EOF
compile_object
}
if test ! -z "$cpu" ; then
# command line argument
:
elif check_define __i386__ ; then
cpu="i386"
elif check_define __x86_64__ ; then
cpu="x86_64"
elif check_define __sparc__ ; then
# We can't check for 64 bit (when gcc is biarch) or V8PLUSA
# They must be specified using --sparc_cpu
if check_define __arch64__ ; then
cpu="sparc64"
else
cpu="sparc"
fi
elif check_define _ARCH_PPC ; then
if check_define _ARCH_PPC64 ; then
cpu="ppc64"
else
cpu="ppc"
fi
else
cpu=`uname -m`
fi
target_list=""
case "$cpu" in
alpha|cris|ia64|m68k|microblaze|mips|mips64|ppc|ppc64|sparc64)
cpu="$cpu"
;;
i386|i486|i586|i686|i86pc|BePC)
cpu="i386"
;;
x86_64|amd64)
cpu="x86_64"
;;
armv*b)
cpu="armv4b"
;;
armv*l)
cpu="armv4l"
;;
parisc|parisc64)
cpu="hppa"
;;
s390*)
cpu="s390"
;;
sparc|sun4[cdmuv])
cpu="sparc"
;;
*)
cpu="unknown"
;;
esac
# Default value for a variable defining feature "foo"
# * foo="no", feature will only be used if --enable-foo arg is given
# * foo="", feature will be searched for, and if found, will be used
# * foo="yes", this value vill only be set by --enable-foo flag.
# feature will searched for, if not found, configure exits with error
#
# Always add --enable-foo and --disable-foo command line args. Distributions want
# to ensure that several features are compiled in, and it is impossible without a
# --enable-foo that exits if feature is not found
bluez=""
brlapi=""
curl=""
curses=""
docs=""
fdt=""
kvm=""
nptl=""
sdl=""
sparse="no"
vde=""
vnc_tls=""
vnc_sasl=""
xen=""
linux_aio=""
gprof="no"
debug_tcg="no"
debug="no"
strip_opt="yes"
bigendian="no"
mingw32="no"
EXESUF=""
slirp="yes"
fmod_lib=""
fmod_inc=""
oss_lib=""
bsd="no"
linux="no"
solaris="no"
profiler="no"
cocoa="no"
softmmu="yes"
linux_user="no"
darwin_user="no"
bsd_user="no"
guest_base=""
uname_release=""
io_thread="no"
mixemu="no"
kerneldir=""
aix="no"
blobs="yes"
pkgversion=""
check_utests="no"
# OS specific
if check_define __linux__ ; then
targetos="Linux"
elif check_define _WIN32 ; then
targetos='MINGW32'
elif check_define __OpenBSD__ ; then
targetos='OpenBSD'
elif check_define __sun__ ; then
targetos='SunOS'
else
targetos=`uname -s`
fi
case $targetos in
CYGWIN*)
mingw32="yes"
QEMU_CFLAGS="-mno-cygwin $QEMU_CFLAGS"
audio_possible_drivers="sdl"
;;
MINGW32*)
mingw32="yes"
audio_possible_drivers="dsound sdl fmod"
;;
GNU/kFreeBSD)
audio_drv_list="oss"
audio_possible_drivers="oss sdl esd pa"
;;
FreeBSD)
bsd="yes"
audio_drv_list="oss"
audio_possible_drivers="oss sdl esd pa"
;;
DragonFly)
bsd="yes"
audio_drv_list="oss"
audio_possible_drivers="oss sdl esd pa"
;;
NetBSD)
bsd="yes"
audio_drv_list="oss"
audio_possible_drivers="oss sdl esd"
oss_lib="-lossaudio"
;;
OpenBSD)
bsd="yes"
audio_drv_list="oss"
audio_possible_drivers="oss sdl esd"
oss_lib="-lossaudio"
;;
Darwin)
bsd="yes"
darwin="yes"
# on Leopard most of the system is 32-bit, so we have to ask the kernel it if we can
# run 64-bit userspace code
if [ "$cpu" = "i386" ] ; then
is_x86_64=`sysctl -n hw.optional.x86_64`
[ "$is_x86_64" = "1" ] && cpu=x86_64
fi
if [ "$cpu" = "x86_64" ] ; then
QEMU_CFLAGS="-arch x86_64 $QEMU_CFLAGS"
LDFLAGS="-arch x86_64 $LDFLAGS"
else
QEMU_CFLAGS="-mdynamic-no-pic $QEMU_CFLAGS"
fi
darwin_user="yes"
cocoa="yes"
audio_drv_list="coreaudio"
audio_possible_drivers="coreaudio sdl fmod"
LDFLAGS="-framework CoreFoundation -framework IOKit $LDFLAGS"
libs_softmmu="-F/System/Library/Frameworks -framework Cocoa -framework IOKit $libs_softmmu"
;;
SunOS)
solaris="yes"
make="gmake"
install="ginstall"
needs_libsunmath="no"
solarisrev=`uname -r | cut -f2 -d.`
# have to select again, because `uname -m` returns i86pc
# even on an x86_64 box.
solariscpu=`isainfo -k`
if test "${solariscpu}" = "amd64" ; then
cpu="x86_64"
fi
if [ "$cpu" = "i386" -o "$cpu" = "x86_64" ] ; then
if test "$solarisrev" -le 9 ; then
if test -f /opt/SUNWspro/prod/lib/libsunmath.so.1; then
needs_libsunmath="yes"
QEMU_CFLAGS="-I/opt/SUNWspro/prod/include/cc $QEMU_CFLAGS"
LDFLAGS="-L/opt/SUNWspro/prod/lib -R/opt/SUNWspro/prod/lib $LDFLAGS"
LIBS="-lsunmath $LIBS"
else
echo "QEMU will not link correctly on Solaris 8/X86 or 9/x86 without"
echo "libsunmath from the Sun Studio compilers tools, due to a lack of"
echo "C99 math features in libm.so in Solaris 8/x86 and Solaris 9/x86"
echo "Studio 11 can be downloaded from www.sun.com."
exit 1
fi
fi
fi
if test -f /usr/include/sys/soundcard.h ; then
audio_drv_list="oss"
fi
audio_possible_drivers="oss sdl"
QEMU_CFLAGS="-std=gnu99 $QEMU_CFLAGS"
LIBS="-lsocket -lnsl -lresolv $LIBS"
;;
AIX)
aix="yes"
make="gmake"
;;
*)
audio_drv_list="oss"
audio_possible_drivers="oss alsa sdl esd pa"
linux="yes"
linux_user="yes"
usb="linux"
if [ "$cpu" = "i386" -o "$cpu" = "x86_64" ] ; then
audio_possible_drivers="$audio_possible_drivers fmod"
fi
;;
esac
if [ "$bsd" = "yes" ] ; then
if [ "$darwin" != "yes" ] ; then
make="gmake"
usb="bsd"
fi
bsd_user="yes"
fi
if test "$mingw32" = "yes" ; then
EXESUF=".exe"
QEMU_CFLAGS="-DWIN32_LEAN_AND_MEAN -DWINVER=0x501 $QEMU_CFLAGS"
LIBS="-lwinmm -lws2_32 -liphlpapi $LIBS"
fi
# find source path
source_path=`dirname "$0"`
source_path_used="no"
workdir=`pwd`
if [ -z "$source_path" ]; then
source_path=$workdir
else
source_path=`cd "$source_path"; pwd`
fi
[ -f "$workdir/vl.c" ] || source_path_used="yes"
werror=""
for opt do
optarg=`expr "x$opt" : 'x[^=]*=\(.*\)'`
case "$opt" in
--help|-h) show_help=yes
;;
--prefix=*) prefix="$optarg"
;;
--interp-prefix=*) interp_prefix="$optarg"
;;
--source-path=*) source_path="$optarg"
source_path_used="yes"
;;
--cross-prefix=*)
;;
--cc=*)
;;
--host-cc=*) host_cc="$optarg"
;;
--make=*) make="$optarg"
;;
--install=*) install="$optarg"
;;
--extra-cflags=*)
;;
--extra-ldflags=*)
;;
--cpu=*)
;;
--target-list=*) target_list="$optarg"
;;
--enable-gprof) gprof="yes"
;;
--static) static="yes"
;;
--disable-sdl) sdl="no"
;;
--enable-sdl) sdl="yes"
;;
--fmod-lib=*) fmod_lib="$optarg"
;;
--fmod-inc=*) fmod_inc="$optarg"
;;
--oss-lib=*) oss_lib="$optarg"
;;
--audio-card-list=*) audio_card_list=`echo "$optarg" | sed -e 's/,/ /g'`
;;
--audio-drv-list=*) audio_drv_list="$optarg"
;;
--enable-debug-tcg) debug_tcg="yes"
;;
--disable-debug-tcg) debug_tcg="no"
;;
--enable-debug)
# Enable debugging options that aren't excessively noisy
debug_tcg="yes"
debug="yes"
strip_opt="no"
;;
--enable-sparse) sparse="yes"
;;
--disable-sparse) sparse="no"
;;
--disable-strip) strip_opt="no"
;;
--disable-vnc-tls) vnc_tls="no"
;;
--enable-vnc-tls) vnc_tls="yes"
;;
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
--disable-vnc-sasl) vnc_sasl="no"
;;
--enable-vnc-sasl) vnc_sasl="yes"
;;
--disable-slirp) slirp="no"
;;
--disable-vde) vde="no"
;;
--enable-vde) vde="yes"
;;
--disable-xen) xen="no"
;;
--enable-xen) xen="yes"
;;
--disable-brlapi) brlapi="no"
;;
--enable-brlapi) brlapi="yes"
;;
--disable-bluez) bluez="no"
;;
--enable-bluez) bluez="yes"
;;
--disable-kvm) kvm="no"
;;
--enable-kvm) kvm="yes"
;;
--enable-profiler) profiler="yes"
;;
--enable-cocoa)
cocoa="yes" ;
sdl="no" ;
audio_drv_list="coreaudio `echo $audio_drv_list | sed s,coreaudio,,g`"
;;
--disable-system) softmmu="no"
;;
--enable-system) softmmu="yes"
;;
--disable-user)
linux_user="no" ;
bsd_user="no" ;
darwin_user="no"
;;
--enable-user) ;;
--disable-linux-user) linux_user="no"
;;
--enable-linux-user) linux_user="yes"
;;
--disable-darwin-user) darwin_user="no"
;;
--enable-darwin-user) darwin_user="yes"
;;
--disable-bsd-user) bsd_user="no"
;;
--enable-bsd-user) bsd_user="yes"
;;
--enable-guest-base) guest_base="yes"
;;
--disable-guest-base) guest_base="no"
;;
--enable-uname-release=*) uname_release="$optarg"
;;
--sparc_cpu=*)
;;
--enable-werror) werror="yes"
;;
--disable-werror) werror="no"
;;
--disable-curses) curses="no"
;;
--enable-curses) curses="yes"
;;
--disable-curl) curl="no"
;;
--enable-curl) curl="yes"
;;
--disable-fdt) fdt="no"
;;
--enable-fdt) fdt="yes"
;;
--disable-check-utests) check_utests="no"
;;
--enable-check-utests) check_utests="yes"
;;
--disable-nptl) nptl="no"
;;
--enable-nptl) nptl="yes"
;;
--enable-mixemu) mixemu="yes"
;;
--disable-linux-aio) linux_aio="no"
;;
--enable-linux-aio) linux_aio="yes"
;;
--enable-io-thread) io_thread="yes"
;;
--disable-blobs) blobs="no"
;;
--kerneldir=*) kerneldir="$optarg"
;;
--with-pkgversion=*) pkgversion=" ($optarg)"
;;
--disable-docs) docs="no"
;;
--enable-docs) docs="yes"
;;
*) echo "ERROR: unknown option $opt"; show_help="yes"
;;
esac
done
#
# If cpu ~= sparc and sparc_cpu hasn't been defined, plug in the right
# QEMU_CFLAGS/LDFLAGS (assume sparc_v8plus for 32-bit and sparc_v9 for 64-bit)
#
host_guest_base="no"
case "$cpu" in
sparc) case $sparc_cpu in
v7|v8)
QEMU_CFLAGS="-mcpu=${sparc_cpu} -D__sparc_${sparc_cpu}__ $QEMU_CFLAGS"
;;
v8plus|v8plusa)
QEMU_CFLAGS="-mcpu=ultrasparc -D__sparc_${sparc_cpu}__ $QEMU_CFLAGS"
;;
*) # sparc_cpu not defined in the command line
QEMU_CFLAGS="-mcpu=ultrasparc -D__sparc_v8plus__ $QEMU_CFLAGS"
esac
LDFLAGS="-m32 $LDFLAGS"
QEMU_CFLAGS="-m32 -ffixed-g2 -ffixed-g3 $QEMU_CFLAGS"
if test "$solaris" = "no" ; then
QEMU_CFLAGS="-ffixed-g1 -ffixed-g6 $QEMU_CFLAGS"
helper_cflags="-ffixed-i0"
fi
;;
sparc64)
QEMU_CFLAGS="-m64 -mcpu=ultrasparc -D__sparc_v9__ $QEMU_CFLAGS"
LDFLAGS="-m64 $LDFLAGS"
QEMU_CFLAGS="-ffixed-g5 -ffixed-g6 -ffixed-g7 $QEMU_CFLAGS"
if test "$solaris" != "no" ; then
QEMU_CFLAGS="-ffixed-g1 $QEMU_CFLAGS"
fi
;;
s390)
QEMU_CFLAGS="-march=z900 $QEMU_CFLAGS"
;;
i386)
QEMU_CFLAGS="-m32 $QEMU_CFLAGS"
LDFLAGS="-m32 $LDFLAGS"
helper_cflags="-fomit-frame-pointer"
host_guest_base="yes"
;;
x86_64)
QEMU_CFLAGS="-m64 $QEMU_CFLAGS"
LDFLAGS="-m64 $LDFLAGS"
host_guest_base="yes"
;;
arm*)
host_guest_base="yes"
;;
ppc*)
host_guest_base="yes"
;;
esac
[ -z "$guest_base" ] && guest_base="$host_guest_base"
if test x"$show_help" = x"yes" ; then
cat << EOF
Usage: configure [options]
Options: [defaults in brackets after descriptions]
EOF
echo "Standard options:"
echo " --help print this message"
echo " --prefix=PREFIX install in PREFIX [$prefix]"
echo " --interp-prefix=PREFIX where to find shared libraries, etc."
echo " use %M for cpu name [$interp_prefix]"
echo " --target-list=LIST set target list [$target_list]"
echo ""
echo "Advanced options (experts only):"
echo " --source-path=PATH path of source code [$source_path]"
echo " --cross-prefix=PREFIX use PREFIX for compile tools [$cross_prefix]"
echo " --cc=CC use C compiler CC [$cc]"
echo " --host-cc=CC use C compiler CC [$host_cc] for dyngen etc."
echo " --extra-cflags=CFLAGS append extra C compiler flags QEMU_CFLAGS"
echo " --extra-ldflags=LDFLAGS append extra linker flags LDFLAGS"
echo " --make=MAKE use specified make [$make]"
echo " --install=INSTALL use specified install [$install]"
echo " --static enable static build [$static]"
echo " --enable-debug-tcg enable TCG debugging"
echo " --disable-debug-tcg disable TCG debugging (default)"
echo " --enable-debug enable common debug build options"
echo " --enable-sparse enable sparse checker"
echo " --disable-sparse disable sparse checker (default)"
echo " --disable-strip disable stripping binaries"
echo " --disable-werror disable compilation abort on warning"
echo " --disable-sdl disable SDL"
echo " --enable-sdl enable SDL"
echo " --enable-cocoa enable COCOA (Mac OS X only)"
echo " --audio-drv-list=LIST set audio drivers list:"
echo " Available drivers: $audio_possible_drivers"
echo " --audio-card-list=LIST set list of emulated audio cards [$audio_card_list]"
echo " Available cards: $audio_possible_cards"
echo " --enable-mixemu enable mixer emulation"
echo " --disable-xen disable xen backend driver support"
echo " --enable-xen enable xen backend driver support"
echo " --disable-brlapi disable BrlAPI"
echo " --enable-brlapi enable BrlAPI"
echo " --disable-vnc-tls disable TLS encryption for VNC server"
echo " --enable-vnc-tls enable TLS encryption for VNC server"
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
echo " --disable-vnc-sasl disable SASL encryption for VNC server"
echo " --enable-vnc-sasl enable SASL encryption for VNC server"
echo " --disable-curses disable curses output"
echo " --enable-curses enable curses output"
echo " --disable-curl disable curl connectivity"
echo " --enable-curl enable curl connectivity"
echo " --disable-fdt disable fdt device tree"
echo " --enable-fdt enable fdt device tree"
echo " --disable-check-utests disable check unit-tests"
echo " --enable-check-utests enable check unit-tests"
echo " --disable-bluez disable bluez stack connectivity"
echo " --enable-bluez enable bluez stack connectivity"
echo " --disable-kvm disable KVM acceleration support"
echo " --enable-kvm enable KVM acceleration support"
echo " --disable-nptl disable usermode NPTL support"
echo " --enable-nptl disable usermode NPTL support"
echo " --enable-system enable all system emulation targets"
echo " --disable-system disable all system emulation targets"
echo " --enable-user enable supported user emulation targets"
echo " --disable-user disable all user emulation targets"
echo " --enable-linux-user enable all linux usermode emulation targets"
echo " --disable-linux-user disable all linux usermode emulation targets"
echo " --enable-darwin-user enable all darwin usermode emulation targets"
echo " --disable-darwin-user disable all darwin usermode emulation targets"
echo " --enable-bsd-user enable all BSD usermode emulation targets"
echo " --disable-bsd-user disable all BSD usermode emulation targets"
echo " --enable-guest-base enable GUEST_BASE support for usermode"
echo " emulation targets"
echo " --disable-guest-base disable GUEST_BASE support"
echo " --fmod-lib path to FMOD library"
echo " --fmod-inc path to FMOD includes"
echo " --oss-lib path to OSS library"
echo " --enable-uname-release=R Return R for uname -r in usermode emulation"
echo " --sparc_cpu=V Build qemu for Sparc architecture v7, v8, v8plus, v8plusa, v9"
echo " --disable-vde disable support for vde network"
echo " --enable-vde enable support for vde network"
echo " --disable-linux-aio disable Linux AIO support"
echo " --enable-linux-aio enable Linux AIO support"
echo " --enable-io-thread enable IO thread"
echo " --disable-blobs disable installing provided firmware blobs"
echo " --kerneldir=PATH look for kernel includes in PATH"
echo ""
echo "NOTE: The object files are built at the place where configure is launched"
exit 1
fi
#
# Solaris specific configure tool chain decisions
#
if test "$solaris" = "yes" ; then
solinst=`which $install 2> /dev/null | /usr/bin/grep -v "no $install in"`
if test -z "$solinst" ; then
echo "Solaris install program not found. Use --install=/usr/ucb/install or"
echo "install fileutils from www.blastwave.org using pkg-get -i fileutils"
echo "to get ginstall which is used by default (which lives in /opt/csw/bin)"
exit 1
fi
if test "$solinst" = "/usr/sbin/install" ; then
echo "Error: Solaris /usr/sbin/install is not an appropriate install program."
echo "try ginstall from the GNU fileutils available from www.blastwave.org"
echo "using pkg-get -i fileutils, or use --install=/usr/ucb/install"
exit 1
fi
sol_ar=`which ar 2> /dev/null | /usr/bin/grep -v "no ar in"`
if test -z "$sol_ar" ; then
echo "Error: No path includes ar"
if test -f /usr/ccs/bin/ar ; then
echo "Add /usr/ccs/bin to your path and rerun configure"
fi
exit 1
fi
fi
if test -z "$target_list" ; then
# these targets are portable
if [ "$softmmu" = "yes" ] ; then
target_list="\
i386-softmmu \
x86_64-softmmu \
arm-softmmu \
cris-softmmu \
m68k-softmmu \
microblaze-softmmu \
mips-softmmu \
mipsel-softmmu \
mips64-softmmu \
mips64el-softmmu \
ppc-softmmu \
ppcemb-softmmu \
ppc64-softmmu \
sh4-softmmu \
sh4eb-softmmu \
sparc-softmmu \
sparc64-softmmu \
"
fi
# the following are Linux specific
if [ "$linux_user" = "yes" ] ; then
target_list="${target_list}\
i386-linux-user \
x86_64-linux-user \
alpha-linux-user \
arm-linux-user \
armeb-linux-user \
cris-linux-user \
m68k-linux-user \
microblaze-linux-user \
mips-linux-user \
mipsel-linux-user \
ppc-linux-user \
ppc64-linux-user \
ppc64abi32-linux-user \
sh4-linux-user \
sh4eb-linux-user \
sparc-linux-user \
sparc64-linux-user \
sparc32plus-linux-user \
"
fi
# the following are Darwin specific
if [ "$darwin_user" = "yes" ] ; then
target_list="$target_list i386-darwin-user ppc-darwin-user "
fi
# the following are BSD specific
if [ "$bsd_user" = "yes" ] ; then
target_list="${target_list}\
i386-bsd-user \
x86_64-bsd-user \
sparc-bsd-user \
sparc64-bsd-user \
"
fi
else
target_list=`echo "$target_list" | sed -e 's/,/ /g'`
fi
if test -z "$target_list" ; then
echo "No targets enabled"
exit 1
fi
feature_not_found() {
feature=$1
echo "ERROR"
echo "ERROR: User requested feature $feature"
echo "ERROR: configure was not able to found it"
echo "ERROR"
exit 1;
}
if test -z "$cross_prefix" ; then
# ---
# big/little endian test
cat > $TMPC << EOF
#include <inttypes.h>
int main(int argc, char ** argv){
volatile uint32_t i=0x01234567;
return (*((uint8_t*)(&i))) == 0x67;
}
EOF
if compile_prog "" "" ; then
$TMPE && bigendian="yes"
else
echo big/little test failed
fi
else
# if cross compiling, cannot launch a program, so make a static guess
case "$cpu" in
armv4b|hppa|m68k|mips|mips64|ppc|ppc64|s390|sparc|sparc64)
bigendian=yes
;;
esac
fi
# host long bits test
hostlongbits="32"
case "$cpu" in
x86_64|alpha|ia64|sparc64|ppc64)
hostlongbits=64
;;
esac
##########################################
# NPTL probe
if test "$nptl" != "no" ; then
cat > $TMPC <<EOF
#include <sched.h>
#include <linux/futex.h>
void foo()
{
#if !defined(CLONE_SETTLS) || !defined(FUTEX_WAIT)
#error bork
#endif
}
EOF
if compile_object ; then
nptl=yes
else
if test "$nptl" = "yes" ; then
feature_not_found "nptl"
fi
nptl=no
fi
fi
##########################################
# zlib check
cat > $TMPC << EOF
#include <zlib.h>
int main(void) { zlibVersion(); return 0; }
EOF
if compile_prog "" "-lz" ; then
:
else
echo
echo "Error: zlib check failed"
echo "Make sure to have the zlib libs and headers installed."
echo
exit 1
fi
##########################################
# xen probe
if test "$xen" != "no" ; then
xen_libs="-lxenstore -lxenctrl -lxenguest"
cat > $TMPC <<EOF
#include <xenctrl.h>
#include <xs.h>
int main(void) { xs_daemon_open(); xc_interface_open(); return 0; }
EOF
if compile_prog "" "$xen_libs" ; then
xen=yes
libs_softmmu="$xen_libs $libs_softmmu"
else
if test "$xen" = "yes" ; then
feature_not_found "xen"
fi
xen=no
fi
fi
##########################################
# Sparse probe
if test "$sparse" != "no" ; then
if test -x "$(which cgcc 2>/dev/null)"; then
sparse=yes
else
if test "$sparse" = "yes" ; then
feature_not_found "sparse"
fi
sparse=no
fi
fi
##########################################
# SDL probe
sdl_too_old=no
if test "$sdl" != "no" ; then
cat > $TMPC << EOF
#include <SDL.h>
#undef main /* We don't want SDL to override our main() */
int main( void ) { return SDL_Init (SDL_INIT_VIDEO); }
EOF
sdl_cflags=`sdl-config --cflags 2> /dev/null`
sdl_libs=`sdl-config --libs 2> /dev/null`
if compile_prog "$sdl_cflags" "$sdl_libs" ; then
_sdlversion=`sdl-config --version | sed 's/[^0-9]//g'`
if test "$_sdlversion" -lt 121 ; then
sdl_too_old=yes
else
if test "$cocoa" = "no" ; then
sdl=yes
fi
fi
# static link with sdl ?
if test "$sdl" = "yes" -a "$static" = "yes" ; then
sdl_libs=`sdl-config --static-libs 2>/dev/null`
if test `sdl-config --static-libs 2>/dev/null | grep \\\-laa > /dev/null` ; then
sdl_libs="$sdl_libs `aalib-config --static-libs >2 /dev/null`"
sdl_cflags="$sd_cflags `aalib-config --cflags >2 /dev/null`"
fi
if compile_prog "$sdl_cflags" "$sdl_libs" ; then
:
else
sdl=no
fi
fi # static link
else # sdl not found
if test "$sdl" = "yes" ; then
feature_not_found "sdl"
fi
sdl=no
fi # sdl compile test
fi
if test "$sdl" = "yes" ; then
cat > $TMPC <<EOF
#include <SDL.h>
#if defined(SDL_VIDEO_DRIVER_X11)
#include <X11/XKBlib.h>
#else
#error No x11 support
#endif
int main(void) { return 0; }
EOF
if compile_prog "$sdl_cflags" "$sdl_libs" ; then
sdl_libs="$sdl_libs -lX11"
fi
if test "$mingw32" = "yes" ; then
sdl_libs="`echo $sdl_libs | sed s/-mwindows//g` -mconsole"
fi
libs_softmmu="$sdl_libs $libs_softmmu"
fi
##########################################
# VNC TLS detection
if test "$vnc_tls" != "no" ; then
cat > $TMPC <<EOF
#include <gnutls/gnutls.h>
int main(void) { gnutls_session_t s; gnutls_init(&s, GNUTLS_SERVER); return 0; }
EOF
vnc_tls_cflags=`pkg-config --cflags gnutls 2> /dev/null`
vnc_tls_libs=`pkg-config --libs gnutls 2> /dev/null`
if compile_prog "$vnc_tls_cflags" "$vnc_tls_libs" ; then
vnc_tls=yes
libs_softmmu="$vnc_tls_libs $libs_softmmu"
else
if test "$vnc_tls" = "yes" ; then
feature_not_found "vnc-tls"
fi
vnc_tls=no
fi
fi
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
##########################################
# VNC SASL detection
if test "$vnc_sasl" = "yes" ; then
cat > $TMPC <<EOF
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
#include <sasl/sasl.h>
#include <stdio.h>
int main(void) { sasl_server_init(NULL, "qemu"); return 0; }
EOF
# Assuming Cyrus-SASL installed in /usr prefix
vnc_sasl_cflags=""
vnc_sasl_libs="-lsasl2"
if compile_prog "$vnc_sasl_cflags" "$vnc_sasl_libs" ; then
vnc_sasl=yes
libs_softmmu="$vnc_sasl_libs $libs_softmmu"
else
if test "$vnc_sasl" = "yes" ; then
feature_not_found "vnc-sasl"
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
fi
vnc_sasl=no
fi
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
fi
Support ACLs for controlling VNC access ("Daniel P. Berrange") This patch introduces a generic internal API for access control lists to be used by network servers in QEMU. It adds support for checking these ACL in the VNC server, in two places. The first ACL is for the SASL authentication mechanism, checking the SASL username. This ACL is called 'vnc.username'. The second is for the TLS authentication mechanism, when x509 client certificates are turned on, checking against the Distinguished Name of the client. This ACL is called 'vnc.x509dname' The internal API provides for an ACL with the following characteristics - A unique name, eg vnc.username, and vnc.x509dname. - A default policy, allow or deny - An ordered series of match rules, with allow or deny policy If none of the match rules apply, then the default policy is used. There is a monitor API to manipulate the ACLs, which I'll describe via examples (qemu) acl show vnc.username policy: allow (qemu) acl policy vnc.username denya acl: policy set to 'deny' (qemu) acl allow vnc.username fred acl: added rule at position 1 (qemu) acl allow vnc.username bob acl: added rule at position 2 (qemu) acl allow vnc.username joe 1 acl: added rule at position 1 (qemu) acl show vnc.username policy: deny 0: allow fred 1: allow joe 2: allow bob (qemu) acl show vnc.x509dname policy: allow (qemu) acl policy vnc.x509dname deny acl: policy set to 'deny' (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=* acl: added rule at position 1 (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob acl: added rule at position 2 (qemu) acl show vnc.x509dname policy: deny 0: allow C=GB,O=ACME,L=London,CN=* 1: allow C=GB,O=ACME,L=Boston,CN=bob By default the VNC server will not use any ACLs, allowing access to the server if the user successfully authenticates. To enable use of ACLs to restrict user access, the ',acl' flag should be given when starting QEMU. The initial ACL activated will be a 'deny all' policy and should be customized using monitor commands. eg enable SASL auth and ACLs qemu .... -vnc localhost:1,sasl,acl The next patch will provide a way to load a pre-defined ACL when starting up Makefile | 6 + b/acl.c | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ b/acl.h | 74 ++++++++++++++++++++++ configure | 18 +++++ monitor.c | 95 ++++++++++++++++++++++++++++ qemu-doc.texi | 49 ++++++++++++++ vnc-auth-sasl.c | 16 +++- vnc-auth-sasl.h | 7 ++ vnc-tls.c | 19 +++++ vnc-tls.h | 3 vnc.c | 21 ++++++ vnc.h | 3 12 files changed, 491 insertions(+), 5 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6726 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:37 +08:00
##########################################
# fnmatch() probe, used for ACL routines
fnmatch="no"
cat > $TMPC << EOF
#include <fnmatch.h>
int main(void)
{
fnmatch("foo", "foo", 0);
return 0;
}
EOF
if compile_prog "" "" ; then
Support ACLs for controlling VNC access ("Daniel P. Berrange") This patch introduces a generic internal API for access control lists to be used by network servers in QEMU. It adds support for checking these ACL in the VNC server, in two places. The first ACL is for the SASL authentication mechanism, checking the SASL username. This ACL is called 'vnc.username'. The second is for the TLS authentication mechanism, when x509 client certificates are turned on, checking against the Distinguished Name of the client. This ACL is called 'vnc.x509dname' The internal API provides for an ACL with the following characteristics - A unique name, eg vnc.username, and vnc.x509dname. - A default policy, allow or deny - An ordered series of match rules, with allow or deny policy If none of the match rules apply, then the default policy is used. There is a monitor API to manipulate the ACLs, which I'll describe via examples (qemu) acl show vnc.username policy: allow (qemu) acl policy vnc.username denya acl: policy set to 'deny' (qemu) acl allow vnc.username fred acl: added rule at position 1 (qemu) acl allow vnc.username bob acl: added rule at position 2 (qemu) acl allow vnc.username joe 1 acl: added rule at position 1 (qemu) acl show vnc.username policy: deny 0: allow fred 1: allow joe 2: allow bob (qemu) acl show vnc.x509dname policy: allow (qemu) acl policy vnc.x509dname deny acl: policy set to 'deny' (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=* acl: added rule at position 1 (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob acl: added rule at position 2 (qemu) acl show vnc.x509dname policy: deny 0: allow C=GB,O=ACME,L=London,CN=* 1: allow C=GB,O=ACME,L=Boston,CN=bob By default the VNC server will not use any ACLs, allowing access to the server if the user successfully authenticates. To enable use of ACLs to restrict user access, the ',acl' flag should be given when starting QEMU. The initial ACL activated will be a 'deny all' policy and should be customized using monitor commands. eg enable SASL auth and ACLs qemu .... -vnc localhost:1,sasl,acl The next patch will provide a way to load a pre-defined ACL when starting up Makefile | 6 + b/acl.c | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ b/acl.h | 74 ++++++++++++++++++++++ configure | 18 +++++ monitor.c | 95 ++++++++++++++++++++++++++++ qemu-doc.texi | 49 ++++++++++++++ vnc-auth-sasl.c | 16 +++- vnc-auth-sasl.h | 7 ++ vnc-tls.c | 19 +++++ vnc-tls.h | 3 vnc.c | 21 ++++++ vnc.h | 3 12 files changed, 491 insertions(+), 5 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6726 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:37 +08:00
fnmatch="yes"
fi
##########################################
# vde libraries probe
if test "$vde" != "no" ; then
vde_libs="-lvdeplug"
cat > $TMPC << EOF
#include <libvdeplug.h>
int main(void)
{
struct vde_open_args a = {0, 0, 0};
vde_open("", "", &a);
return 0;
}
EOF
if compile_prog "" "$vde_libs" ; then
vde=yes
libs_softmmu="$vde_libs $libs_softmmu"
libs_tools="$vde_libs $libs_tools"
else
if test "$vde" = "yes" ; then
feature_not_found "vde"
fi
vde=no
fi
fi
##########################################
# Sound support libraries probe
audio_drv_probe()
{
drv=$1
hdr=$2
lib=$3
exp=$4
cfl=$5
cat > $TMPC << EOF
#include <$hdr>
int main(void) { $exp }
EOF
if compile_prog "$cfl" "$lib" ; then
:
else
echo
echo "Error: $drv check failed"
echo "Make sure to have the $drv libs and headers installed."
echo
exit 1
fi
}
audio_drv_list=`echo "$audio_drv_list" | sed -e 's/,/ /g'`
for drv in $audio_drv_list; do
case $drv in
alsa)
audio_drv_probe $drv alsa/asoundlib.h -lasound \
"snd_pcm_t **handle; return snd_pcm_close(*handle);"
libs_softmmu="-lasound $libs_softmmu"
;;
fmod)
if test -z $fmod_lib || test -z $fmod_inc; then
echo
echo "Error: You must specify path to FMOD library and headers"
echo "Example: --fmod-inc=/path/include/fmod --fmod-lib=/path/lib/libfmod-3.74.so"
echo
exit 1
fi
audio_drv_probe $drv fmod.h $fmod_lib "return FSOUND_GetVersion();" "-I $fmod_inc"
libs_softmmu="$fmod_lib $libs_softmmu"
;;
esd)
audio_drv_probe $drv esd.h -lesd 'return esd_play_stream(0, 0, "", 0);'
libs_softmmu="-lesd $libs_softmmu"
audio_pt_int="yes"
;;
pa)
audio_drv_probe $drv pulse/simple.h -lpulse-simple \
"pa_simple *s = NULL; pa_simple_free(s); return 0;"
libs_softmmu="-lpulse-simple $libs_softmmu"
audio_pt_int="yes"
;;
coreaudio)
libs_softmmu="-framework CoreAudio $libs_softmmu"
;;
dsound)
libs_softmmu="-lole32 -ldxguid $libs_softmmu"
;;
oss)
libs_softmmu="$oss_lib $libs_softmmu"
;;
sdl|wav)
# XXX: Probes for CoreAudio, DirectSound, SDL(?)
;;
*)
echo "$audio_possible_drivers" | grep -q "\<$drv\>" || {
echo
echo "Error: Unknown driver '$drv' selected"
echo "Possible drivers are: $audio_possible_drivers"
echo
exit 1
}
;;
esac
done
##########################################
# BrlAPI probe
if test "$brlapi" != "no" ; then
brlapi_libs="-lbrlapi"
cat > $TMPC << EOF
#include <brlapi.h>
int main( void ) { return brlapi__openConnection (NULL, NULL, NULL); }
EOF
if compile_prog "" "$brlapi_libs" ; then
brlapi=yes
libs_softmmu="$brlapi_libs $libs_softmmu"
else
if test "$brlapi" = "yes" ; then
feature_not_found "brlapi"
fi
brlapi=no
fi
fi
##########################################
# curses probe
curses_list="-lncurses -lcurses"
if test "$curses" != "no" ; then
curses_found=no
cat > $TMPC << EOF
#include <curses.h>
#ifdef __OpenBSD__
#define resize_term resizeterm
#endif
int main(void) { resize_term(0, 0); return curses_version(); }
EOF
for curses_lib in $curses_list; do
if compile_prog "" "$curses_lib" ; then
curses_found=yes
libs_softmmu="$curses_lib $libs_softmmu"
break
fi
done
if test "$curses_found" = "yes" ; then
curses=yes
else
if test "$curses" = "yes" ; then
feature_not_found "curses"
fi
curses=no
fi
fi
##########################################
# curl probe
if test "$curl" != "no" ; then
cat > $TMPC << EOF
#include <curl/curl.h>
int main(void) { return curl_easy_init(); }
EOF
curl_cflags=`curl-config --cflags 2>/dev/null`
curl_libs=`curl-config --libs 2>/dev/null`
if compile_prog "$curl_cflags" "$curl_libs" ; then
curl=yes
libs_tools="$curl_libs $libs_tools"
libs_softmmu="$curl_libs $libs_softmmu"
else
if test "$curl" = "yes" ; then
feature_not_found "curl"
fi
curl=no
fi
fi # test "$curl"
##########################################
# check framework probe
if test "$check_utests" != "no" ; then
cat > $TMPC << EOF
#include <check.h>
int main(void) { suite_create("qemu test"); return 0; }
EOF
check_libs=`pkg-config --libs check`
if compile_prog "" $check_libs ; then
check_utests=yes
libs_tools="$check_libs $libs_tools"
else
if test "$check_utests" = "yes" ; then
feature_not_found "check"
fi
check_utests=no
fi
fi # test "$check_utests"
##########################################
# bluez support probe
if test "$bluez" != "no" ; then
cat > $TMPC << EOF
#include <bluetooth/bluetooth.h>
int main(void) { return bt_error(0); }
EOF
bluez_cflags=`pkg-config --cflags bluez 2> /dev/null`
bluez_libs=`pkg-config --libs bluez 2> /dev/null`
if compile_prog "$bluez_cflags" "$bluez_libs" ; then
bluez=yes
libs_softmmu="$bluez_libs $libs_softmmu"
else
if test "$bluez" = "yes" ; then
feature_not_found "bluez"
fi
bluez="no"
fi
fi
##########################################
# kvm probe
if test "$kvm" != "no" ; then
cat > $TMPC <<EOF
#include <linux/kvm.h>
report issues causing the kvm probe to fail (Christian Ehrhardt) The patch applies to upstream qemu as well as kvm-userspace, but since it is the qemu configure script I think it should go to upstream qemu (Anthony) first and with the next merge to kvm-userspace. On the other hand it is the kvm probe so an ack from Avi in case v3 is ok would be reasonable. *updates* v2 - it also reports other errors than just #error preprocessor statements (requested by Avi) v3 - In case awk or grep is not installed it now gracfully (silently) fails still disabling kvm (requested by Anthony) This patch is about reporting more details of the issue if configuring kvm fails. Therefore this patch keeps the qemu style configure output which is a list of "$Feature $Status", but extend the "no" result like "KVM Support no" with some more information. There might be a lot of things going wrong with that probe and I don't want to handle all of them, but if it is one of the known checks e.g. for KVM_API_VERSION then we could grep/awk that out and report it. The patch reports in case of a known case in the style "KVM support no - (Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)" In case more than one #error is triggered it creates a comma separated list in those brackets and in case it is something else than an #error it just reports plain old "no". Signed-off-by: Christian Ehrhardt <ehrhardt@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6334 c046a42c-6fe2-441c-8c8c-71466251a162
2009-01-16 05:57:30 +08:00
#if !defined(KVM_API_VERSION) || KVM_API_VERSION < 12 || KVM_API_VERSION > 12
#error Invalid KVM version
#endif
report issues causing the kvm probe to fail (Christian Ehrhardt) The patch applies to upstream qemu as well as kvm-userspace, but since it is the qemu configure script I think it should go to upstream qemu (Anthony) first and with the next merge to kvm-userspace. On the other hand it is the kvm probe so an ack from Avi in case v3 is ok would be reasonable. *updates* v2 - it also reports other errors than just #error preprocessor statements (requested by Avi) v3 - In case awk or grep is not installed it now gracfully (silently) fails still disabling kvm (requested by Anthony) This patch is about reporting more details of the issue if configuring kvm fails. Therefore this patch keeps the qemu style configure output which is a list of "$Feature $Status", but extend the "no" result like "KVM Support no" with some more information. There might be a lot of things going wrong with that probe and I don't want to handle all of them, but if it is one of the known checks e.g. for KVM_API_VERSION then we could grep/awk that out and report it. The patch reports in case of a known case in the style "KVM support no - (Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)" In case more than one #error is triggered it creates a comma separated list in those brackets and in case it is something else than an #error it just reports plain old "no". Signed-off-by: Christian Ehrhardt <ehrhardt@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6334 c046a42c-6fe2-441c-8c8c-71466251a162
2009-01-16 05:57:30 +08:00
#if !defined(KVM_CAP_USER_MEMORY)
#error Missing KVM capability KVM_CAP_USER_MEMORY
#endif
#if !defined(KVM_CAP_SET_TSS_ADDR)
#error Missing KVM capability KVM_CAP_SET_TSS_ADDR
#endif
#if !defined(KVM_CAP_DESTROY_MEMORY_REGION_WORKS)
#error Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS
#endif
int main(void) { return 0; }
EOF
if test "$kerneldir" != "" ; then
kvm_cflags=-I"$kerneldir"/include
if test \( "$cpu" = "i386" -o "$cpu" = "x86_64" \) \
-a -d "$kerneldir/arch/x86/include" ; then
kvm_cflags="$kvm_cflags -I$kerneldir/arch/x86/include"
elif test "$cpu" = "ppc" -a -d "$kerneldir/arch/powerpc/include" ; then
kvm_cflags="$kvm_cflags -I$kerneldir/arch/powerpc/include"
elif test -d "$kerneldir/arch/$cpu/include" ; then
kvm_cflags="$kvm_cflags -I$kerneldir/arch/$cpu/include"
fi
else
kvm_cflags=""
fi
if compile_prog "$kvm_cflags" "" ; then
kvm=yes
else
if test "$kvm" = "yes" ; then
if [ -x "`which awk 2>/dev/null`" ] && \
[ -x "`which grep 2>/dev/null`" ]; then
kvmerr=`LANG=C $cc $QEMU_CFLAGS -o $TMPE $kvm_cflags $TMPC 2>&1 \
report issues causing the kvm probe to fail (Christian Ehrhardt) The patch applies to upstream qemu as well as kvm-userspace, but since it is the qemu configure script I think it should go to upstream qemu (Anthony) first and with the next merge to kvm-userspace. On the other hand it is the kvm probe so an ack from Avi in case v3 is ok would be reasonable. *updates* v2 - it also reports other errors than just #error preprocessor statements (requested by Avi) v3 - In case awk or grep is not installed it now gracfully (silently) fails still disabling kvm (requested by Anthony) This patch is about reporting more details of the issue if configuring kvm fails. Therefore this patch keeps the qemu style configure output which is a list of "$Feature $Status", but extend the "no" result like "KVM Support no" with some more information. There might be a lot of things going wrong with that probe and I don't want to handle all of them, but if it is one of the known checks e.g. for KVM_API_VERSION then we could grep/awk that out and report it. The patch reports in case of a known case in the style "KVM support no - (Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)" In case more than one #error is triggered it creates a comma separated list in those brackets and in case it is something else than an #error it just reports plain old "no". Signed-off-by: Christian Ehrhardt <ehrhardt@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6334 c046a42c-6fe2-441c-8c8c-71466251a162
2009-01-16 05:57:30 +08:00
| grep "error: " \
| awk -F "error: " '{if (NR>1) printf(", "); printf("%s",$2);}'`
if test "$kvmerr" != "" ; then
echo -e "${kvmerr}\n\
NOTE: To enable KVM support, update your kernel to 2.6.29+ or install \
recent kvm-kmod from http://sourceforge.net/projects/kvm."
fi
report issues causing the kvm probe to fail (Christian Ehrhardt) The patch applies to upstream qemu as well as kvm-userspace, but since it is the qemu configure script I think it should go to upstream qemu (Anthony) first and with the next merge to kvm-userspace. On the other hand it is the kvm probe so an ack from Avi in case v3 is ok would be reasonable. *updates* v2 - it also reports other errors than just #error preprocessor statements (requested by Avi) v3 - In case awk or grep is not installed it now gracfully (silently) fails still disabling kvm (requested by Anthony) This patch is about reporting more details of the issue if configuring kvm fails. Therefore this patch keeps the qemu style configure output which is a list of "$Feature $Status", but extend the "no" result like "KVM Support no" with some more information. There might be a lot of things going wrong with that probe and I don't want to handle all of them, but if it is one of the known checks e.g. for KVM_API_VERSION then we could grep/awk that out and report it. The patch reports in case of a known case in the style "KVM support no - (Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)" In case more than one #error is triggered it creates a comma separated list in those brackets and in case it is something else than an #error it just reports plain old "no". Signed-off-by: Christian Ehrhardt <ehrhardt@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6334 c046a42c-6fe2-441c-8c8c-71466251a162
2009-01-16 05:57:30 +08:00
fi
feature_not_found "kvm"
report issues causing the kvm probe to fail (Christian Ehrhardt) The patch applies to upstream qemu as well as kvm-userspace, but since it is the qemu configure script I think it should go to upstream qemu (Anthony) first and with the next merge to kvm-userspace. On the other hand it is the kvm probe so an ack from Avi in case v3 is ok would be reasonable. *updates* v2 - it also reports other errors than just #error preprocessor statements (requested by Avi) v3 - In case awk or grep is not installed it now gracfully (silently) fails still disabling kvm (requested by Anthony) This patch is about reporting more details of the issue if configuring kvm fails. Therefore this patch keeps the qemu style configure output which is a list of "$Feature $Status", but extend the "no" result like "KVM Support no" with some more information. There might be a lot of things going wrong with that probe and I don't want to handle all of them, but if it is one of the known checks e.g. for KVM_API_VERSION then we could grep/awk that out and report it. The patch reports in case of a known case in the style "KVM support no - (Missing KVM capability KVM_CAP_DESTROY_MEMORY_REGION_WORKS)" In case more than one #error is triggered it creates a comma separated list in those brackets and in case it is something else than an #error it just reports plain old "no". Signed-off-by: Christian Ehrhardt <ehrhardt@linux.vnet.ibm.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6334 c046a42c-6fe2-441c-8c8c-71466251a162
2009-01-16 05:57:30 +08:00
fi
kvm=no
fi
fi
##########################################
# pthread probe
PTHREADLIBS_LIST="-lpthread -lpthreadGC2"
pthread=no
cat > $TMPC << EOF
#include <pthread.h>
int main(void) { pthread_create(0,0,0,0); return 0; }
EOF
for pthread_lib in $PTHREADLIBS_LIST; do
if compile_prog "" "$pthread_lib" ; then
pthread=yes
LIBS="$pthread_lib $LIBS"
break
fi
done
if test "$mingw32" != yes -a "$pthread" = no; then
echo
echo "Error: pthread check failed"
echo "Make sure to have the pthread libs and headers installed."
echo
exit 1
fi
##########################################
# linux-aio probe
AIOLIBS=""
if test "$linux_aio" != "no" ; then
cat > $TMPC <<EOF
#include <libaio.h>
#include <sys/eventfd.h>
int main(void) { io_setup(0, NULL); io_set_eventfd(NULL, 0); eventfd(0, 0); return 0; }
EOF
if compile_prog "" "-laio" ; then
linux_aio=yes
LIBS="$LIBS -laio"
else
if test "$linux_aio" = "yes" ; then
feature_not_found "linux AIO"
fi
fi
fi
##########################################
# iovec probe
cat > $TMPC <<EOF
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
int main(void) { struct iovec iov; return 0; }
EOF
iovec=no
if compile_prog "" "" ; then
iovec=yes
fi
##########################################
# preadv probe
cat > $TMPC <<EOF
#include <sys/types.h>
#include <sys/uio.h>
#include <unistd.h>
int main(void) { preadv; }
EOF
preadv=no
if compile_prog "" "" ; then
preadv=yes
fi
##########################################
# fdt probe
if test "$fdt" != "no" ; then
fdt_libs="-lfdt"
cat > $TMPC << EOF
int main(void) { return 0; }
EOF
if compile_prog "" "$fdt_libs" ; then
fdt=yes
libs_softmmu="$fdt_libs $libs_softmmu"
else
if test "$fdt" = "yes" ; then
feature_not_found "fdt"
fi
fdt=no
fi
fi
#
# Check for xxxat() functions when we are building linux-user
# emulator. This is done because older glibc versions don't
# have syscall stubs for these implemented.
#
atfile=no
cat > $TMPC << EOF
#define _ATFILE_SOURCE
#include <sys/types.h>
#include <fcntl.h>
#include <unistd.h>
int
main(void)
{
/* try to unlink nonexisting file */
return (unlinkat(AT_FDCWD, "nonexistent_file", 0));
}
EOF
if compile_prog "" "" ; then
atfile=yes
fi
# Check for inotify functions when we are building linux-user
# emulator. This is done because older glibc versions don't
# have syscall stubs for these implemented. In that case we
# don't provide them even if kernel supports them.
#
inotify=no
cat > $TMPC << EOF
#include <sys/inotify.h>
int
main(void)
{
/* try to start inotify */
return inotify_init();
}
EOF
if compile_prog "" "" ; then
inotify=yes
fi
# check if utimensat and futimens are supported
utimens=no
cat > $TMPC << EOF
#define _ATFILE_SOURCE
#define _GNU_SOURCE
#include <stddef.h>
#include <fcntl.h>
int main(void)
{
utimensat(AT_FDCWD, "foo", NULL, 0);
futimens(0, NULL);
return 0;
}
EOF
if compile_prog "" "" ; then
utimens=yes
fi
# check if pipe2 is there
pipe2=no
cat > $TMPC << EOF
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
int main(void)
{
int pipefd[2];
pipe2(pipefd, O_CLOEXEC);
return 0;
}
EOF
if compile_prog "" "" ; then
pipe2=yes
fi
# check if tee/splice is there. vmsplice was added same time.
splice=no
cat > $TMPC << EOF
#define _GNU_SOURCE
#include <unistd.h>
#include <fcntl.h>
#include <limits.h>
int main(void)
{
int len, fd;
len = tee(STDIN_FILENO, STDOUT_FILENO, INT_MAX, SPLICE_F_NONBLOCK);
splice(STDIN_FILENO, NULL, fd, NULL, len, SPLICE_F_MOVE);
return 0;
}
EOF
if compile_prog "" "" ; then
splice=yes
fi
# check if eventfd is supported
eventfd=no
cat > $TMPC << EOF
#include <sys/eventfd.h>
int main(void)
{
int efd = eventfd(0, 0);
return 0;
}
EOF
if compile_prog "" "" ; then
eventfd=yes
fi
# Check if tools are available to build documentation.
if test "$docs" != "no" ; then
if test -x "`which texi2html 2>/dev/null`" -a \
-x "`which pod2man 2>/dev/null`" ; then
docs=yes
else
if test "$docs" = "yes" ; then
feature_not_found "docs"
fi
docs=no
fi
fi
# Search for bsawp_32 function
byteswap_h=no
cat > $TMPC << EOF
#include <byteswap.h>
int main(void) { return bswap_32(0); }
EOF
if compile_prog "" "" ; then
byteswap_h=yes
fi
# Search for bsawp_32 function
bswap_h=no
cat > $TMPC << EOF
#include <sys/endian.h>
#include <sys/types.h>
#include <machine/bswap.h>
int main(void) { return bswap32(0); }
EOF
if compile_prog "" "" ; then
bswap_h=yes
fi
##########################################
# Do we need librt
cat > $TMPC <<EOF
#include <signal.h>
#include <time.h>
int main(void) { clockid_t id; return clock_gettime(id, NULL); }
EOF
if compile_prog "" "" ; then
:
elif compile_prog "" "-lrt" ; then
LIBS="-lrt $LIBS"
fi
# Determine what linker flags to use to force archive inclusion
check_linker_flags()
{
w2=
if test "$2" ; then
w2=-Wl,$2
fi
compile_prog "" "-Wl,$1 ${w2}"
}
cat > $TMPC << EOF
int main(void) { }
EOF
if check_linker_flags --whole-archive --no-whole-archive ; then
# GNU ld
arlibs_begin="-Wl,--whole-archive"
arlibs_end="-Wl,--no-whole-archive"
elif check_linker_flags -z,allextract -z,defaultextract ; then
# Solaris ld
arlibs_begin"=-Wl,-z,allextract"
arlibs_end="-Wl,-z,defaultextract"
elif check_linker_flags -all_load ; then
# Mac OS X
arlibs_begin="-all_load"
arlibs_end=""
else
echo "Error: your linker does not support --whole-archive or -z."
echo "Please report to qemu-devel@nongnu.org"
exit 1
fi
if test "$darwin" != "yes" -a "$mingw32" != "yes" -a "$solaries" != yes -a \
"$aix" != "yes" ; then
libs_softmmu="-lutil $libs_softmmu"
fi
# End of CC checks
# After here, no more $cc or $ld runs
# default flags for all hosts
QEMU_CFLAGS="-fno-strict-aliasing $QEMU_CFLAGS"
CFLAGS="-g $CFLAGS"
if test "$debug" = "no" ; then
CFLAGS="-O2 $CFLAGS"
fi
QEMU_CFLAGS="-Wall -Wundef -Wendif-labels -Wwrite-strings -Wmissing-prototypes $QEMU_CFLAGS"
QEMU_CFLAGS="-Wstrict-prototypes -Wredundant-decls $QEMU_CFLAGS"
QEMU_CFLAGS="-D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE $QEMU_CFLAGS"
QEMU_CFLAGS="-U_FORTIFY_SOURCE $QEMU_CFLAGS"
QEMU_CFLAGS="-I. -I\$(SRC_PATH) -MMD -MP -MT \$@ $QEMU_CFLAGS"
LDFLAGS="-g $LDFLAGS"
# Consult white-list to determine whether to enable werror
# by default. Only enable by default for git builds
if test -z "$werror" ; then
z_version=`cut -f3 -d. $source_path/VERSION`
if test "$z_version" = "50" -a \
"$linux" = "yes" ; then
werror="yes"
else
werror="no"
fi
fi
if test "$werror" = "yes" ; then
QEMU_CFLAGS="-Werror $QEMU_CFLAGS"
fi
if test "$solaris" = "no" ; then
if $ld --version 2>/dev/null | grep "GNU ld" >/dev/null 2>/dev/null ; then
LDFLAGS="-Wl,--warn-common $LDFLAGS"
fi
fi
if test "$mingw32" = "yes" ; then
if test -z "$prefix" ; then
prefix="c:/Program Files/Qemu"
fi
mansuffix=""
datasuffix=""
docsuffix=""
binsuffix=""
else
if test -z "$prefix" ; then
prefix="/usr/local"
fi
mansuffix="/share/man"
datasuffix="/share/qemu"
docsuffix="/share/doc/qemu"
binsuffix="/bin"
fi
echo "Install prefix $prefix"
echo "BIOS directory $prefix$datasuffix"
echo "binary directory $prefix$binsuffix"
if test "$mingw32" = "no" ; then
echo "Manual directory $prefix$mansuffix"
echo "ELF interp prefix $interp_prefix"
fi
echo "Source path $source_path"
echo "C compiler $cc"
echo "Host C compiler $host_cc"
echo "CFLAGS $CFLAGS"
echo "QEMU_CFLAGS $QEMU_CFLAGS"
echo "LDFLAGS $LDFLAGS"
echo "make $make"
echo "install $install"
echo "host CPU $cpu"
echo "host big endian $bigendian"
echo "target list $target_list"
echo "tcg debug enabled $debug_tcg"
echo "gprof enabled $gprof"
echo "sparse enabled $sparse"
echo "strip binaries $strip_opt"
echo "profiler $profiler"
echo "static build $static"
echo "-Werror enabled $werror"
if test "$darwin" = "yes" ; then
echo "Cocoa support $cocoa"
fi
echo "SDL support $sdl"
echo "curses support $curses"
echo "curl support $curl"
echo "check support $check_utests"
echo "mingw32 support $mingw32"
echo "Audio drivers $audio_drv_list"
echo "Extra audio cards $audio_card_list"
echo "Mixer emulation $mixemu"
echo "VNC TLS support $vnc_tls"
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
echo "VNC SASL support $vnc_sasl"
if test -n "$sparc_cpu"; then
echo "Target Sparc Arch $sparc_cpu"
fi
echo "xen support $xen"
echo "brlapi support $brlapi"
echo "bluez support $bluez"
echo "Documentation $docs"
[ ! -z "$uname_release" ] && \
echo "uname -r $uname_release"
echo "NPTL support $nptl"
echo "GUEST_BASE $guest_base"
echo "vde support $vde"
echo "IO thread $io_thread"
echo "Linux AIO support $linux_aio"
echo "Install blobs $blobs"
echo "KVM support $kvm"
echo "fdt support $fdt"
echo "preadv support $preadv"
if test $sdl_too_old = "yes"; then
echo "-> Your SDL version is too old - please upgrade to have SDL support"
fi
config_host_mak="config-host.mak"
config_host_h="config-host.h"
config_host_ld="config-host.ld"
#echo "Creating $config_host_mak and $config_host_h"
test -f $config_host_h && mv $config_host_h ${config_host_h}~
echo "# Automatically generated by configure - do not modify" > $config_host_mak
printf "# Configured with:" >> $config_host_mak
printf " '%s'" "$0" "$@" >> $config_host_mak
echo >> $config_host_mak
echo "CONFIG_QEMU_SHAREDIR=\"$prefix$datasuffix\"" >> $config_host_mak
case "$cpu" in
i386|x86_64|alpha|cris|hppa|ia64|m68k|microblaze|mips|mips64|ppc|ppc64|s390|sparc|sparc64)
ARCH=$cpu
;;
armv4b|armv4l)
ARCH=arm
;;
*)
echo "Unsupported CPU = $cpu"
exit 1
;;
esac
echo "ARCH=$ARCH" >> $config_host_mak
if test "$debug_tcg" = "yes" ; then
echo "CONFIG_DEBUG_TCG=y" >> $config_host_mak
fi
if test "$debug" = "yes" ; then
echo "CONFIG_DEBUG_EXEC=y" >> $config_host_mak
fi
if test "$strip_opt" = "yes" ; then
echo "STRIP_OPT=-s" >> $config_host_mak
fi
if test "$bigendian" = "yes" ; then
echo "HOST_WORDS_BIGENDIAN=y" >> $config_host_mak
fi
echo "HOST_LONG_BITS=$hostlongbits" >> $config_host_mak
if test "$mingw32" = "yes" ; then
echo "CONFIG_WIN32=y" >> $config_host_mak
else
echo "CONFIG_POSIX=y" >> $config_host_mak
fi
if test "$darwin" = "yes" ; then
echo "CONFIG_DARWIN=y" >> $config_host_mak
fi
if test "$aix" = "yes" ; then
echo "CONFIG_AIX=y" >> $config_host_mak
fi
if test "$solaris" = "yes" ; then
echo "CONFIG_SOLARIS=y" >> $config_host_mak
echo "CONFIG_SOLARIS_VERSION=$solarisrev" >> $config_host_mak
if test "$needs_libsunmath" = "yes" ; then
echo "CONFIG_NEEDS_LIBSUNMATH=y" >> $config_host_mak
fi
fi
if test "$static" = "yes" ; then
echo "CONFIG_STATIC=y" >> $config_host_mak
LDFLAGS="-static $LDFLAGS"
fi
if test $profiler = "yes" ; then
echo "CONFIG_PROFILER=y" >> $config_host_mak
fi
if test "$slirp" = "yes" ; then
echo "CONFIG_SLIRP=y" >> $config_host_mak
CFLAGS="-I\$(SRC_PATH)/slirp $CFLAGS"
fi
if test "$vde" = "yes" ; then
echo "CONFIG_VDE=y" >> $config_host_mak
fi
for card in $audio_card_list; do
def=CONFIG_`echo $card | tr '[:lower:]' '[:upper:]'`
echo "$def=y" >> $config_host_mak
done
echo "CONFIG_AUDIO_DRIVERS=$audio_drv_list" >> $config_host_mak
for drv in $audio_drv_list; do
def=CONFIG_`echo $drv | tr '[:lower:]' '[:upper:]'`
echo "$def=y" >> $config_host_mak
if test "$drv" = "fmod"; then
echo "FMOD_CFLAGS=-I$fmod_inc" >> $config_host_mak
fi
done
if test "$audio_pt_int" = "yes" ; then
echo "CONFIG_AUDIO_PT_INT=y" >> $config_host_mak
fi
if test "$mixemu" = "yes" ; then
echo "CONFIG_MIXEMU=y" >> $config_host_mak
fi
if test "$vnc_tls" = "yes" ; then
echo "CONFIG_VNC_TLS=y" >> $config_host_mak
echo "VNC_TLS_CFLAGS=$vnc_tls_cflags" >> $config_host_mak
fi
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
if test "$vnc_sasl" = "yes" ; then
echo "CONFIG_VNC_SASL=y" >> $config_host_mak
echo "VNC_SASL_CFLAGS=$vnc_sasl_cflags" >> $config_host_mak
Add SASL authentication support ("Daniel P. Berrange") This patch adds the new SASL authentication protocol to the VNC server. It is enabled by setting the 'sasl' flag when launching VNC. SASL can optionally provide encryption via its SSF layer, if a suitable mechanism is configured (eg, GSSAPI/Kerberos, or Digest-MD5). If an SSF layer is not available, then it should be combined with the x509 VNC authentication protocol which provides encryption. eg, if using GSSAPI qemu -vnc localhost:1,sasl eg if using TLS/x509 for encryption qemu -vnc localhost:1,sasl,tls,x509 By default the Cyrus SASL library will look for its configuration in the file /etc/sasl2/qemu.conf. For non-root users, this can be overridden by setting the SASL_CONF_PATH environment variable, eg to make it look in $HOME/.sasl2. NB unprivileged users may not have access to the full range of SASL mechanisms, since some of them require some administrative privileges to configure. The patch includes an example SASL configuration file which illustrates config for GSSAPI and Digest-MD5, though it should be noted that the latter is not really considered secure any more. Most of the SASL authentication code is located in a separate source file, vnc-auth-sasl.c. The main vnc.c file only contains minimal integration glue, specifically parsing of command line flags / setup, and calls to start the SASL auth process, to do encoding/decoding for data. There are several possible stacks for reading & writing of data, depending on the combo of VNC authentication methods in use - Clear. read/write straight to socket - TLS. read/write via GNUTLS helpers - SASL. encode/decode via SASL SSF layer, then read/write to socket - SASL+TLS. encode/decode via SASL SSF layer, then read/write via GNUTLS Hence, the vnc_client_read & vnc_client_write methods have been refactored a little. vnc_client_read: main entry point for reading, calls either - vnc_client_read_plain reading, with no intermediate decoding - vnc_client_read_sasl reading, with SASL SSF decoding These two methods, then call vnc_client_read_buf(). This decides whether to write to the socket directly or write via GNUTLS. The situation is the same for writing data. More extensive comments have been added in the code / patch. The vnc_client_read_sasl and vnc_client_write_sasl method implementations live in the separate vnc-auth-sasl.c file. The state required for the SASL auth mechanism is kept in a separate VncStateSASL struct, defined in vnc-auth-sasl.h and included in the main VncState. The configure script probes for SASL and automatically enables it if found, unless --disable-vnc-sasl was given to override it. Makefile | 7 Makefile.target | 5 b/qemu.sasl | 34 ++ b/vnc-auth-sasl.c | 626 ++++++++++++++++++++++++++++++++++++++++++++++++++++ b/vnc-auth-sasl.h | 67 +++++ configure | 34 ++ qemu-doc.texi | 97 ++++++++ vnc-auth-vencrypt.c | 12 vnc.c | 249 ++++++++++++++++++-- vnc.h | 31 ++ 10 files changed, 1129 insertions(+), 33 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6724 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:28 +08:00
fi
Support ACLs for controlling VNC access ("Daniel P. Berrange") This patch introduces a generic internal API for access control lists to be used by network servers in QEMU. It adds support for checking these ACL in the VNC server, in two places. The first ACL is for the SASL authentication mechanism, checking the SASL username. This ACL is called 'vnc.username'. The second is for the TLS authentication mechanism, when x509 client certificates are turned on, checking against the Distinguished Name of the client. This ACL is called 'vnc.x509dname' The internal API provides for an ACL with the following characteristics - A unique name, eg vnc.username, and vnc.x509dname. - A default policy, allow or deny - An ordered series of match rules, with allow or deny policy If none of the match rules apply, then the default policy is used. There is a monitor API to manipulate the ACLs, which I'll describe via examples (qemu) acl show vnc.username policy: allow (qemu) acl policy vnc.username denya acl: policy set to 'deny' (qemu) acl allow vnc.username fred acl: added rule at position 1 (qemu) acl allow vnc.username bob acl: added rule at position 2 (qemu) acl allow vnc.username joe 1 acl: added rule at position 1 (qemu) acl show vnc.username policy: deny 0: allow fred 1: allow joe 2: allow bob (qemu) acl show vnc.x509dname policy: allow (qemu) acl policy vnc.x509dname deny acl: policy set to 'deny' (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=* acl: added rule at position 1 (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob acl: added rule at position 2 (qemu) acl show vnc.x509dname policy: deny 0: allow C=GB,O=ACME,L=London,CN=* 1: allow C=GB,O=ACME,L=Boston,CN=bob By default the VNC server will not use any ACLs, allowing access to the server if the user successfully authenticates. To enable use of ACLs to restrict user access, the ',acl' flag should be given when starting QEMU. The initial ACL activated will be a 'deny all' policy and should be customized using monitor commands. eg enable SASL auth and ACLs qemu .... -vnc localhost:1,sasl,acl The next patch will provide a way to load a pre-defined ACL when starting up Makefile | 6 + b/acl.c | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ b/acl.h | 74 ++++++++++++++++++++++ configure | 18 +++++ monitor.c | 95 ++++++++++++++++++++++++++++ qemu-doc.texi | 49 ++++++++++++++ vnc-auth-sasl.c | 16 +++- vnc-auth-sasl.h | 7 ++ vnc-tls.c | 19 +++++ vnc-tls.h | 3 vnc.c | 21 ++++++ vnc.h | 3 12 files changed, 491 insertions(+), 5 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6726 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:37 +08:00
if test "$fnmatch" = "yes" ; then
echo "CONFIG_FNMATCH=y" >> $config_host_mak
Support ACLs for controlling VNC access ("Daniel P. Berrange") This patch introduces a generic internal API for access control lists to be used by network servers in QEMU. It adds support for checking these ACL in the VNC server, in two places. The first ACL is for the SASL authentication mechanism, checking the SASL username. This ACL is called 'vnc.username'. The second is for the TLS authentication mechanism, when x509 client certificates are turned on, checking against the Distinguished Name of the client. This ACL is called 'vnc.x509dname' The internal API provides for an ACL with the following characteristics - A unique name, eg vnc.username, and vnc.x509dname. - A default policy, allow or deny - An ordered series of match rules, with allow or deny policy If none of the match rules apply, then the default policy is used. There is a monitor API to manipulate the ACLs, which I'll describe via examples (qemu) acl show vnc.username policy: allow (qemu) acl policy vnc.username denya acl: policy set to 'deny' (qemu) acl allow vnc.username fred acl: added rule at position 1 (qemu) acl allow vnc.username bob acl: added rule at position 2 (qemu) acl allow vnc.username joe 1 acl: added rule at position 1 (qemu) acl show vnc.username policy: deny 0: allow fred 1: allow joe 2: allow bob (qemu) acl show vnc.x509dname policy: allow (qemu) acl policy vnc.x509dname deny acl: policy set to 'deny' (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=London,CN=* acl: added rule at position 1 (qemu) acl allow vnc.x509dname C=GB,O=ACME,L=Boston,CN=bob acl: added rule at position 2 (qemu) acl show vnc.x509dname policy: deny 0: allow C=GB,O=ACME,L=London,CN=* 1: allow C=GB,O=ACME,L=Boston,CN=bob By default the VNC server will not use any ACLs, allowing access to the server if the user successfully authenticates. To enable use of ACLs to restrict user access, the ',acl' flag should be given when starting QEMU. The initial ACL activated will be a 'deny all' policy and should be customized using monitor commands. eg enable SASL auth and ACLs qemu .... -vnc localhost:1,sasl,acl The next patch will provide a way to load a pre-defined ACL when starting up Makefile | 6 + b/acl.c | 185 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ b/acl.h | 74 ++++++++++++++++++++++ configure | 18 +++++ monitor.c | 95 ++++++++++++++++++++++++++++ qemu-doc.texi | 49 ++++++++++++++ vnc-auth-sasl.c | 16 +++- vnc-auth-sasl.h | 7 ++ vnc-tls.c | 19 +++++ vnc-tls.h | 3 vnc.c | 21 ++++++ vnc.h | 3 12 files changed, 491 insertions(+), 5 deletions(-) Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com> git-svn-id: svn://svn.savannah.nongnu.org/qemu/trunk@6726 c046a42c-6fe2-441c-8c8c-71466251a162
2009-03-07 04:27:37 +08:00
fi
qemu_version=`head $source_path/VERSION`
echo "VERSION=$qemu_version" >>$config_host_mak
echo "PKGVERSION=$pkgversion" >>$config_host_mak
echo "SRC_PATH=$source_path" >> $config_host_mak
if [ "$source_path_used" = "yes" ]; then
echo "VPATH=$source_path" >> $config_host_mak
fi
echo "TARGET_DIRS=$target_list" >> $config_host_mak
if [ "$docs" = "yes" ] ; then
echo "BUILD_DOCS=yes" >> $config_host_mak
fi
if test "$sdl" = "yes" ; then
echo "CONFIG_SDL=y" >> $config_host_mak
echo "SDL_CFLAGS=$sdl_cflags" >> $config_host_mak
fi
if test "$cocoa" = "yes" ; then
echo "CONFIG_COCOA=y" >> $config_host_mak
fi
if test "$curses" = "yes" ; then
echo "CONFIG_CURSES=y" >> $config_host_mak
fi
if test "$atfile" = "yes" ; then
echo "CONFIG_ATFILE=y" >> $config_host_mak
fi
if test "$utimens" = "yes" ; then
echo "CONFIG_UTIMENSAT=y" >> $config_host_mak
fi
if test "$pipe2" = "yes" ; then
echo "CONFIG_PIPE2=y" >> $config_host_mak
fi
if test "$splice" = "yes" ; then
echo "CONFIG_SPLICE=y" >> $config_host_mak
fi
if test "$eventfd" = "yes" ; then
echo "CONFIG_EVENTFD=y" >> $config_host_mak
fi
if test "$inotify" = "yes" ; then
echo "CONFIG_INOTIFY=y" >> $config_host_mak
fi
if test "$byteswap_h" = "yes" ; then
echo "CONFIG_BYTESWAP_H=y" >> $config_host_mak
fi
if test "$bswap_h" = "yes" ; then
echo "CONFIG_MACHINE_BSWAP_H=y" >> $config_host_mak
fi
if test "$curl" = "yes" ; then
echo "CONFIG_CURL=y" >> $config_host_mak
echo "CURL_CFLAGS=$curl_cflags" >> $config_host_mak
fi
if test "$brlapi" = "yes" ; then
echo "CONFIG_BRLAPI=y" >> $config_host_mak
fi
if test "$bluez" = "yes" ; then
echo "CONFIG_BLUEZ=y" >> $config_host_mak
echo "BLUEZ_CFLAGS=$bluez_cflags" >> $config_host_mak
fi
if test "$xen" = "yes" ; then
echo "CONFIG_XEN=y" >> $config_host_mak
fi
if test "$io_thread" = "yes" ; then
echo "CONFIG_IOTHREAD=y" >> $config_host_mak
fi
if test "$linux_aio" = "yes" ; then
echo "CONFIG_LINUX_AIO=y" >> $config_host_mak
fi
if test "$blobs" = "yes" ; then
echo "INSTALL_BLOBS=yes" >> $config_host_mak
fi
if test "$iovec" = "yes" ; then
echo "CONFIG_IOVEC=y" >> $config_host_mak
fi
if test "$preadv" = "yes" ; then
echo "CONFIG_PREADV=y" >> $config_host_mak
fi
if test "$fdt" = "yes" ; then
echo "CONFIG_FDT=y" >> $config_host_mak
fi
# XXX: suppress that
if [ "$bsd" = "yes" ] ; then
echo "CONFIG_BSD=y" >> $config_host_mak
fi
echo "CONFIG_UNAME_RELEASE=\"$uname_release\"" >> $config_host_mak
# USB host support
case "$usb" in
linux)
echo "HOST_USB=linux" >> $config_host_mak
;;
bsd)
echo "HOST_USB=bsd" >> $config_host_mak
;;
*)
echo "HOST_USB=stub" >> $config_host_mak
;;
esac
tools=
if test `expr "$target_list" : ".*softmmu.*"` != 0 ; then
tools="qemu-img\$(EXESUF) $tools"
if [ "$linux" = "yes" ] ; then
tools="qemu-nbd\$(EXESUF) qemu-io\$(EXESUF) $tools"
if [ "$check_utests" = "yes" ]; then
tools="check-qint check-qstring check-qdict $tools"
fi
fi
fi
echo "TOOLS=$tools" >> $config_host_mak
# Mac OS X ships with a broken assembler
roms=
if test \( "$cpu" = "i386" -o "$cpu" = "x86_64" \) -a \
"$targetos" != "Darwin" ; then
roms="optionrom"
fi
echo "ROMS=$roms" >> $config_host_mak
echo "prefix=$prefix" >> $config_host_mak
echo "bindir=\${prefix}$binsuffix" >> $config_host_mak
echo "mandir=\${prefix}$mansuffix" >> $config_host_mak
echo "datadir=\${prefix}$datasuffix" >> $config_host_mak
echo "docdir=\${prefix}$docsuffix" >> $config_host_mak
echo "MAKE=$make" >> $config_host_mak
echo "INSTALL=$install" >> $config_host_mak
echo "INSTALL_DIR=$install -d -m0755 -p" >> $config_host_mak
echo "INSTALL_DATA=$install -m0644 -p" >> $config_host_mak
echo "INSTALL_PROG=$install -m0755 -p" >> $config_host_mak
echo "CC=$cc" >> $config_host_mak
echo "HOST_CC=$host_cc" >> $config_host_mak
if test "$sparse" = "yes" ; then
echo "CC := REAL_CC=\"\$(CC)\" cgcc" >> $config_host_mak
echo "HOST_CC := REAL_CC=\"\$(HOST_CC)\" cgcc" >> $config_host_mak
echo "QEMU_CFLAGS += -Wbitwise -Wno-transparent-union -Wno-old-initializer -Wno-non-pointer-null" >> $config_host_mak
fi
echo "AR=$ar" >> $config_host_mak
echo "OBJCOPY=$objcopy" >> $config_host_mak
echo "LD=$ld" >> $config_host_mak
echo "CFLAGS=$CFLAGS" >> $config_host_mak
echo "QEMU_CFLAGS=$QEMU_CFLAGS" >> $config_host_mak
echo "HELPER_CFLAGS=$helper_cflags" >> $config_host_mak
echo "LDFLAGS=$LDFLAGS" >> $config_host_mak
echo "ARLIBS_BEGIN=$arlibs_begin" >> $config_host_mak
echo "ARLIBS_END=$arlibs_end" >> $config_host_mak
echo "LIBS+=$LIBS" >> $config_host_mak
echo "LIBS_TOOLS+=$libs_tools" >> $config_host_mak
echo "EXESUF=$EXESUF" >> $config_host_mak
echo "/* Automatically generated by configure - do not modify */" > $config_host_h
/bin/sh $source_path/create_config < $config_host_mak >> $config_host_h
if test -f ${config_host_h}~ ; then
if cmp -s $config_host_h ${config_host_h}~ ; then
mv ${config_host_h}~ $config_host_h
else
rm ${config_host_h}~
fi
fi
# generate list of library paths for linker script
$ld --verbose -v 2> /dev/null | grep SEARCH_DIR > ${config_host_ld}
if test -f ${config_host_ld}~ ; then
if cmp -s $config_host_ld ${config_host_ld}~ ; then
mv ${config_host_ld}~ $config_host_ld
else
rm ${config_host_ld}~
fi
fi
for target in $target_list; do
target_dir="$target"
config_mak=$target_dir/config.mak
config_h=$target_dir/config.h
target_arch2=`echo $target | cut -d '-' -f 1`
target_bigendian="no"
case "$target_arch2" in
armeb|m68k|microblaze|mips|mipsn32|mips64|ppc|ppcemb|ppc64|ppc64abi32|sh4eb|sparc|sparc64|sparc32plus)
target_bigendian=yes
;;
esac
target_softmmu="no"
target_user_only="no"
target_linux_user="no"
target_darwin_user="no"
target_bsd_user="no"
case "$target" in
${target_arch2}-softmmu)
target_softmmu="yes"
;;
${target_arch2}-linux-user)
target_user_only="yes"
target_linux_user="yes"
;;
${target_arch2}-darwin-user)
target_user_only="yes"
target_darwin_user="yes"
;;
${target_arch2}-bsd-user)
target_user_only="yes"
target_bsd_user="yes"
;;
*)
echo "ERROR: Target '$target' not recognised"
exit 1
;;
esac
#echo "Creating $config_mak, $config_h and $target_dir/Makefile"
test -f $config_h && mv $config_h ${config_h}~
mkdir -p $target_dir
mkdir -p $target_dir/fpu
mkdir -p $target_dir/tcg
mkdir -p $target_dir/ide
if test "$target" = "arm-linux-user" -o "$target" = "armeb-linux-user" -o "$target" = "arm-bsd-user" -o "$target" = "armeb-bsd-user" ; then
mkdir -p $target_dir/nwfpe
fi
#
# don't use ln -sf as not all "ln -sf" over write the file/link
#
rm -f $target_dir/Makefile
ln -s $source_path/Makefile.target $target_dir/Makefile
echo "# Automatically generated by configure - do not modify" > $config_mak
echo "include ../config-host.mak" >> $config_mak
bflt="no"
elfload32="no"
target_nptl="no"
interp_prefix1=`echo "$interp_prefix" | sed "s/%M/$target_arch2/g"`
echo "CONFIG_QEMU_PREFIX=\"$interp_prefix1\"" >> $config_mak
gdb_xml_files=""
TARGET_ARCH="$target_arch2"
TARGET_BASE_ARCH=""
TARGET_ABI_DIR=""
case "$target_arch2" in
i386)
target_phys_bits=32
;;
x86_64)
TARGET_BASE_ARCH=i386
target_phys_bits=64
;;
alpha)
target_phys_bits=64
;;
arm|armeb)
TARGET_ARCH=arm
bflt="yes"
target_nptl="yes"
gdb_xml_files="arm-core.xml arm-vfp.xml arm-vfp3.xml arm-neon.xml"
target_phys_bits=32
;;
cris)
target_nptl="yes"
target_phys_bits=32
;;
m68k)
bflt="yes"
gdb_xml_files="cf-core.xml cf-fp.xml"
target_phys_bits=32
;;
microblaze)
bflt="yes"
target_nptl="yes"
target_phys_bits=32
;;
mips|mipsel)
TARGET_ARCH=mips
echo "TARGET_ABI_MIPSO32=y" >> $config_mak
target_nptl="yes"
target_phys_bits=64
;;
mipsn32|mipsn32el)
TARGET_ARCH=mipsn32
TARGET_BASE_ARCH=mips
echo "TARGET_ABI_MIPSN32=y" >> $config_mak
target_phys_bits=64
;;
mips64|mips64el)
TARGET_ARCH=mips64
TARGET_BASE_ARCH=mips
echo "TARGET_ABI_MIPSN64=y" >> $config_mak
target_phys_bits=64
;;
ppc)
gdb_xml_files="power-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
target_phys_bits=32
target_nptl="yes"
;;
ppcemb)
TARGET_BASE_ARCH=ppc
TARGET_ABI_DIR=ppc
gdb_xml_files="power-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
target_phys_bits=64
target_nptl="yes"
;;
ppc64)
TARGET_BASE_ARCH=ppc
TARGET_ABI_DIR=ppc
gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
target_phys_bits=64
;;
ppc64abi32)
TARGET_ARCH=ppc64
TARGET_BASE_ARCH=ppc
TARGET_ABI_DIR=ppc
echo "TARGET_ABI32=y" >> $config_mak
gdb_xml_files="power64-core.xml power-fpu.xml power-altivec.xml power-spe.xml"
target_phys_bits=64
;;
sh4|sh4eb)
TARGET_ARCH=sh4
bflt="yes"
target_nptl="yes"
target_phys_bits=32
;;
sparc)
target_phys_bits=64
;;
sparc64)
TARGET_BASE_ARCH=sparc
elfload32="yes"
target_phys_bits=64
;;
sparc32plus)
TARGET_ARCH=sparc64
TARGET_BASE_ARCH=sparc
TARGET_ABI_DIR=sparc
echo "TARGET_ABI32=y" >> $config_mak
target_phys_bits=64
;;
*)
echo "Unsupported target CPU"
exit 1
;;
esac
echo "TARGET_ARCH=$TARGET_ARCH" >> $config_mak
target_arch_name="`echo $TARGET_ARCH | tr '[:lower:]' '[:upper:]'`"
echo "TARGET_$target_arch_name=y" >> $config_mak
echo "TARGET_ARCH2=$target_arch2" >> $config_mak
# TARGET_BASE_ARCH needs to be defined after TARGET_ARCH
if [ "$TARGET_BASE_ARCH" = "" ]; then
TARGET_BASE_ARCH=$TARGET_ARCH
fi
echo "TARGET_BASE_ARCH=$TARGET_BASE_ARCH" >> $config_mak
if [ "$TARGET_ABI_DIR" = "" ]; then
TARGET_ABI_DIR=$TARGET_ARCH
fi
echo "TARGET_ABI_DIR=$TARGET_ABI_DIR" >> $config_mak
if [ $target_phys_bits -lt $hostlongbits ] ; then
target_phys_bits=$hostlongbits
fi
case "$target_arch2" in
i386|x86_64)
if test "$xen" = "yes" -a "$target_softmmu" = "yes" ; then
echo "CONFIG_XEN=y" >> $config_mak
fi
esac
case "$target_arch2" in
i386|x86_64|ppcemb|ppc|ppc64)
# Make sure the target and host cpus are compatible
if test "$kvm" = "yes" -a "$target_softmmu" = "yes" -a \
\( "$target_arch2" = "$cpu" -o \
\( "$target_arch2" = "ppcemb" -a "$cpu" = "ppc" \) -o \
\( "$target_arch2" = "ppc64" -a "$cpu" = "ppc" \) -o \
\( "$target_arch2" = "x86_64" -a "$cpu" = "i386" \) -o \
\( "$target_arch2" = "i386" -a "$cpu" = "x86_64" \) \) ; then
echo "CONFIG_KVM=y" >> $config_mak
echo "KVM_CFLAGS=$kvm_cflags" >> $config_mak
fi
esac
echo "HWLIB=../libhw$target_phys_bits/libqemuhw$target_phys_bits.a" >> $config_mak
echo "TARGET_PHYS_ADDR_BITS=$target_phys_bits" >> $config_mak
echo "subdir-$target: subdir-libhw$target_phys_bits" >> $config_host_mak
if test "$target_bigendian" = "yes" ; then
echo "TARGET_WORDS_BIGENDIAN=y" >> $config_mak
fi
if test "$target_softmmu" = "yes" ; then
echo "CONFIG_SOFTMMU=y" >> $config_mak
echo "LIBS+=$libs_softmmu" >> $config_mak
fi
if test "$target_user_only" = "yes" ; then
echo "CONFIG_USER_ONLY=y" >> $config_mak
fi
if test "$target_linux_user" = "yes" ; then
echo "CONFIG_LINUX_USER=y" >> $config_mak
fi
if test "$target_darwin_user" = "yes" ; then
echo "CONFIG_DARWIN_USER=y" >> $config_mak
fi
list=""
if test ! -z "$gdb_xml_files" ; then
for x in $gdb_xml_files; do
list="$list $source_path/gdb-xml/$x"
done
fi
echo "TARGET_XML_FILES=$list" >> $config_mak
case "$target_arch2" in
arm|armeb|m68k|microblaze|mips|mipsel|mipsn32|mipsn32el|mips64|mips64el|ppc|ppc64|ppc64abi32|ppcemb|sparc|sparc64|sparc32plus)
echo "CONFIG_SOFTFLOAT=y" >> $config_mak
;;
*)
echo "CONFIG_NOSOFTFLOAT=y" >> $config_mak
;;
esac
if test "$target_user_only" = "yes" -a "$bflt" = "yes"; then
echo "TARGET_HAS_BFLT=y" >> $config_mak
fi
if test "$target_user_only" = "yes" \
-a "$nptl" = "yes" -a "$target_nptl" = "yes"; then
echo "CONFIG_USE_NPTL=y" >> $config_mak
fi
# 32 bit ELF loader in addition to native 64 bit loader?
if test "$target_user_only" = "yes" -a "$elfload32" = "yes"; then
echo "TARGET_HAS_ELFLOAD32=y" >> $config_mak
fi
if test "$target_user_only" = "yes" -a "$guest_base" = "yes"; then
echo "CONFIG_USE_GUEST_BASE=y" >> $config_mak
fi
if test "$target_bsd_user" = "yes" ; then
echo "CONFIG_BSD_USER=y" >> $config_mak
fi
# generate QEMU_CFLAGS/LDFLAGS for targets
cflags=""
ldflags=""
if test "$ARCH" = "sparc64" ; then
cflags="-I\$(SRC_PATH)/tcg/sparc $cflags"
else
cflags="-I\$(SRC_PATH)/tcg/\$(ARCH) $cflags"
fi
cflags="-I\$(SRC_PATH)/tcg $cflags"
cflags="-I\$(SRC_PATH)/fpu $cflags"
for i in $ARCH $TARGET_BASE_ARCH ; do
case "$i" in
alpha)
echo "CONFIG_ALPHA_DIS=y" >> $config_mak
;;
arm)
echo "CONFIG_ARM_DIS=y" >> $config_mak
;;
cris)
echo "CONFIG_CRIS_DIS=y" >> $config_mak
;;
hppa)
echo "CONFIG_HPPA_DIS=y" >> $config_mak
;;
i386|x86_64)
echo "CONFIG_I386_DIS=y" >> $config_mak
;;
m68k)
echo "CONFIG_M68K_DIS=y" >> $config_mak
;;
microblaze)
echo "CONFIG_MICROBLAZE_DIS=y" >> $config_mak
;;
mips*)
echo "CONFIG_MIPS_DIS=y" >> $config_mak
;;
ppc*)
echo "CONFIG_PPC_DIS=y" >> $config_mak
;;
s390)
echo "CONFIG_S390_DIS=y" >> $config_mak
;;
sh4)
echo "CONFIG_SH4_DIS=y" >> $config_mak
;;
sparc*)
echo "CONFIG_SPARC_DIS=y" >> $config_mak
;;
esac
done
case "$ARCH" in
alpha)
# Ensure there's only a single GP
cflags="-msmall-data $cflags"
;;
ia64)
cflags="-mno-sdata $cflags"
;;
esac
if test "$target_softmmu" = "yes" ; then
case "$TARGET_BASE_ARCH" in
arm)
cflags="-DHAS_AUDIO $cflags"
;;
i386|mips|ppc)
cflags="-DHAS_AUDIO -DHAS_AUDIO_CHOICE $cflags"
;;
esac
fi
if test "$target_softmmu" = "yes" -a \( \
"$TARGET_ARCH" = "microblaze" -o \
"$TARGET_ARCH" = "cris" \) ; then
echo "CONFIG_NEED_MMU=y" >> $config_mak
fi
if test "$gprof" = "yes" ; then
echo "TARGET_GPROF=yes" >> $config_mak
if test "$target_linux_user" = "yes" ; then
cflags="-p $cflags"
ldflags="-p $ldflags"
fi
if test "$target_softmmu" = "yes" ; then
ldflags="-p $ldflags"
echo "GPROF_CFLAGS=-p" >> $config_mak
fi
fi
linker_script="-Wl,-T../config-host.ld -Wl,-T,\$(SRC_PATH)/\$(ARCH).ld"
if test "$target_linux_user" = "yes" -o "$target_bsd_user" = "yes" ; then
case "$ARCH" in
i386)
if test "$gprof" = "yes" -o "$static" = "yes" ; then
ldflags="$linker_script $ldflags"
else
# WARNING: this LDFLAGS is _very_ tricky : qemu is an ELF shared object
# that the kernel ELF loader considers as an executable. I think this
# is the simplest way to make it self virtualizable!
ldflags="-Wl,-shared $ldflags"
fi
;;
sparc)
# -static is used to avoid g1/g3 usage by the dynamic linker
ldflags="$linker_script -static $ldflags"
;;
ia64)
ldflags="-Wl,-G0 $linker_script -static $ldflags"
;;
x86_64|ppc|ppc64|s390|sparc64|alpha|arm|m68k|mips|mips64)
ldflags="$linker_script $ldflags"
;;
esac
fi
if test "$target_softmmu" = "yes" ; then
case "$ARCH" in
ia64)
ldflags="-Wl,-G0 $linker_script -static $ldflags"
;;
esac
fi
echo "LDFLAGS+=$ldflags" >> $config_mak
echo "QEMU_CFLAGS+=$cflags" >> $config_mak
echo "/* Automatically generated by configure - do not modify */" > $config_h
echo "#include \"../config-host.h\"" >> $config_h
/bin/sh $source_path/create_config < $config_mak >> $config_h
if test -f ${config_h}~ ; then
if cmp -s $config_h ${config_h}~ ; then
mv ${config_h}~ $config_h
else
rm ${config_h}~
fi
fi
done # for target in $targets
# build tree in object directory if source path is different from current one
if test "$source_path_used" = "yes" ; then
DIRS="tests tests/cris slirp audio block pc-bios/optionrom"
DIRS="$DIRS roms/pcbios roms/seabios roms/vgabios"
FILES="Makefile tests/Makefile"
FILES="$FILES tests/cris/Makefile tests/cris/.gdbinit"
FILES="$FILES tests/test-mmap.c"
FILES="$FILES pc-bios/optionrom/Makefile pc-bios/keymaps pc-bios/video.x"
FILES="$FILES roms/pcbios/Makefile roms/seabios/Makefile roms/vgabios/Makefile"
for bios_file in $source_path/pc-bios/*.bin $source_path/pc-bios/*.dtb $source_path/pc-bios/openbios-*; do
FILES="$FILES pc-bios/`basename $bios_file`"
done
for dir in $DIRS ; do
mkdir -p $dir
done
# remove the link and recreate it, as not all "ln -sf" overwrite the link
for f in $FILES ; do
rm -f $f
ln -s $source_path/$f $f
done
fi
# temporary config to build submodules
for rom in seabios vgabios pcbios; do
config_mak=roms/$rom/config.mak
echo "# Automatically generated by configure - do not modify" >> $config_mak
echo "SRC_PATH=$source_path/roms/$rom" >> $config_mak
echo "CC=$cc" >> $config_mak
echo "BCC=bcc" >> $config_mak
echo "CPP=${cross_prefix}cpp" >> $config_mak
echo "OBJCOPY=objcopy" >> $config_mak
echo "IASL=iasl" >> $config_mak
echo "HOST_CC=$host_cc" >> $config_mak
echo "LD=$ld" >> $config_mak
done
for hwlib in 32 64; do
d=libhw$hwlib
mkdir -p $d
rm -f $d/Makefile
ln -s $source_path/Makefile.hw $d/Makefile
echo "HWLIB=libqemuhw$hwlib.a" > $d/config.mak
echo "QEMU_CFLAGS+=-DTARGET_PHYS_ADDR_BITS=$hwlib" >> $d/config.mak
done