search for: libnbd_allow_transport_vsock

Previous discussion: https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html Last night I experimentally added support for URIs that contain the query parameter tls-psk-file, as part of rewriting the tests to cover more of the URI code. So you can now have a URI like: nbds://alice@localhost/?tls-psk-file=keys.psk However there's an obvious security problem here because now

...Set which transports are allowed to appear in NBD URIs. The +default is to allow any transports. + +The C<mask> parameter may contain any of the following flags +ORed together: + +=over 4 + +=item C<LIBNBD_ALLOW_TRANSPORT_TCP> + +=item C<LIBNBD_ALLOW_TRANSPORT_UNIX> + +=item C<LIBNBD_ALLOW_TRANSPORT_VSOCK> + +=back"; + see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_tls(3)>"]; + }; + + "set_uri_allow_tls", { + default_call with + args = [ Enum ("tls", tls_enum) ]; ret = RErr; + permitted_states = [ Created ]; + sh...

...any transports. 'any transport.' > + > +The C<mask> parameter may contain any of the following flags > +ORed together: > + > +=over 4 > + > +=item C<LIBNBD_ALLOW_TRANSPORT_TCP> > + > +=item C<LIBNBD_ALLOW_TRANSPORT_UNIX> > + > +=item C<LIBNBD_ALLOW_TRANSPORT_VSOCK> > + > +=back"; > + see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_tls(3)>"]; > + }; Worth L<nbd_get_uri_allow_tls(3)> to query the current permitted transports? Similar for other new set_ APIs. > + > + "set_uri...

...le to describe all flags supported by this build of libnbd. Future NBD extensions may add further flags, which in turn may be enabled by default in newer libnbd. As such, when attempting to disable only one specific bit, it is wiser to first call @@ -895,7 +897,11 @@ ORed together: =item C<LIBNBD_ALLOW_TRANSPORT_VSOCK> -=back"; +=back + +For convenience, the constant C<LIBNBD_ALLOW_TRANSPORT_MASK> is +available to describe all transports recognized by this build of +libnbd. A future version of the library may add new flags."; see_also = [Link "connect_uri"; Link "set_uri_...

In v2: - now based on my proposal to add LIBNBD_SHUTDOWN_IMMEDIATE - four flags instead of two: STRICT_FLAGS is new (patch 4), and STRICT_BOUNDS is separate from STRICT_ZERO_SIZE (patch 5) - various refactorings for more shared code and less duplication Eric Blake (5): api: Add xxx_MASK constant for each Flags type generator: Refactor filtering of accepted OFlags api: Add