search for: nbd_set_uri_allow_tls

Previous discussion: https://www.redhat.com/archives/libguestfs/2019-August/msg00102.html Last night I experimentally added support for URIs that contain the query parameter tls-psk-file, as part of rewriting the tests to cover more of the URI code. So you can now have a URI like: nbds://alice@localhost/?tls-psk-file=keys.psk However there's an obvious security problem here because now

...parameter may contain any of the following flags +ORed together: + +=over 4 + +=item C<LIBNBD_ALLOW_TRANSPORT_TCP> + +=item C<LIBNBD_ALLOW_TRANSPORT_UNIX> + +=item C<LIBNBD_ALLOW_TRANSPORT_VSOCK> + +=back"; + see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_tls(3)>"]; + }; + + "set_uri_allow_tls", { + default_call with + args = [ Enum ("tls", tls_enum) ]; ret = RErr; + permitted_states = [ Created ]; + shortdesc = "set the allowed TLS settings in NBD URIs"; + longdesc = "\ +Set which TLS settings...

...together: > + > +=over 4 > + > +=item C<LIBNBD_ALLOW_TRANSPORT_TCP> > + > +=item C<LIBNBD_ALLOW_TRANSPORT_UNIX> > + > +=item C<LIBNBD_ALLOW_TRANSPORT_VSOCK> > + > +=back"; > + see_also = ["L<nbd_connect_uri(3)>"; "L<nbd_set_uri_allow_tls(3)>"]; > + }; Worth L<nbd_get_uri_allow_tls(3)> to query the current permitted transports? Similar for other new set_ APIs. > + > + "set_uri_allow_tls", { > + default_call with > + args = [ Enum ("tls", tls_enum) ]; ret = RErr; > + p...

...ng NBD servers to avoid various NBD features (Eric Blake). nbd_get_protocol(3) Get the NBD protocol variant that the server supports. nbd_get_tls_negotiated(3) Did we actually negotiate a TLS connection? nbd_set_uri_allow_local_file(3) nbd_set_uri_allow_tls(3) nbd_set_uri_allow_transports(3) These can be used to filter NBD URIs before calling nbd_connect_uri(3). New features New tool nbdfuse(1) lets you create a loop-mounted file backed by an NBD server without needing root. "AF_VSOCK" i...