Use polkit instead of socket permissions

As before membership in the libvirt group gives r/w access to all VMs.

debian/README.Debian

@@ -53,8 +53,9 @@ can handle the virtual bridges.
 
 Access Control
 ==============
-Access to the libvirt socket is controlled by membership in the "libvirt" group.
-If you want to manage VMs as non root you need to add a user to that group.
+Access to the libvirt managing tasks is controlled by PolicyKit. To ease
+configuration membership in the "libvirt" group is sufficient. If you want to
+manage VMs as non-root you need to add a user to that group.
 
 Note that this will allow users in this group to use all of libvirt's
 API including modifying files on the host. For finer grained access
@@ -83,4 +84,4 @@ for a complete explanation:
   <http://bugs.debian.org/453627>
   <http://bugs.debian.org/614291>
 
- -- Guido Günther <agx@sigxcpu.org>  Mon, 06 Feb 2011 17:28:35 +0200
+ -- Guido Günther <agx@sigxcpu.org>  Sun, 28 Sep 2014 09:50:41 +0200

debian/control

@@ -127,6 +127,7 @@ Depends:
  libvirt-clients (= ${binary:Version}),
  libvirt-daemon (= ${binary:Version}),
  logrotate,
+ policykit-1,
 Recommends:
  bridge-utils,
  dmidecode,
@@ -137,7 +138,7 @@ Recommends:
  parted,
  pm-utils,
 Section: admin
-Suggests: policykit-1, radvd, auditd, systemtap, systemd, apparmor
+Suggests: radvd, auditd, systemtap, systemd, apparmor
 Breaks: avahi-daemon (<< 0.6.31-3~)
 Replaces: libvirt-bin (<< 1.2.7-4~)
 Conflicts: libvirt-bin (<< 1.2.6-1~)

debian/libvirt-daemon-system.NEWS

+libvirt (1.2.9~rc1-1) experimental; urgency=medium
+
+  libvirtd now uses PolicyKit instead of unix socket domain permissions for r/w
+  connections. This has the advantage of requiring less reconfiguration when
+  using ACL based access and bringing us closer to upstream's recommendations.
+  In order to keep old configurations working we're still allowing all members
+  of the libvirt group full access via /etc/polkit-1/rules.d/60-libvirt.rules.
+
+  If you want to continue to use socket permission based access control you can
+  still configure it in /etc/libvirt/libvirtd.conf.
+
+ -- Guido Günther <agx@sigxcpu.org>  Sat, 27 Sep 2014 19:22:46 +0200

debian/libvirt-daemon-system.dirs

@@ -9,3 +9,4 @@
 /var/log/libvirt/uml
 /var/log/libvirt/lxc
 /etc/libvirt/hooks
+/etc/polkit-1/rules.d/

debian/patches/debian/Allow-libvirt-group-to-access-the-socket.patch

-From: Guido Guenther <agx@sigxcpu.org>
-Date: Thu, 26 Jun 2008 20:01:38 +0200
-Subject: Allow libvirt group to access the socket
-
----
- daemon/libvirtd.conf        | 9 +++++----
- daemon/test_libvirtd.aug.in | 4 ----
- 2 files changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/daemon/libvirtd.conf b/daemon/libvirtd.conf
-index d4f6a1c..06cb97f 100644
---- a/daemon/libvirtd.conf
-+++ b/daemon/libvirtd.conf
-@@ -87,7 +87,7 @@
- # without becoming root.
- #
- # This is restricted to 'root' by default.
--#unix_sock_group = "libvirt"
-+unix_sock_group = "libvirt"
- 
- # Set the UNIX socket permissions for the R/O socket. This is used
- # for monitoring VM status only
-@@ -104,7 +104,8 @@
- #
- # If not using PolicyKit and setting group ownership for access
- # control, then you may want to relax this too.
--#unix_sock_rw_perms = "0770"
-+# control then you may want to relax this to:
-+unix_sock_rw_perms = "0770"
- 
- # Set the name of the directory in which sockets will be found/created.
- #unix_sock_dir = "/var/run/libvirt"
-@@ -135,7 +136,7 @@
- #
- # To restrict monitoring of domains you may wish to enable
- # an authentication mechanism here
--#auth_unix_ro = "none"
-+auth_unix_ro = "none"
- 
- # Set an authentication scheme for UNIX read-write sockets
- # By default socket permissions only allow root. If PolicyKit
-@@ -144,7 +145,7 @@
- #
- # If the unix_sock_rw_perms are changed you may wish to enable
- # an authentication mechanism here
--#auth_unix_rw = "none"
-+auth_unix_rw = "none"
- 
- # Change the authentication scheme for TCP sockets.
- #
-diff --git a/daemon/test_libvirtd.aug.in b/daemon/test_libvirtd.aug.in
-index 37ff33d..8c4e8a4 100644
---- a/daemon/test_libvirtd.aug.in
-+++ b/daemon/test_libvirtd.aug.in
-@@ -9,12 +9,8 @@ module Test_libvirtd =
-         { "listen_addr" = "192.168.0.1" }
-         { "mdns_adv" = "1" }
-         { "mdns_name" = "Virtualization Host Joe Demo" }
--        { "unix_sock_group" = "libvirt" }
-         { "unix_sock_ro_perms" = "0777" }
--        { "unix_sock_rw_perms" = "0770" }
-         { "unix_sock_dir" = "/var/run/libvirt" }
--        { "auth_unix_ro" = "none" }
--        { "auth_unix_rw" = "none" }
-         { "auth_tcp" = "sasl" }
-         { "auth_tls" = "none" }
-         { "access_drivers"

debian/patches/series

 debian/remove-RHism.diff.patch
 debian/Don-t-enable-default-network-on-boot.patch
-debian/Allow-libvirt-group-to-access-the-socket.patch
 debian/fix-Debian-specific-path-to-hvm-loader.patch
 debian/Debianize-libvirt-guests.patch
 patch-qemuMonitorTextGetMigrationStatus-to-intercept.patch

debian/polkit/60-libvirt.rules

+/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
+
+// Mimic behaviour of group libvirt owning libvirt's rw socket
+//
+// See the polkit(8) man page for more information
+// about configuring polkit.
+
+polkit.addRule(function(action, subject) {
+    if (action.id == "org.libvirt.unix.manage" &&
+        subject.isInGroup("libvirt")) {
+        return polkit.Result.YES;
+    }
+});

debian/rules

@@ -145,6 +145,9 @@ override_dh_install:
 	    debian/libvirt-daemon-system.libvirt-guests.init
 	cp tools/libvirt-guests.sysconf \
 	    debian/libvirt-daemon-system.libvirt-guests.default
+	# Add our backward compat polkit rule
+	cp debian/polkit/60-libvirt.rules \
+	    debian/libvirt-daemon-system/etc/polkit-1/rules.d/
 ifneq (,$(findstring $(DEB_HOST_ARCH_OS), linux))
 	# Linux supports more nice things:
 	dh_install -p libvirt-daemon-system usr/lib/systemd/system lib/systemd/