On Fri, Dec 05, 2025 at 12:34:37 +0000, Nikolaus Rath wrote:
> On Fri, 5 Dec 2025, at 07:59, Peter Krempa wrote:
> > On Thu, Dec 04, 2025 at 19:22:12 -0000, [email protected] wrote

[...]

> >> Then, as far as I can tell, there's lots of sockets with different
> >> permissions created by systemd in /run/libvirt (e.g. libvirt-admin-sock,
> >> libvirt-sock, libvirt-sock-ro). But since they're all passed to libvirtd
> >> as open file descriptors, I don't understand how they can give different
> >> levels of access (since libvirtd has no way of knowing which socket was
> >> used).
> >
> > Libvirt actually does know what socket you've used to connect to it and
> > actually also knows the UID of the connecting client. This allows
> > filtering access on a granular level with our ACL support.
>
> Hmm.. I'm still confused that none of the socket names are mentioned anywhere
> in the libvirtd config. For example, if I grep for `sock-ro` or `admin-sock`
> in /etc/libvirt, I get no matches.

The full names are not mentioned, but the corresponding settings in each
config file for the daemon are:

unix_sock_group
unix_sock_ro_perms
unix_sock_rw_perms

etc. The documentation also outlines the settings.

Also if you use socket activation (e.g. virtqemud.socket unit) then the
corresponding unit file is taken for config.

> Do you know how I could find out what the default permissions are for each
> socket?

In short if polkit authentication is enabled then both sockets have 0777
mode and authentication is delegated to polkit. By default polkit ought to
allow users having admin privileges to also access the write-enabled
libvirt daemon system instance socket.

If polkit is not in use you can set the group and default permission
either in the config file or in the corresponding '.socket' systemd unit
file if you use systemd socket activation.

> And lastly, how do I tell virt-manager what socket to use? The qemu://system
> URL doesn't seem to directly map to any socket....

Normally you don't. The socket gets picked based on the URI and whether
you are opening a read-only or read-write connection and the socket is
placed in a well-known path.

( /run/libvirt/libvirt-sock (virtqemud/virtstoraged etc for per-daemon
versions) for qemu://system (or the -ro variant), or e.g.
/run/user/1000/libvirt/virtqemud-sock or the appropriate XDG runtime
directory for the qemu:///session instances.)
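The precedence described in the reply above, as an added example that is not part of this thread and not libvirt's own code: a systemd .socket unit (socket activation) decides the socket's mode and group, otherwise the daemon's .conf does, and with polkit the read-write socket falls back to 0777. Two assumptions are made beyond the mail and are marked in the comments: an explicit unix_sock_rw_perms in the .conf still wins over the polkit default, and the fallbacks with polkit off are mode 0770 and group root (the values shown commented out in the shipped libvirtd.conf). The sample config and unit dump are constructed inline; on a real host you would point the functions at /etc/libvirt/virtqemud.conf (or libvirtd.conf) and at the output of `systemctl cat virtqemud.socket`.

```shell
#!/bin/sh
# Added example: which file decides a libvirt daemon's read-write UNIX socket
# mode/group? Order implemented: systemd .socket unit > explicit .conf value >
# polkit default (0777) > built-in fallback.
# Assumptions (not from the mail): explicit unix_sock_rw_perms beats the polkit
# default; fallbacks are mode 0770 and group "root" when nothing is configured.

# conf_get FILE KEY -> value of an uncommented `KEY = "value"` line, or empty
conf_get() {
  [ -r "$1" ] || return 0
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\"\{0,1\}\([^\"[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# unit_get FILE KEY -> last `KEY=value` in a `systemctl cat x.socket` dump
# (drop-ins are printed after the base unit, so the last match wins)
unit_get() {
  [ -r "$1" ] || return 0
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*\)/\1/p" "$1" | tail -n 1
}

# effective_rw_mode CONF UNIT -> "<mode> <where it came from>"
effective_rw_mode() {
  m=$(unit_get "$2" SocketMode)
  if [ -n "$m" ]; then echo "$m socket-unit"; return 0; fi
  p=$(conf_get "$1" unix_sock_rw_perms)
  if [ -n "$p" ]; then echo "$p config"; return 0; fi
  if [ "$(conf_get "$1" auth_unix_rw)" = polkit ]; then
    echo "0777 polkit-default"; return 0
  fi
  echo "0770 builtin-default"   # assumed fallback, see header comment
}

# effective_group CONF UNIT -> "<group> <where it came from>"
effective_group() {
  g=$(unit_get "$2" SocketGroup)
  if [ -n "$g" ]; then echo "$g socket-unit"; return 0; fi
  g=$(conf_get "$1" unix_sock_group)
  if [ -n "$g" ]; then echo "$g config"; return 0; fi
  echo "root builtin-default"   # assumed fallback, see header comment
}

tmp=$(mktemp -d)

# Constructed sample 1: polkit auth, permission keys left commented out
cat > "$tmp/polkit.conf" <<'EOF'
#unix_sock_rw_perms = "0770"
auth_unix_rw = "polkit"
EOF

# Constructed sample 2: group-based access instead of polkit
cat > "$tmp/group.conf" <<'EOF'
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0777"
unix_sock_rw_perms = "0770"
auth_unix_rw = "none"
EOF

# Constructed sample 3: a `systemctl cat virtqemud.socket`-style dump with a
# local drop-in tightening the mode and setting the group
cat > "$tmp/unit.txt" <<'EOF'
# /usr/lib/systemd/system/virtqemud.socket
[Socket]
ListenStream=/run/libvirt/virtqemud-sock
SocketMode=0666

# /etc/systemd/system/virtqemud.socket.d/override.conf
[Socket]
SocketGroup=libvirt
SocketMode=0660
EOF

effective_rw_mode "$tmp/polkit.conf" /nonexistent     # 0777 polkit-default
effective_rw_mode "$tmp/group.conf"  /nonexistent     # 0770 config
effective_rw_mode "$tmp/group.conf"  "$tmp/unit.txt"  # 0660 socket-unit
effective_group   "$tmp/group.conf"  "$tmp/unit.txt"  # libvirt socket-unit
```

The second argument is whatever `systemctl cat <daemon>.socket` printed; passing a non-existent path models a host that runs the daemon without socket activation, in which case only the .conf values matter. Checking the result against `ls -l /run/libvirt/` on the host is the quickest way to confirm which source actually won.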
