/*
 * viraccessdriverstack.c: stacked access control driver
 *
 * Copyright (C) 2012-2013 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library. If not, see
 * <http://www.gnu.org/licenses/>.
 */
#include <config.h>
#include "viraccessdriverstack.h"
#include "viralloc.h"
#define VIR_FROM_THIS VIR_FROM_ACCESS
typedef struct _virAccessDriverStackPrivate virAccessDriverStackPrivate;
/*
 * Private state of the "stack" access driver: an ordered list of child
 * access managers that every check is fanned out to.
 */
struct _virAccessDriverStackPrivate {
    /* Child managers, consulted in append order. The stack holds one
     * reference to each; those references are dropped by
     * virAccessDriverStackCleanup. */
    virAccessManager **managers;
    /* Number of valid entries in @managers */
    size_t managersLen;
};
/*
 * virAccessDriverStackAppend:
 * @manager: the stack access manager to extend
 * @child: access manager to add as the last member of the stack
 *
 * Appends @child to the list of child managers the stack consults.
 * Ownership of the caller's reference to @child passes to the stack:
 * it is not ref'd here and is unref'd in virAccessDriverStackCleanup.
 *
 * VIR_EXPAND_N is treated as infallible here (its result is not
 * checked), so the only result this function produces is 0.
 *
 * Returns 0.
 */
int virAccessDriverStackAppend(virAccessManager *manager,
                               virAccessManager *child)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    size_t slot = priv->managersLen;

    /* Grow the array by one; the new element lands at the old length */
    VIR_EXPAND_N(priv->managers, priv->managersLen, 1);
    priv->managers[slot] = child;

    return 0;
}
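/*
 * virAccessDriverStackCleanup:
 * @manager: the stack access manager being torn down
 *
 * Drops the reference the stack holds on every child manager (taken
 * over in virAccessDriverStackAppend) and releases the child array.
 * The element count is reset as well, so the private data never
 * describes N live entries behind an array that has just been freed
 * should anything touch it after cleanup.
 */
static void virAccessDriverStackCleanup(virAccessManager *manager)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    size_t i;

    for (i = 0; i < priv->managersLen; i++)
        virObjectUnref(priv->managers[i]);

    VIR_FREE(priv->managers);
    /* Keep the count consistent with the now-released array */
    priv->managersLen = 0;
}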
/*
 * virAccessDriverStackCheckConnect:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @perm: the connect-level permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * a negative result from any child (error) makes the overall result -1;
 * otherwise a 0 from any child (denied) makes it 0; only when every child
 * returns a positive value does the stack return 1 (permitted).
 *
 * Every child is consulted even after a denial — presumably so each
 * driver gets to see (and log) the request on its own; TODO confirm.
 *
 * NOTE(review): with no children appended the loop never runs and the
 * request is permitted; callers are expected to append at least one
 * child before use — confirm against virAccessManagerNewStack.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckConnect(virAccessManager *manager,
                                 const char *driverName,
                                 virAccessPermConnect perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckConnect(priv->managers[i], driverName, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckDomain:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @domain: the domain definition the permission applies to
 * @perm: the domain permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckDomain(virAccessManager *manager,
                                const char *driverName,
                                virDomainDef *domain,
                                virAccessPermDomain perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckDomain(priv->managers[i], driverName, domain, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckInterface:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @iface: the interface definition the permission applies to
 * @perm: the interface permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckInterface(virAccessManager *manager,
                                   const char *driverName,
                                   virInterfaceDef *iface,
                                   virAccessPermInterface perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckInterface(priv->managers[i], driverName, iface, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckNetwork:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @network: the network definition the permission applies to
 * @perm: the network permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckNetwork(virAccessManager *manager,
                                 const char *driverName,
                                 virNetworkDef *network,
                                 virAccessPermNetwork perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckNetwork(priv->managers[i], driverName, network, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckNetworkPort:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @network: the network the port belongs to
 * @port: the network port definition the permission applies to
 * @perm: the network port permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckNetworkPort(virAccessManager *manager,
                                     const char *driverName,
                                     virNetworkDef *network,
                                     virNetworkPortDef *port,
                                     virAccessPermNetworkPort perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckNetworkPort(priv->managers[i], driverName, network, port, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckNodeDevice:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @nodedev: the node device definition the permission applies to
 * @perm: the node device permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckNodeDevice(virAccessManager *manager,
                                    const char *driverName,
                                    virNodeDeviceDef *nodedev,
                                    virAccessPermNodeDevice perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckNodeDevice(priv->managers[i], driverName, nodedev, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckNWFilter:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @nwfilter: the network filter definition the permission applies to
 * @perm: the network filter permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckNWFilter(virAccessManager *manager,
                                  const char *driverName,
                                  virNWFilterDef *nwfilter,
                                  virAccessPermNWFilter perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckNWFilter(priv->managers[i], driverName, nwfilter, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckNWFilterBinding:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @binding: the network filter binding definition the permission applies to
 * @perm: the network filter binding permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckNWFilterBinding(virAccessManager *manager,
                                         const char *driverName,
                                         virNWFilterBindingDef *binding,
                                         virAccessPermNWFilterBinding perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckNWFilterBinding(priv->managers[i], driverName, binding, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckSecret:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @secret: the secret definition the permission applies to
 * @perm: the secret permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckSecret(virAccessManager *manager,
                                const char *driverName,
                                virSecretDef *secret,
                                virAccessPermSecret perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckSecret(priv->managers[i], driverName, secret, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckStoragePool:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @pool: the storage pool definition the permission applies to
 * @perm: the storage pool permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckStoragePool(virAccessManager *manager,
                                     const char *driverName,
                                     virStoragePoolDef *pool,
                                     virAccessPermStoragePool perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckStoragePool(priv->managers[i], driverName, pool, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * virAccessDriverStackCheckStorageVol:
 * @manager: the stack access manager whose children are consulted
 * @driverName: name of the driver the request is made against
 * @pool: the storage pool the volume belongs to
 * @vol: the storage volume definition the permission applies to
 * @perm: the storage volume permission being requested
 *
 * Fans the check out to every child manager and merges the verdicts:
 * any negative result (error) yields -1; otherwise any 0 (denied)
 * yields 0; only if every child returns a positive value is 1
 * (permitted) returned. All children are consulted even after a denial.
 *
 * NOTE(review): an empty stack permits the request (the loop never
 * runs); callers presumably always append a child first — confirm.
 *
 * Returns -1 on error, 0 if any child denied, 1 if all permitted.
 */
static int
virAccessDriverStackCheckStorageVol(virAccessManager *manager,
                                    const char *driverName,
                                    virStoragePoolDef *pool,
                                    virStorageVolDef *vol,
                                    virAccessPermStorageVol perm)
{
    virAccessDriverStackPrivate *priv = virAccessManagerGetPrivateData(manager);
    int denied = 0;
    int failed = 0;
    size_t i;

    /* Deliberately no early exit on denial: every child sees the request */
    for (i = 0; i < priv->managersLen; i++) {
        int rv = virAccessManagerCheckStorageVol(priv->managers[i], driverName, pool, vol, perm);

        if (rv < 0)
            failed = 1;
        else if (rv == 0)
            denied = 1;
    }

    /* An error from any child outranks a plain denial */
    if (failed)
        return -1;
    return denied ? 0 : 1;
}
/*
 * Driver table for the "stack" access manager: a composite driver that
 * fans each check out to every appended child manager and merges their
 * verdicts (any error -> -1, otherwise any denial -> 0, otherwise 1).
 * Children are added with virAccessDriverStackAppend and their
 * references released in virAccessDriverStackCleanup.
 */
virAccessDriver accessDriverStack = {
    .privateDataLen = sizeof(virAccessDriverStackPrivate),
    .name = "stack",
    .cleanup = virAccessDriverStackCleanup,
    .checkConnect = virAccessDriverStackCheckConnect,
    .checkDomain = virAccessDriverStackCheckDomain,
    .checkInterface = virAccessDriverStackCheckInterface,
    .checkNetwork = virAccessDriverStackCheckNetwork,
    .checkNetworkPort = virAccessDriverStackCheckNetworkPort,
    .checkNodeDevice = virAccessDriverStackCheckNodeDevice,
    .checkNWFilter = virAccessDriverStackCheckNWFilter,
    .checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,
    .checkSecret = virAccessDriverStackCheckSecret,
    .checkStoragePool = virAccessDriverStackCheckStoragePool,
    .checkStorageVol = virAccessDriverStackCheckStorageVol,
};