vz: add ACL checks to API calls

vzDomainMigrateConfirm3Params is whitelisted. Otherwise we need to move removing domain from domain list from perform to confirm step. This would further imply adding a flag and check that migration is in progress to prohibit mistakenly (maliciously) removing domains on confirm step. vz version of p2p also need to be fixed to include confirm step. One would also need to add means to cleanup pending migration on client disconnect as now is has state across several API calls. On the other hand current version of confirm step is totaly harmless thus it is easier to whitelist it at the moment. Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@virtuozzo.com> Signed-off-by: Maxim Nestratov <mnestratov@virtuozzo.com>
2025-02-22 03:12:22 +00:00 · 2016-06-24 17:32:38 +03:00 · 2016-06-24 17:32:38 +03:00 · 018b4ae14b
commit 018b4ae14b
parent 0adc9d26ae
4 changed files with 336 additions and 31 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -659,6 +659,7 @@ STATEFUL_DRIVER_SOURCE_FILES = \
 	$(STORAGE_DRIVER_SOURCES) \
 	$(UML_DRIVER_SOURCES) \
 	$(XEN_DRIVER_SOURCES) \
+	$(VZ_DRIVER_SOURCES) \
 	$(NULL)


@ -1524,7 +1525,9 @@ else ! WITH_DRIVER_MODULES
 noinst_LTLIBRARIES += libvirt_driver_vz.la
 endif ! WITH_DRIVER_MODULES
 libvirt_driver_vz_impl_la_CFLAGS = \
-		-I$(srcdir)/conf $(AM_CFLAGS) \
+		-I$(srcdir)/conf \
+		-I$(srcdir)/access \
+		$(AM_CFLAGS) \
 		$(PARALLELS_SDK_CFLAGS) $(LIBNL_CFLAGS)
 libvirt_driver_vz_impl_la_SOURCES = $(VZ_DRIVER_SOURCES)
 libvirt_driver_vz_impl_la_LIBADD =  $(PARALLELS_SDK_LIBS) $(LIBNL_LIBS)
--- a/src/check-aclrules.pl
+++ b/src/check-aclrules.pl
@ -73,6 +73,7 @@ my %implwhitelist = (
    "xenUnifiedDomainIsPersistent" => 1,
    "xenUnifiedDomainIsUpdated" => 1,
    "xenUnifiedDomainOpenConsole" => 1,
+    "vzDomainMigrateConfirm3Params" => 1,
    );
 my %filterimplwhitelist = (
    "xenUnifiedConnectListDomains" => 1,
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@ -5824,13 +5824,13 @@ enum remote_procedure {

    /**
     * @generate: none
-     * @acl: none
+     * @acl: connect:getattr
     */
    REMOTE_PROC_CONNECT_REGISTER_CLOSE_CALLBACK = 360,

    /**
     * @generate: none
-     * @acl: none
+     * @acl: connect:getattr
     */
    REMOTE_PROC_CONNECT_UNREGISTER_CLOSE_CALLBACK = 361,

--- a/src/vz/vz_driver.c
+++ b/src/vz/vz_driver.c