External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2025-02-22 11:22:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

access: add nwfilter binding object permissions

Browse Source 
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2018-05-09 17:19:55 +01:00
parent b57a9aecaf
commit 099812f59d
9 changed files with 126 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/access/viraccessdriver.h
View File

@ -47,6 +47,10 @@ typedef int (*virAccessDriverCheckNWFilterDrv)(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virNWFilterDefPtr nwfilter, virNWFilterDefPtr nwfilter,
virAccessPermNWFilter av); virAccessPermNWFilter av);
typedef int (*virAccessDriverCheckNWFilterBindingDrv)(virAccessManagerPtr manager,
const char *driverName,
virNWFilterBindingDefPtr binding,
virAccessPermNWFilterBinding av);
typedef int (*virAccessDriverCheckSecretDrv)(virAccessManagerPtr manager, typedef int (*virAccessDriverCheckSecretDrv)(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virSecretDefPtr secret, virSecretDefPtr secret,
@ -80,6 +84,7 @@ struct _virAccessDriver {
virAccessDriverCheckNetworkDrv checkNetwork; virAccessDriverCheckNetworkDrv checkNetwork;
virAccessDriverCheckNodeDeviceDrv checkNodeDevice; virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
virAccessDriverCheckNWFilterDrv checkNWFilter; virAccessDriverCheckNWFilterDrv checkNWFilter;
virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
virAccessDriverCheckSecretDrv checkSecret; virAccessDriverCheckSecretDrv checkSecret;
virAccessDriverCheckStoragePoolDrv checkStoragePool; virAccessDriverCheckStoragePoolDrv checkStoragePool;
virAccessDriverCheckStorageVolDrv checkStorageVol; virAccessDriverCheckStorageVolDrv checkStorageVol;

10
src/access/viraccessdrivernop.c
View File

@ -75,6 +75,15 @@ virAccessDriverNopCheckNWFilter(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
return 1; /* Allow */ return 1; /* Allow */
} }
static int
virAccessDriverNopCheckNWFilterBinding(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
const char *driverName ATTRIBUTE_UNUSED,
virNWFilterBindingDefPtr binding ATTRIBUTE_UNUSED,
virAccessPermNWFilterBinding perm ATTRIBUTE_UNUSED)
{
return 1; /* Allow */
}
static int static int
virAccessDriverNopCheckSecret(virAccessManagerPtr manager ATTRIBUTE_UNUSED, virAccessDriverNopCheckSecret(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
const char *driverName ATTRIBUTE_UNUSED, const char *driverName ATTRIBUTE_UNUSED,
@ -112,6 +121,7 @@ virAccessDriver accessDriverNop = {
.checkNetwork = virAccessDriverNopCheckNetwork, .checkNetwork = virAccessDriverNopCheckNetwork,
.checkNodeDevice = virAccessDriverNopCheckNodeDevice, .checkNodeDevice = virAccessDriverNopCheckNodeDevice,
.checkNWFilter = virAccessDriverNopCheckNWFilter, .checkNWFilter = virAccessDriverNopCheckNWFilter,
.checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
.checkSecret = virAccessDriverNopCheckSecret, .checkSecret = virAccessDriverNopCheckSecret,
.checkStoragePool = virAccessDriverNopCheckStoragePool, .checkStoragePool = virAccessDriverNopCheckStoragePool,
.checkStorageVol = virAccessDriverNopCheckStorageVol, .checkStorageVol = virAccessDriverNopCheckStorageVol,

21
src/access/viraccessdriverpolkit.c
View File

@ -276,6 +276,26 @@ virAccessDriverPolkitCheckNWFilter(virAccessManagerPtr manager,
attrs); attrs);
} }
static int
virAccessDriverPolkitCheckNWFilterBinding(virAccessManagerPtr manager,
const char *driverName,
virNWFilterBindingDefPtr binding,
virAccessPermNWFilterBinding perm)
{
const char *attrs[] = {
"connect_driver", driverName,
"nwfilter_binding_portdev", binding->portdevname,
"nwfilter_binding_linkdev", binding->linkdevname,
"nwfilter_binding_filter", binding->filter,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"nwfilter_binding",
virAccessPermNWFilterBindingTypeToString(perm),
attrs);
}
static int static int
virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager, virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
@ -409,6 +429,7 @@ virAccessDriver accessDriverPolkit = {
.checkNetwork = virAccessDriverPolkitCheckNetwork, .checkNetwork = virAccessDriverPolkitCheckNetwork,
.checkNodeDevice = virAccessDriverPolkitCheckNodeDevice, .checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
.checkNWFilter = virAccessDriverPolkitCheckNWFilter, .checkNWFilter = virAccessDriverPolkitCheckNWFilter,
.checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,
.checkSecret = virAccessDriverPolkitCheckSecret, .checkSecret = virAccessDriverPolkitCheckSecret,
.checkStoragePool = virAccessDriverPolkitCheckStoragePool, .checkStoragePool = virAccessDriverPolkitCheckStoragePool,
.checkStorageVol = virAccessDriverPolkitCheckStorageVol, .checkStorageVol = virAccessDriverPolkitCheckStorageVol,

24
src/access/viraccessdriverstack.c
View File

@ -197,6 +197,29 @@ virAccessDriverStackCheckNWFilter(virAccessManagerPtr manager,
return ret; return ret;
} }
static int
virAccessDriverStackCheckNWFilterBinding(virAccessManagerPtr manager,
const char *driverName,
virNWFilterBindingDefPtr binding,
virAccessPermNWFilterBinding perm)
{
virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
int ret = 1;
size_t i;
for (i = 0; i < priv->managersLen; i++) {
int rv;
/* We do not short-circuit on first denial - always check all drivers */
rv = virAccessManagerCheckNWFilterBinding(priv->managers[i], driverName, binding, perm);
if (rv == 0 && ret != -1)
ret = 0;
else if (rv < 0)
ret = -1;
}
return ret;
}
static int static int
virAccessDriverStackCheckSecret(virAccessManagerPtr manager, virAccessDriverStackCheckSecret(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
@ -277,6 +300,7 @@ virAccessDriver accessDriverStack = {
.checkNetwork = virAccessDriverStackCheckNetwork, .checkNetwork = virAccessDriverStackCheckNetwork,
.checkNodeDevice = virAccessDriverStackCheckNodeDevice, .checkNodeDevice = virAccessDriverStackCheckNodeDevice,
.checkNWFilter = virAccessDriverStackCheckNWFilter, .checkNWFilter = virAccessDriverStackCheckNWFilter,
.checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,
.checkSecret = virAccessDriverStackCheckSecret, .checkSecret = virAccessDriverStackCheckSecret,
.checkStoragePool = virAccessDriverStackCheckStoragePool, .checkStoragePool = virAccessDriverStackCheckStoragePool,
.checkStorageVol = virAccessDriverStackCheckStorageVol, .checkStorageVol = virAccessDriverStackCheckStorageVol,

15
src/access/viraccessmanager.c
View File

@ -296,6 +296,21 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
return virAccessManagerSanitizeError(ret); return virAccessManagerSanitizeError(ret);
} }
int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
const char *driverName,
virNWFilterBindingDefPtr binding,
virAccessPermNWFilterBinding perm)
{
int ret = 0;
VIR_DEBUG("manager=%p(name=%s) driver=%s binding=%p perm=%d",
manager, manager->drv->name, driverName, binding, perm);
if (manager->drv->checkNWFilterBinding)
ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
return virAccessManagerSanitizeError(ret);
}
int virAccessManagerCheckSecret(virAccessManagerPtr manager, int virAccessManagerCheckSecret(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virSecretDefPtr secret, virSecretDefPtr secret,

5
src/access/viraccessmanager.h
View File

@ -29,6 +29,7 @@
# include "conf/storage_conf.h" # include "conf/storage_conf.h"
# include "conf/secret_conf.h" # include "conf/secret_conf.h"
# include "conf/interface_conf.h" # include "conf/interface_conf.h"
# include "conf/virnwfilterbindingdef.h"
# include "access/viraccessperm.h" # include "access/viraccessperm.h"
typedef struct _virAccessManager virAccessManager; typedef struct _virAccessManager virAccessManager;
@ -73,6 +74,10 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virNWFilterDefPtr nwfilter, virNWFilterDefPtr nwfilter,
virAccessPermNWFilter perm); virAccessPermNWFilter perm);
int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
const char *driverName,
virNWFilterBindingDefPtr binding,
virAccessPermNWFilterBinding perm);
int virAccessManagerCheckSecret(virAccessManagerPtr manager, int virAccessManagerCheckSecret(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virSecretDefPtr secret, virSecretDefPtr secret,

7
src/access/viraccessperm.c
View File

@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect,
"search_domains", "search_networks", "search_domains", "search_networks",
"search_storage_pools", "search_node_devices", "search_storage_pools", "search_node_devices",
"search_interfaces", "search_secrets", "search_interfaces", "search_secrets",
"search_nwfilters", "search_nwfilters", "search_nwfilter_bindings",
"detect_storage_pools", "pm_control", "detect_storage_pools", "pm_control",
"interface_transaction"); "interface_transaction");
@ -66,6 +66,11 @@ VIR_ENUM_IMPL(virAccessPermNWFilter,
"getattr", "read", "write", "getattr", "read", "write",
"save", "delete"); "save", "delete");
VIR_ENUM_IMPL(virAccessPermNWFilterBinding,
VIR_ACCESS_PERM_NWFILTER_BINDING_LAST,
"getattr", "read",
"create", "delete");
VIR_ENUM_IMPL(virAccessPermSecret, VIR_ENUM_IMPL(virAccessPermSecret,
VIR_ACCESS_PERM_SECRET_LAST, VIR_ACCESS_PERM_SECRET_LAST,
"getattr", "read", "write", "getattr", "read", "write",

38
src/access/viraccessperm.h
View File

@ -94,6 +94,12 @@ typedef enum {
*/ */
VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTERS, VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTERS,
/**
* @desc: List network filter bindings
* @message: Listing network filter bindings requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTER_BINDINGS,
/** /**
* @desc: Detect storage pools * @desc: Detect storage pools
@ -486,6 +492,37 @@ typedef enum {
VIR_ACCESS_PERM_NWFILTER_LAST VIR_ACCESS_PERM_NWFILTER_LAST
} virAccessPermNWFilter; } virAccessPermNWFilter;
typedef enum {
/**
* @desc: Access network filter
* @message: Accessing network filter requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NWFILTER_BINDING_GETATTR,
/**
* @desc: Read network filter binding
* @message: Reading network filter configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NWFILTER_BINDING_READ,
/**
* @desc: Create network filter binding
* @message: Creating network filter binding requires authorization
*/
VIR_ACCESS_PERM_NWFILTER_BINDING_CREATE,
/**
* @desc: Delete network filter binding
* @message: Deleting network filter binding requires authorization
*/
VIR_ACCESS_PERM_NWFILTER_BINDING_DELETE,
VIR_ACCESS_PERM_NWFILTER_BINDING_LAST
} virAccessPermNWFilterBinding;
typedef enum { typedef enum {
/** /**
@ -657,6 +694,7 @@ VIR_ENUM_DECL(virAccessPermInterface);
VIR_ENUM_DECL(virAccessPermNetwork); VIR_ENUM_DECL(virAccessPermNetwork);
VIR_ENUM_DECL(virAccessPermNodeDevice); VIR_ENUM_DECL(virAccessPermNodeDevice);
VIR_ENUM_DECL(virAccessPermNWFilter); VIR_ENUM_DECL(virAccessPermNWFilter);
VIR_ENUM_DECL(virAccessPermNWFilterBinding);
VIR_ENUM_DECL(virAccessPermSecret); VIR_ENUM_DECL(virAccessPermSecret);
VIR_ENUM_DECL(virAccessPermStoragePool); VIR_ENUM_DECL(virAccessPermStoragePool);
VIR_ENUM_DECL(virAccessPermStorageVol); VIR_ENUM_DECL(virAccessPermStorageVol);

3
src/rpc/gendispatch.pl
View File

@ -2033,7 +2033,8 @@ elsif ($mode eq "client") {
"storage_conf.h", "storage_conf.h",
"nwfilter_conf.h", "nwfilter_conf.h",
"node_device_conf.h", "node_device_conf.h",
"interface_conf.h" "interface_conf.h",
"virnwfilterbindingdef.h",
); );
foreach my $hdr (@headers) { foreach my $hdr (@headers) {
print "#include \"$hdr\"\n"; print "#include \"$hdr\"\n";