util: helper to temporary elevate privileges of the current identity
When talking to the secret driver, the callers inside libvirt daemons need to be able to run with elevated privileges that prove the API calls are made by a libvirt daemon, not an end user application. The virIdentityElevateCurrent method will take the current identity and, if not already present, add the system token. The old current identity is returned to the caller. With the VIR_IDENTITY_AUTORESTORE annotation, the old current identity will be restored upon leaving the codeblock scope. ... early work with regular privileges ... if (something needing elevated privs) { VIR_IDENTITY_AUTORESTORE virIdentity *oldident = virIdentityElevateCurrent(); if (!oldident) return -1; ... do something with elevated privileges ... } ... later work with regular privileges ... Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
parent
695d713df2
commit
10689c16d8
@ -2396,6 +2396,7 @@ virHostGetBootTime;
|
|||||||
|
|
||||||
|
|
||||||
# util/viridentity.h
|
# util/viridentity.h
|
||||||
|
virIdentityElevateCurrent;
|
||||||
virIdentityEnsureSystemToken;
|
virIdentityEnsureSystemToken;
|
||||||
virIdentityGetCurrent;
|
virIdentityGetCurrent;
|
||||||
virIdentityGetGroupName;
|
virIdentityGetGroupName;
|
||||||
@ -2412,6 +2413,7 @@ virIdentityGetUserName;
|
|||||||
virIdentityGetX509DName;
|
virIdentityGetX509DName;
|
||||||
virIdentityNew;
|
virIdentityNew;
|
||||||
virIdentityNewCopy;
|
virIdentityNewCopy;
|
||||||
|
virIdentityRestoreHelper;
|
||||||
virIdentitySetCurrent;
|
virIdentitySetCurrent;
|
||||||
virIdentitySetGroupName;
|
virIdentitySetGroupName;
|
||||||
virIdentitySetParameters;
|
virIdentitySetParameters;
|
||||||
|
@ -154,6 +154,53 @@ int virIdentitySetCurrent(virIdentity *ident)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* virIdentityElevateCurrent:
|
||||||
|
*
|
||||||
|
* Set the new identity to be associated with this thread,
|
||||||
|
* to an elevated copy of the current identity. The old
|
||||||
|
* current identity is returned and should be released by
|
||||||
|
* the caller when no longer required.
|
||||||
|
*
|
||||||
|
* Returns the previous identity, or NULL on error
|
||||||
|
*/
|
||||||
|
virIdentity *virIdentityElevateCurrent(void)
|
||||||
|
{
|
||||||
|
g_autoptr(virIdentity) ident = virIdentityGetCurrent();
|
||||||
|
const char *token;
|
||||||
|
int rc;
|
||||||
|
|
||||||
|
if (!ident) {
|
||||||
|
virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
|
||||||
|
_("No current identity to elevate"));
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ((rc = virIdentityGetSystemToken(ident, &token)) < 0)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
if (rc == 0) {
|
||||||
|
g_autoptr(virIdentity) identel = virIdentityNewCopy(ident);
|
||||||
|
|
||||||
|
if (virIdentitySetSystemToken(identel, systemToken) < 0)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
|
if (virIdentitySetCurrent(identel) < 0)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
return g_steal_pointer(&ident);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
void virIdentityRestoreHelper(virIdentity **identptr)
|
||||||
|
{
|
||||||
|
virIdentity *ident = *identptr;
|
||||||
|
|
||||||
|
if (ident != NULL)
|
||||||
|
virIdentitySetCurrent(ident);
|
||||||
|
}
|
||||||
|
|
||||||
#define TOKEN_BYTES 16
|
#define TOKEN_BYTES 16
|
||||||
#define TOKEN_STRLEN (TOKEN_BYTES * 2)
|
#define TOKEN_STRLEN (TOKEN_BYTES * 2)
|
||||||
|
|
||||||
|
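Review bot: virIdentityRestoreHelper discards the result of virIdentitySetCurrent(), so if the restore fails the thread keeps running under the elevated identity with nothing logged. The helper also never drops the reference that virIdentityElevateCurrent() hands back via g_steal_pointer(), which the doc comment says the caller must release. Inside the `if (ident != NULL)` branch I would at least report the failure, e.g. `if (virIdentitySetCurrent(ident) < 0) VIR_WARN("Unable to restore previous identity");`, and follow it with `g_object_unref(ident);`, assuming virIdentitySetCurrent() takes its own reference (its body is outside this hunk). In virIdentityElevateCurrent(), `token` is fetched but never read: when rc > 0 the existing token is accepted without being compared to `systemToken`, so whether such an identity really counts as elevated depends on checks not shown here.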
@ -27,8 +27,13 @@
|
|||||||
#define VIR_TYPE_IDENTITY vir_identity_get_type()
|
#define VIR_TYPE_IDENTITY vir_identity_get_type()
|
||||||
G_DECLARE_FINAL_TYPE(virIdentity, vir_identity, VIR, IDENTITY, GObject);
|
G_DECLARE_FINAL_TYPE(virIdentity, vir_identity, VIR, IDENTITY, GObject);
|
||||||
|
|
||||||
|
#define VIR_IDENTITY_AUTORESTORE __attribute__((cleanup(virIdentityRestoreHelper)))
|
||||||
|
|
||||||
virIdentity *virIdentityGetCurrent(void);
|
virIdentity *virIdentityGetCurrent(void);
|
||||||
int virIdentitySetCurrent(virIdentity *ident);
|
int virIdentitySetCurrent(virIdentity *ident);
|
||||||
|
virIdentity *virIdentityElevateCurrent(void);
|
||||||
|
|
||||||
|
void virIdentityRestoreHelper(virIdentity **identptr);
|
||||||
|
|
||||||
virIdentity *virIdentityGetSystem(void);
|
virIdentity *virIdentityGetSystem(void);
|
||||||
|
|
||||||
|
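Review bot: VIR_IDENTITY_AUTORESTORE is added without a comment, and its contract is easy to get wrong. The cleanup attribute runs virIdentityRestoreHelper on every scope exit, so the annotated variable has to be initialized in its declaration (to the result of virIdentityElevateCurrent() or NULL); otherwise the helper passes an indeterminate pointer to virIdentitySetCurrent(). A comment above the `#define` such as `/* Restores the saved identity on scope exit; the variable must be initialized where it is declared. */` would document that. The prototype of virIdentityRestoreHelper could also say that it is only meant to be invoked through this macro.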