Add ACL checks into the nwfilter driver

Insert calls to the ACL checking APIs in all nwfilter driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
Daniel P. Berrange 2013-04-23 11:56:22 +01:00
parent 20d8e1f1d7
commit 1eca3f5bdf
2 changed files with 33 additions and 2 deletions


@ -1391,8 +1391,13 @@ noinst_LTLIBRARIES += libvirt_driver_nwfilter.la
# Stateful, so linked to daemon instead # Stateful, so linked to daemon instead
#libvirt_la_BUILT_LIBADD += libvirt_driver_nwfilter.la #libvirt_la_BUILT_LIBADD += libvirt_driver_nwfilter.la
endif endif
libvirt_driver_nwfilter_la_CFLAGS = $(LIBPCAP_CFLAGS) \ libvirt_driver_nwfilter_la_CFLAGS = \
-I$(top_srcdir)/src/conf $(LIBNL_CFLAGS) $(AM_CFLAGS) $(DBUS_CFLAGS) $(LIBPCAP_CFLAGS) \
$(LIBNL_CFLAGS) \
$(DBUS_CFLAGS) \
-I$(top_srcdir)/src/access \
-I$(top_srcdir)/src/conf \
$(AM_CFLAGS)
libvirt_driver_nwfilter_la_LDFLAGS = $(LD_AMFLAGS) libvirt_driver_nwfilter_la_LDFLAGS = $(LD_AMFLAGS)
libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS) libvirt_driver_nwfilter_la_LIBADD = $(LIBPCAP_LIBS) $(LIBNL_LIBS) $(DBUS_LIBS)
if WITH_DRIVER_MODULES if WITH_DRIVER_MODULES


@ -42,6 +42,7 @@
#include "nwfilter_gentech_driver.h" #include "nwfilter_gentech_driver.h"
#include "configmake.h" #include "configmake.h"
#include "virstring.h" #include "virstring.h"
#include "viraccessapicheck.h"
#include "nwfilter_ipaddrmap.h" #include "nwfilter_ipaddrmap.h"
#include "nwfilter_dhcpsnoop.h" #include "nwfilter_dhcpsnoop.h"
@ -374,6 +375,9 @@ nwfilterLookupByUUID(virConnectPtr conn,
goto cleanup; goto cleanup;
} }
if (virNWFilterLookupByUUIDEnsureACL(conn, nwfilter->def) < 0)
goto cleanup;
ret = virGetNWFilter(conn, nwfilter->def->name, nwfilter->def->uuid); ret = virGetNWFilter(conn, nwfilter->def->name, nwfilter->def->uuid);
cleanup: cleanup:
@ -400,6 +404,9 @@ nwfilterLookupByName(virConnectPtr conn,
goto cleanup; goto cleanup;
} }
if (virNWFilterLookupByNameEnsureACL(conn, nwfilter->def) < 0)
goto cleanup;
ret = virGetNWFilter(conn, nwfilter->def->name, nwfilter->def->uuid); ret = virGetNWFilter(conn, nwfilter->def->name, nwfilter->def->uuid);
cleanup: cleanup:
@ -434,6 +441,10 @@ nwfilterClose(virConnectPtr conn) {
static int static int
nwfilterConnectNumOfNWFilters(virConnectPtr conn) { nwfilterConnectNumOfNWFilters(virConnectPtr conn) {
virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData; virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
if (virConnectNumOfNWFiltersEnsureACL(conn) < 0)
return -1;
return driver->nwfilters.count; return driver->nwfilters.count;
} }
@ -445,6 +456,9 @@ nwfilterConnectListNWFilters(virConnectPtr conn,
virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData; virNWFilterDriverStatePtr driver = conn->nwfilterPrivateData;
int got = 0, i; int got = 0, i;
if (virConnectListNWFiltersEnsureACL(conn) < 0)
return -1;
nwfilterDriverLock(driver); nwfilterDriverLock(driver);
for (i = 0; i < driver->nwfilters.count && got < nnames; i++) { for (i = 0; i < driver->nwfilters.count && got < nnames; i++) {
virNWFilterObjLock(driver->nwfilters.objs[i]); virNWFilterObjLock(driver->nwfilters.objs[i]);
@ -481,6 +495,9 @@ nwfilterConnectListAllNWFilters(virConnectPtr conn,
virCheckFlags(0, -1); virCheckFlags(0, -1);
if (virConnectListAllNWFiltersEnsureACL(conn) < 0)
return -1;
nwfilterDriverLock(driver); nwfilterDriverLock(driver);
if (!filters) { if (!filters) {
@ -537,6 +554,9 @@ nwfilterDefineXML(virConnectPtr conn,
if (!(def = virNWFilterDefParseString(conn, xml))) if (!(def = virNWFilterDefParseString(conn, xml)))
goto cleanup; goto cleanup;
if (virNWFilterDefineXMLEnsureACL(conn, def) < 0)
goto cleanup;
if (!(nwfilter = virNWFilterObjAssignDef(conn, &driver->nwfilters, def))) if (!(nwfilter = virNWFilterObjAssignDef(conn, &driver->nwfilters, def)))
goto cleanup; goto cleanup;
@ -578,6 +598,9 @@ nwfilterUndefine(virNWFilterPtr obj) {
goto cleanup; goto cleanup;
} }
if (virNWFilterUndefineEnsureACL(obj->conn, nwfilter->def) < 0)
goto cleanup;
if (virNWFilterTestUnassignDef(obj->conn, nwfilter) < 0) { if (virNWFilterTestUnassignDef(obj->conn, nwfilter) < 0) {
virReportError(VIR_ERR_OPERATION_INVALID, virReportError(VIR_ERR_OPERATION_INVALID,
"%s", "%s",
@ -626,6 +649,9 @@ nwfilterGetXMLDesc(virNWFilterPtr obj,
goto cleanup; goto cleanup;
} }
if (virNWFilterGetXMLDescEnsureACL(obj->conn, nwfilter->def) < 0)
goto cleanup;
ret = virNWFilterDefFormat(nwfilter->def); ret = virNWFilterDefFormat(nwfilter->def);
cleanup: cleanup:
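Review bot: nwfilterConnectNumOfNWFilters returns `driver->nwfilters.count` right after the connection-level `virConnectNumOfNWFiltersEnsureACL(conn)` check, so the count includes every filter, even ones the caller could be denied by the per-object checks (those taking `nwfilter->def`) added to the lookup, undefine and GetXMLDesc paths. nwfilterConnectListNWFilters and nwfilterConnectListAllNWFilters use the same connection-only check; their loop bodies continue outside the hunks, so whether the returned names and objects are filtered per filter cannot be confirmed from here. If per-object filtering is intentionally left to a later change, record that at each of the three sites, for example `/* ACL: connection-level check only; results are not filtered per nwfilter object */`. Without that note, someone writing an access policy may assume list and count results are already restricted to filters the caller can read.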