Add APIs to get at more client security data

A socket object has various pieces of security data associated
with it, such as the SELinux context, the SASL username and
the x509 distinguished name. Add new APIs to virNetServerClient
and related modules to access this data.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange 2012-01-20 17:18:28 +00:00
parent ef3cd6473f
commit 51997e50fa
9 changed files with 125 additions and 0 deletions

View File

@ -13,6 +13,7 @@ virNetServerSetTLSContext;
# rpc/virnetserverclient.h
virNetServerClientGetTLSKeySize;
virNetServerClientGetTLSSession;
virNetServerClientHasTLSSession;
@ -33,6 +34,7 @@ virNetTLSContextNewServerPath;
virNetTLSInit;
virNetTLSSessionGetHandshakeStatus;
virNetTLSSessionGetKeySize;
virNetTLSSessionGetX509DName;
virNetTLSSessionHandshake;
virNetTLSSessionNew;
virNetTLSSessionRead;

View File

@ -854,11 +854,13 @@ virNetServerClientGetAuth;
virNetServerClientGetFD;
virNetServerClientGetPrivateData;
virNetServerClientGetReadonly;
virNetServerClientGetSecurityContext;
virNetServerClientGetUNIXIdentity;
virNetServerClientImmediateClose;
virNetServerClientInit;
virNetServerClientInitKeepAlive;
virNetServerClientIsClosed;
virNetServerClientIsLocal;
virNetServerClientIsSecure;
virNetServerClientLocalAddrString;
virNetServerClientNeedAuth;
@ -923,6 +925,7 @@ virNetSocketClose;
virNetSocketDupFD;
virNetSocketGetFD;
virNetSocketGetPort;
virNetSocketGetSecurityContext;
virNetSocketGetUNIXIdentity;
virNetSocketHasCachedData;
virNetSocketHasPassFD;

View File

@ -26,6 +26,7 @@ virNetSASLSessionServerStep;
# rpc/virnetserverclient.h
virNetServerClientGetSASLSession;
virNetServerClientSetSASLSession;

View File

@ -587,6 +587,16 @@ bool virNetServerClientHasTLSSession(virNetServerClientPtr client)
return has;
}
virNetTLSSessionPtr virNetServerClientGetTLSSession(virNetServerClientPtr client)
{
virNetTLSSessionPtr tls;
virObjectLock(client);
tls = client->tls;
virObjectUnlock(client);
return tls;
}
int virNetServerClientGetTLSKeySize(virNetServerClientPtr client)
{
int size = 0;
@ -608,6 +618,18 @@ int virNetServerClientGetFD(virNetServerClientPtr client)
return fd;
}
bool virNetServerClientIsLocal(virNetServerClientPtr client)
{
bool local = false;
virObjectLock(client);
if (client->sock)
local = virNetSocketIsLocal(client->sock);
virObjectUnlock(client);
return local;
}
int virNetServerClientGetUNIXIdentity(virNetServerClientPtr client,
uid_t *uid, gid_t *gid, pid_t *pid)
{
@ -619,6 +641,20 @@ int virNetServerClientGetUNIXIdentity(virNetServerClientPtr client,
return ret;
}
int virNetServerClientGetSecurityContext(virNetServerClientPtr client,
char **context)
{
int ret = 0;
*context = NULL;
virObjectLock(client);
if (client->sock)
ret = virNetSocketGetSecurityContext(client->sock, context);
virObjectUnlock(client);
return ret;
}
bool virNetServerClientIsSecure(virNetServerClientPtr client)
{
bool secure = false;
@ -651,6 +687,16 @@ void virNetServerClientSetSASLSession(virNetServerClientPtr client,
client->sasl = virObjectRef(sasl);
virObjectUnlock(client);
}
virNetSASLSessionPtr virNetServerClientGetSASLSession(virNetServerClientPtr client)
{
virNetSASLSessionPtr sasl;
virObjectLock(client);
sasl = client->sasl;
virObjectUnlock(client);
return sasl;
}
#endif

View File

@ -81,21 +81,28 @@ bool virNetServerClientGetReadonly(virNetServerClientPtr client);
# ifdef WITH_GNUTLS
bool virNetServerClientHasTLSSession(virNetServerClientPtr client);
virNetTLSSessionPtr virNetServerClientGetTLSSession(virNetServerClientPtr client);
int virNetServerClientGetTLSKeySize(virNetServerClientPtr client);
# endif
# ifdef WITH_SASL
void virNetServerClientSetSASLSession(virNetServerClientPtr client,
virNetSASLSessionPtr sasl);
virNetSASLSessionPtr virNetServerClientGetSASLSession(virNetServerClientPtr client);
# endif
int virNetServerClientGetFD(virNetServerClientPtr client);
bool virNetServerClientIsSecure(virNetServerClientPtr client);
bool virNetServerClientIsLocal(virNetServerClientPtr client);
int virNetServerClientGetUNIXIdentity(virNetServerClientPtr client,
uid_t *uid, gid_t *gid, pid_t *pid);
int virNetServerClientGetSecurityContext(virNetServerClientPtr client,
char **context);
void *virNetServerClientGetPrivateData(virNetServerClientPtr client);
typedef void (*virNetServerClientCloseFunc)(virNetServerClientPtr client);

View File

@ -40,6 +40,10 @@
#endif
#include "c-ctype.h"
#ifdef HAVE_SELINUX
# include <selinux/selinux.h>
#endif
#include "virnetsocket.h"
#include "virutil.h"
#include "viralloc.h"
@ -1156,6 +1160,46 @@ int virNetSocketGetUNIXIdentity(virNetSocketPtr sock ATTRIBUTE_UNUSED,
}
#endif
#ifdef HAVE_SELINUX
int virNetSocketGetSecurityContext(virNetSocketPtr sock,
char **context)
{
security_context_t seccon = NULL;
int ret = -1;
*context = NULL;
virMutexLock(&sock->lock);
if (getpeercon(sock->fd, &seccon) < 0) {
if (errno == ENOSYS) {
ret = 0;
goto cleanup;
}
virReportSystemError(errno, "%s",
_("Unable to query peer security context"));
goto cleanup;
}
if (!(*context = strdup(seccon))) {
virReportOOMError();
goto cleanup;
}
ret = 0;
cleanup:
freecon(seccon);
virMutexUnlock(&sock->lock);
return ret;
}
#else
int virNetSocketGetSecurityContext(virNetSocketPtr sock ATTRIBUTE_UNUSED,
char **context)
{
*context = NULL;
return 0;
}
#endif
int virNetSocketSetBlocking(virNetSocketPtr sock,
bool blocking)

View File

@ -114,6 +114,8 @@ int virNetSocketGetUNIXIdentity(virNetSocketPtr sock,
uid_t *uid,
gid_t *gid,
pid_t *pid);
int virNetSocketGetSecurityContext(virNetSocketPtr sock,
char **context);
int virNetSocketSetBlocking(virNetSocketPtr sock,
bool blocking);

View File

@ -71,6 +71,7 @@ struct _virNetTLSSession {
virNetTLSSessionWriteFunc writeFunc;
virNetTLSSessionReadFunc readFunc;
void *opaque;
char *x509dname;
};
static virClassPtr virNetTLSContextClass;
@ -1026,6 +1027,10 @@ static int virNetTLSContextValidCertificate(virNetTLSContextPtr ctxt,
"[session]", gnutls_strerror(ret));
goto authfail;
}
if (!(sess->x509dname = strdup(dname))) {
virReportOOMError();
goto authfail;
}
VIR_DEBUG("Peer DN is %s", dname);
if (virNetTLSContextCheckCertDN(cert, "[session]", sess->hostname, dname,
@ -1364,6 +1369,18 @@ cleanup:
return ssf;
}
const char *virNetTLSSessionGetX509DName(virNetTLSSessionPtr sess)
{
const char *ret = NULL;
virObjectLock(sess);
ret = sess->x509dname;
virObjectUnlock(sess);
return ret;
}
void virNetTLSSessionDispose(void *obj)
{
@ -1372,6 +1389,7 @@ void virNetTLSSessionDispose(void *obj)
PROBE(RPC_TLS_SESSION_DISPOSE,
"sess=%p", sess);
VIR_FREE(sess->x509dname);
VIR_FREE(sess->hostname);
gnutls_deinit(sess->session);
}

View File

@ -94,4 +94,6 @@ virNetTLSSessionGetHandshakeStatus(virNetTLSSessionPtr sess);
int virNetTLSSessionGetKeySize(virNetTLSSessionPtr sess);
const char *virNetTLSSessionGetX509DName(virNetTLSSessionPtr sess);
#endif