mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2025-01-22 20:45:18 +00:00
src: set identity when opening secondary drivers
The drivers can all call virGetConnectXXX to open a connection to a secondary driver. For example, when creating a encrypted storage volume, the storage driver has to open a secret driver connection, or when starting a guest, the QEMU driver has to open the network driver to lookup a virtual network. When using monolithic libvirtd, the connection has the same effective identity as the client, since everything is still in the same process. When using the modular daemons, however, the remote daemon sees the identity of the calling daemon. This is a mistake as it results in the modular daemons seeing the client with elevated privileges. We need to pass on the current identity explicitly when opening the secondary drivers. This is the same thing that is done by daemon RPC dispatcher code when it is directly forwarding top level API calls from virtproxyd and other daemons. Reviewed-by: Michal Privoznik <mprivozn@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
11f077e286
commit
9645200dc0
27
src/driver.c
27
src/driver.c
@ -33,6 +33,8 @@
|
||||
#include "virstring.h"
|
||||
#include "virthread.h"
|
||||
#include "virutil.h"
|
||||
#include "viridentity.h"
|
||||
#include "datatypes.h"
|
||||
#include "configmake.h"
|
||||
|
||||
VIR_LOG_INIT("driver");
|
||||
@ -136,6 +138,7 @@ static virConnectPtr
|
||||
virGetConnectGeneric(virThreadLocal *threadPtr, const char *name)
|
||||
{
|
||||
virConnectPtr conn;
|
||||
virErrorPtr saved;
|
||||
|
||||
if (virConnectCacheInitialize() < 0)
|
||||
return NULL;
|
||||
@ -153,8 +156,32 @@ virGetConnectGeneric(virThreadLocal *threadPtr, const char *name)
|
||||
|
||||
conn = virConnectOpen(uri);
|
||||
VIR_DEBUG("Opened new %s connection %p", name, conn);
|
||||
if (!conn)
|
||||
return NULL;
|
||||
|
||||
if (conn->driver->connectSetIdentity != NULL) {
|
||||
g_autoptr(virIdentity) ident = NULL;
|
||||
virTypedParameterPtr identparams = NULL;
|
||||
int nidentparams = 0;
|
||||
|
||||
VIR_DEBUG("Attempting to delegate current identity");
|
||||
if (!(ident = virIdentityGetCurrent()))
|
||||
goto error;
|
||||
|
||||
if (virIdentityGetParameters(ident, &identparams, &nidentparams) < 0)
|
||||
goto error;
|
||||
|
||||
if (virConnectSetIdentity(conn, identparams, nidentparams, 0) < 0)
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
return conn;
|
||||
|
||||
error:
|
||||
saved = virSaveLastError();
|
||||
virConnectClose(conn);
|
||||
virSetError(saved);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
|
||||
|
Loading…
x
Reference in New Issue
Block a user