External/libvirt
1
0
Fork 0
mirror of https://gitlab.com/libvirt/libvirt.git synced 2024-07-03 16:42:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add a policy kit access control driver

Browse Source 
Add an access control driver that uses the pkcheck command
to check authorization requests. This is fairly inefficient,
particularly for cases where an API returns a list of objects
and needs to check permission for each object.

It would be desirable to use the polkit API but this links
to glib with abort-on-OOM behaviour, so can't be used. The
other alternative is to speak to dbus directly

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrange 2012-01-23 15:12:57 +00:00
parent ed3bac713c
commit b904bba7f4
9 changed files with 586 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -103,6 +103,7 @@
/run
/sc_*
/src/.*.stamp
/src/access/org.libvirt.api.policy
/src/esx/*.generated.*
/src/hyperv/*.generated.*
/src/libvirt*.def

2
daemon/libvirtd.conf
View File

@ -163,7 +163,7 @@
# meaning no access control checks are done once a
# client has authenticated with libvirtd
#
#access_drivers = [ ]
#access_drivers = [ "polkit" ]
#################################################################
#

1
daemon/test_libvirtd.aug.in
View File

@ -18,6 +18,7 @@ module Test_libvirtd =
{ "auth_tcp" = "sasl" }
{ "auth_tls" = "none" }
{ "access_drivers"
{ "1" = "polkit" }
}
{ "key_file" = "/etc/pki/libvirt/private/serverkey.pem" }
{ "cert_file" = "/etc/pki/libvirt/servercert.pem" }

1
po/POTFILES.in
View File

@ -6,6 +6,7 @@ daemon/remote_dispatch.h
daemon/stream.c
gnulib/lib/gai_strerror.c
gnulib/lib/regcomp.c
src/access/viraccessdriverpolkit.c
src/access/viraccessmanager.c
src/conf/cpu_conf.c
src/conf/device_conf.c

28
src/Makefile.am
View File

@ -797,6 +797,13 @@ ACCESS_DRIVER_SOURCES = \
access/viraccessdrivernop.h access/viraccessdrivernop.c \
access/viraccessdriverstack.h access/viraccessdriverstack.c
ACCESS_DRIVER_POLKIT_SOURCES = \
access/viraccessdriverpolkit.h access/viraccessdriverpolkit.c
ACCESS_DRIVER_POLKIT_POLICY = \
access/org.libvirt.api.policy
NODE_DEVICE_DRIVER_SOURCES = \
node_device/node_device_driver.c \
node_device/node_device_driver.h \
@ -1391,6 +1398,24 @@ libvirt_driver_access_la_CFLAGS = \
libvirt_driver_access_la_LDFLAGS = $(AM_LDFLAGS)
libvirt_driver_access_la_LIBADD =
EXTRA_DIST += access/genpolkit.pl
if WITH_POLKIT1
libvirt_driver_access_la_SOURCES += $(ACCESS_DRIVER_POLKIT_SOURCES)
polkitactiondir = $(datadir)/polkit-1/actions
polkitaction_DATA = $(ACCESS_DRIVER_POLKIT_POLICY)
$(ACCESS_DRIVER_POLKIT_POLICY): $(srcdir)/access/viraccessperm.h \
$(srcdir)/access/genpolkit.pl Makefile.am
$(AM_V_GEN)$(PERL) $(srcdir)/access/genpolkit.pl < $< > $@ || rm -f $@
CLEANFILES += $(ACCESS_DRIVER_POLKIT_POLICY)
BUILT_SOURCES += $(ACCESS_DRIVER_POLKIT_POLICY)
else
EXTRA_DIST += $(ACCESS_DRIVER_POLKIT_SOURCES)
endif
# Add all conditional sources just in case...
EXTRA_DIST += \
@ -1430,7 +1455,8 @@ EXTRA_DIST += \
$(SECRET_DRIVER_SOURCES) \
$(VBOX_DRIVER_EXTRA_DIST) \
$(VMWARE_DRIVER_SOURCES) \
$(XENXS_SOURCES)
$(XENXS_SOURCES) \
$(ACCESS_DRIVER_POLKIT_POLICY)
check-local: check-augeas

119
src/access/genpolkit.pl Executable file
View File

@ -0,0 +1,119 @@
#!/usr/bin/perl
#
# Copyright (C) 2012-2013 Red Hat, Inc.
#
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
#
# This library is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
# Lesser General Public License for more details.
#
# You should have received a copy of the GNU Lesser General Public
# License along with this library. If not, see
# <http://www.gnu.org/licenses/>.
#
use strict;
use warnings;
my @objects = (
"CONNECT", "DOMAIN", "INTERFACE",
"NETWORK","NODE_DEVICE", "NWFILTER",
"SECRET", "STORAGE_POOL", "STORAGE_VOL",
);
my $objects = join ("|", @objects);
# Data we're going to be generating looks like this
#
# <policyconfig>
# <action id="org.libvirt.unix.monitor">
# <description>Monitor local virtualized systems</description>
# <message>System policy prevents monitoring of local virtualized systems</message>
# <defaults>
# <allow_any>yes</allow_any>
# <allow_inactive>yes</allow_inactive>
# <allow_active>yes</allow_active>
# </defaults>
# </action>
# ...more <action> rules...
# </policyconfig>
my %opts;
my $in_opts = 0;
my %perms;
while (<>) {
if ($in_opts) {
if (m,\*/,) {
$in_opts = 0;
} elsif (/\*\s*\@(\w+):\s*(.*?)\s*$/) {
$opts{$1} = $2;
}
} elsif (m,/\*\*,) {
$in_opts = 1;
} elsif (/VIR_ACCESS_PERM_($objects)_((?:\w|_)+),/) {
my $object = lc $1;
my $perm = lc $2;
next if $perm eq "last";
$object =~ s/_/-/g;
$perm =~ s/_/-/g;
$perms{$object} = {} unless exists $perms{$object};
$perms{$object}->{$perm} = {
desc => $opts{desc},
message => $opts{message},
anonymous => $opts{anonymous}
};
%opts = ();
}
}
print <<EOF;
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD polkit Policy Configuration 1.0//EN"
"http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
<policyconfig>
<vendor>Libvirt Project</vendor>
<vendor_url>http://libvirt.org</vendor_url>
EOF
foreach my $object (sort { $a cmp $b } keys %perms) {
foreach my $perm (sort { $a cmp $b } keys %{$perms{$object}}) {
my $description = $perms{$object}->{$perm}->{desc};
my $message = $perms{$object}->{$perm}->{message};
my $anonymous = $perms{$object}->{$perm}->{anonymous};
die "missing description for $object.$perm" unless
defined $description;
die "missing message for $object.$perm" unless
defined $message;
my $allow_any = $anonymous ? "yes" : "no";
my $allow_inactive = $allow_any;
my $allow_active = $allow_any;
print <<EOF;
<action id="org.libvirt.api.$object.$perm">
<description>$description</description>
<message>$message</message>
<defaults>
<allow_any>$allow_any</allow_any>
<allow_inactive>$allow_inactive</allow_inactive>
<allow_active>$allow_active</allow_active>
</defaults>
</action>
EOF
}
}
print <<EOF;
</policyconfig>
EOF

402
src/access/viraccessdriverpolkit.c Normal file
View File

@ -0,0 +1,402 @@
/*
* viraccessdriverpolkit.c: polkited access control driver
*
* Copyright (C) 2012 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#include <config.h>
#include "viraccessdriverpolkit.h"
#include "viralloc.h"
#include "vircommand.h"
#include "virlog.h"
#include "virprocess.h"
#include "virerror.h"
#include "virstring.h"
#define VIR_FROM_THIS VIR_FROM_ACCESS
#define virAccessError(code, ...) \
virReportErrorHelper(VIR_FROM_THIS, code, __FILE__, \
__FUNCTION__, __LINE__, __VA_ARGS__)
#define VIR_ACCESS_DRIVER_POLKIT_ACTION_PREFIX "org.libvirt.api"
typedef struct _virAccessDriverPolkitPrivate virAccessDriverPolkitPrivate;
typedef virAccessDriverPolkitPrivate *virAccessDriverPolkitPrivatePtr;
struct _virAccessDriverPolkitPrivate {
bool ignore;
};
static void virAccessDriverPolkitCleanup(virAccessManagerPtr manager ATTRIBUTE_UNUSED)
{
}
static char *
virAccessDriverPolkitFormatAction(const char *typename,
const char *permname)
{
char *actionid = NULL;
size_t i;
if (virAsprintf(&actionid, "%s.%s.%s",
VIR_ACCESS_DRIVER_POLKIT_ACTION_PREFIX,
typename, permname) < 0) {
virReportOOMError();
return NULL;
}
for (i = 0; actionid[i]; i++)
if (actionid[i] == '_')
actionid[i] = '-';
return actionid;
}
static char *
virAccessDriverPolkitFormatProcess(const char *actionid)
{
virIdentityPtr identity = virIdentityGetCurrent();
const char *process = NULL;
char *ret = NULL;
if (!identity) {
virAccessError(VIR_ERR_ACCESS_DENIED,
_("Policy kit denied action %s from <anonymous>"),
actionid);
return NULL;
}
if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
goto cleanup;
if (!process) {
virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
_("No UNIX process ID available"));
goto cleanup;
}
if (VIR_STRDUP(ret, process) < 0)
goto cleanup;
cleanup:
virObjectUnref(identity);
return ret;
}
static int
virAccessDriverPolkitCheck(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
const char *typename,
const char *permname,
const char **attrs)
{
char *actionid = NULL;
char *process = NULL;
virCommandPtr cmd = NULL;
int status;
int ret = -1;
if (!(actionid = virAccessDriverPolkitFormatAction(typename, permname)))
goto cleanup;
if (!(process = virAccessDriverPolkitFormatProcess(actionid)))
goto cleanup;
VIR_DEBUG("Check action '%s' for process '%s'", actionid, process);
cmd = virCommandNewArgList(PKCHECK_PATH,
"--action-id", actionid,
"--process", process,
NULL);
while (attrs && attrs[0] && attrs[1]) {
virCommandAddArgList(cmd, "--detail", attrs[0], attrs[1], NULL);
attrs += 2;
}
if (virCommandRun(cmd, &status) < 0)
goto cleanup;
if (status == 0) {
ret = 1; /* Allowed */
} else {
if (status == 1 ||
status == 2 ||
status == 3) {
ret = 0; /* Denied */
} else {
ret = -1; /* Error */
char *tmp = virProcessTranslateStatus(status);
virAccessError(VIR_ERR_ACCESS_DENIED,
_("Policy kit denied action %s from %s: %s"),
actionid, process, NULLSTR(tmp));
VIR_FREE(tmp);
}
goto cleanup;
}
cleanup:
virCommandFree(cmd);
VIR_FREE(actionid);
VIR_FREE(process);
return ret;
}
static int
virAccessDriverPolkitCheckConnect(virAccessManagerPtr manager,
const char *driverName,
virAccessPermConnect perm)
{
const char *attrs[] = {
"connect_driver", driverName,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"connect",
virAccessPermConnectTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckDomain(virAccessManagerPtr manager,
const char *driverName,
virDomainDefPtr domain,
virAccessPermDomain perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"domain_name", domain->name,
"domain_uuid", uuidstr,
NULL,
};
virUUIDFormat(domain->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"domain",
virAccessPermDomainTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckInterface(virAccessManagerPtr manager,
const char *driverName,
virInterfaceDefPtr iface,
virAccessPermInterface perm)
{
const char *attrs[] = {
"connect_driver", driverName,
"interface_name", iface->name,
"interface_macaddr", iface->mac,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"interface",
virAccessPermInterfaceTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
const char *driverName,
virNetworkDefPtr network,
virAccessPermNetwork perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"network_name", network->name,
"network_uuid", uuidstr,
NULL,
};
virUUIDFormat(network->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"network",
virAccessPermNetworkTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName,
virNodeDeviceDefPtr nodedev,
virAccessPermNodeDevice perm)
{
const char *attrs[] = {
"connect_driver", driverName,
"node_device_name", nodedev->name,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"nodedevice",
virAccessPermNodeDeviceTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckNWFilter(virAccessManagerPtr manager,
const char *driverName,
virNWFilterDefPtr nwfilter,
virAccessPermNWFilter perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"nwfilter_name", nwfilter->name,
"nwfilter_uuid", uuidstr,
NULL,
};
virUUIDFormat(nwfilter->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"nwfilter",
virAccessPermNWFilterTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
const char *driverName,
virSecretDefPtr secret,
virAccessPermSecret perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
virUUIDFormat(secret->uuid, uuidstr);
switch (secret->usage_type) {
default:
case VIR_SECRET_USAGE_TYPE_NONE: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
case VIR_SECRET_USAGE_TYPE_VOLUME: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
"secret_usage_volume", secret->usage.volume,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
case VIR_SECRET_USAGE_TYPE_CEPH: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
"secret_usage_ceph", secret->usage.ceph,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
case VIR_SECRET_USAGE_TYPE_ISCSI: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
"secret_usage_target", secret->usage.target,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
}
}
static int
virAccessDriverPolkitCheckStoragePool(virAccessManagerPtr manager,
const char *driverName,
virStoragePoolDefPtr pool,
virAccessPermStoragePool perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"pool_name", pool->name,
"pool_uuid", uuidstr,
NULL,
};
virUUIDFormat(pool->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"pool",
virAccessPermStoragePoolTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckStorageVol(virAccessManagerPtr manager,
const char *driverName,
virStoragePoolDefPtr pool,
virStorageVolDefPtr vol,
virAccessPermStorageVol perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"pool_name", pool->name,
"pool_uuid", uuidstr,
"vol_name", vol->name,
"vol_key", vol->key,
NULL,
};
virUUIDFormat(pool->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"vol",
virAccessPermStorageVolTypeToString(perm),
attrs);
}
virAccessDriver accessDriverPolkit = {
.privateDataLen = sizeof(virAccessDriverPolkitPrivate),
.name = "polkit",
.cleanup = virAccessDriverPolkitCleanup,
.checkConnect = virAccessDriverPolkitCheckConnect,
.checkDomain = virAccessDriverPolkitCheckDomain,
.checkInterface = virAccessDriverPolkitCheckInterface,
.checkNetwork = virAccessDriverPolkitCheckNetwork,
.checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
.checkNWFilter = virAccessDriverPolkitCheckNWFilter,
.checkSecret = virAccessDriverPolkitCheckSecret,
.checkStoragePool = virAccessDriverPolkitCheckStoragePool,
.checkStorageVol = virAccessDriverPolkitCheckStorageVol,
};

28
src/access/viraccessdriverpolkit.h Normal file
View File

@ -0,0 +1,28 @@
/*
* viraccessdriverpolkit.h: polkited access control driver
*
* Copyright (C) 2012 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#ifndef __VIR_ACCESS_DRIVER_POLKIT_H__
# define __VIR_ACCESS_DRIVER_POLKIT_H__
# include "viraccessdriver.h"
extern virAccessDriver accessDriverPolkit;
#endif /* __VIR_ACCESS_DRIVER_POLKIT_H__ */

6
src/access/viraccessmanager.c
View File

@ -23,6 +23,9 @@
#include "viraccessmanager.h"
#include "viraccessdrivernop.h"
#include "viraccessdriverstack.h"
#if WITH_POLKIT1
# include "viraccessdriverpolkit.h"
#endif
#include "viralloc.h"
#include "virerror.h"
#include "virobject.h"
@ -108,6 +111,9 @@ static virAccessManagerPtr virAccessManagerNewDriver(virAccessDriverPtr drv)
static virAccessDriverPtr accessDrivers[] = {
&accessDriverNop,
#if WITH_POLKIT1
&accessDriverPolkit,
#endif
};