util: introduce concept of a system token into identities

We want a way to distinguish between calls from a libvirt daemon, and a
regular client application when both are running as the same user
account. This is not possible with the current set of attributes
recorded against an identity, as there is nothing that is common to all
of the modular libvirt daemons, while distinct to all other processes.

We thus introduce the idea of a system token, which is simply a random
hex string that is only known by the libvirt daemons, to be recorded
against the system identity.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2020-11-19 12:26:17 +00:00
parent 1ca3959712
commit d5d011f767
3 changed files with 40 additions and 0 deletions

View File

@ -2404,6 +2404,7 @@ virIdentityGetProcessTime;
virIdentityGetSASLUserName; virIdentityGetSASLUserName;
virIdentityGetSELinuxContext; virIdentityGetSELinuxContext;
virIdentityGetSystem; virIdentityGetSystem;
virIdentityGetSystemToken;
virIdentityGetUNIXGroupID; virIdentityGetUNIXGroupID;
virIdentityGetUNIXUserID; virIdentityGetUNIXUserID;
virIdentityGetUserName; virIdentityGetUserName;
@ -2416,6 +2417,7 @@ virIdentitySetProcessID;
virIdentitySetProcessTime; virIdentitySetProcessTime;
virIdentitySetSASLUserName; virIdentitySetSASLUserName;
virIdentitySetSELinuxContext; virIdentitySetSELinuxContext;
virIdentitySetSystemToken;
virIdentitySetUNIXGroupID; virIdentitySetUNIXGroupID;
virIdentitySetUNIXUserID; virIdentitySetUNIXUserID;
virIdentitySetUserName; virIdentitySetUserName;

View File

@ -40,6 +40,8 @@
#define VIR_FROM_THIS VIR_FROM_IDENTITY #define VIR_FROM_THIS VIR_FROM_IDENTITY
#define VIR_CONNECT_IDENTITY_SYSTEM_TOKEN "system.token"
VIR_LOG_INIT("util.identity"); VIR_LOG_INIT("util.identity");
struct _virIdentity { struct _virIdentity {
@ -382,6 +384,17 @@ int virIdentityGetSELinuxContext(virIdentity *ident,
} }
int virIdentityGetSystemToken(virIdentity *ident,
const char **token)
{
*token = NULL;
return virTypedParamsGetString(ident->params,
ident->nparams,
VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
token);
}
int virIdentitySetUserName(virIdentity *ident, int virIdentitySetUserName(virIdentity *ident,
const char *username) const char *username)
{ {
@ -554,6 +567,25 @@ int virIdentitySetSELinuxContext(virIdentity *ident,
} }
int virIdentitySetSystemToken(virIdentity *ident,
const char *token)
{
if (virTypedParamsGet(ident->params,
ident->nparams,
VIR_CONNECT_IDENTITY_SYSTEM_TOKEN)) {
virReportError(VIR_ERR_OPERATION_DENIED, "%s",
_("Identity attribute is already set"));
return -1;
}
return virTypedParamsAddString(&ident->params,
&ident->nparams,
&ident->maxparams,
VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
token);
}
int virIdentitySetParameters(virIdentity *ident, int virIdentitySetParameters(virIdentity *ident,
virTypedParameterPtr params, virTypedParameterPtr params,
int nparams) int nparams)
@ -577,6 +609,8 @@ int virIdentitySetParameters(virIdentity *ident,
VIR_TYPED_PARAM_STRING, VIR_TYPED_PARAM_STRING,
VIR_CONNECT_IDENTITY_SELINUX_CONTEXT, VIR_CONNECT_IDENTITY_SELINUX_CONTEXT,
VIR_TYPED_PARAM_STRING, VIR_TYPED_PARAM_STRING,
VIR_CONNECT_IDENTITY_SYSTEM_TOKEN,
VIR_TYPED_PARAM_STRING,
NULL) < 0) NULL) < 0)
return -1; return -1;

View File

@ -52,6 +52,8 @@ int virIdentityGetX509DName(virIdentity *ident,
const char **dname); const char **dname);
int virIdentityGetSELinuxContext(virIdentity *ident, int virIdentityGetSELinuxContext(virIdentity *ident,
const char **context); const char **context);
int virIdentityGetSystemToken(virIdentity *ident,
const char **token);
int virIdentitySetUserName(virIdentity *ident, int virIdentitySetUserName(virIdentity *ident,
@ -72,6 +74,8 @@ int virIdentitySetX509DName(virIdentity *ident,
const char *dname); const char *dname);
int virIdentitySetSELinuxContext(virIdentity *ident, int virIdentitySetSELinuxContext(virIdentity *ident,
const char *context); const char *context);
int virIdentitySetSystemToken(virIdentity *ident,
const char *token);
int virIdentitySetParameters(virIdentity *ident, int virIdentitySetParameters(virIdentity *ident,
virTypedParameterPtr params, virTypedParameterPtr params,