65 Commits

Author SHA1 Message Date
Daniel P. Berrangé
80fcfab9ce access: ensure ACL files are rebuilt when protocol changes
Meson is not told that the .x protocol files are an input for the
generator, so it doesn't know to setup a rebuild dependancy.

Reviewed-by: Erik Skultety <eskultet@redhat.com>
Reviewed-by: Pavel Hrdina <phrdina@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2020-09-16 15:53:27 +01:00
Pavel Hrdina
4d0e327b70 meson: src/access: add check-aclperms test
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-08-03 09:27:05 +02:00
Pavel Hrdina
f7ca387fa6 meson: src/access: generate libvirt_access*.xml files
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-08-03 09:27:05 +02:00
Pavel Hrdina
85c11323b1 meson: src/access: generate org.libvirt.api.policy
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-08-03 09:27:05 +02:00
Pavel Hrdina
b681012422 meson: src: build libvirt.so library
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-08-03 09:27:04 +02:00
Pavel Hrdina
215a753222 meson: src: build libvirt.syms and libvirt.def symbol files
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-08-03 09:27:04 +02:00
Pavel Hrdina
9e24d677a0 meson: src: build libvirt_access.a static library
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-08-03 09:27:04 +02:00
Pavel Hrdina
b63c979fc9 meson: remove automake specific directives
EXTRA_DIST is not relevant because meson makes a git copy when creating
dist archive so everything tracked by git is part of dist tarball.

The remaining ones are not converted to meson files as they are
automatically tracked by meson.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Neal Gompa <ngompa13@gmail.com>
2020-08-03 09:26:25 +02:00
Ján Tomko
b11e8cccdd Remove virutil.h from all header files
After the split of enum functions into virenum.h,
this function does not contain anything worth including
in another header file.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel Henrique Barboza <danielhb413@gmail.com>
2020-02-24 23:15:50 +01:00
Daniel P. Berrangé
cccc3fc1bb access: report an error if no access manager is present
The code calling this method expects it to have reported an error on
failure.

Reviewed-by: Cole Robinson <crobinso@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-12-18 14:04:51 +00:00
Daniel P. Berrangé
a5c72a0061 src: rewrite polkit ACL generator in Python
As part of a goal to eliminate Perl from libvirt build tools,
rewrite the genpolkit.pl tool in Python.

This was a straight conversion, manually going line-by-line to
change the syntax from Perl to Python. Thus the overall structure
of the file and approach is the same.

Tested-by: Cole Robinson <crobinso@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-11-20 14:45:25 +00:00
Michal Privoznik
87af7ff8b7 access: Use g_strdup_printf() instead of virAsprintf()
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-11-12 16:15:58 +01:00
Pavel Hrdina
0985a9597b src: stop distributing generated source files
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-11-08 17:07:57 +01:00
Pavel Hrdina
b98f90cf91 src: access: generate source files into build directory
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-11-08 17:07:57 +01:00
Ján Tomko
67e72053c1 Use G_N_ELEMENTS instead of ARRAY_CARDINALITY
Prefer the GLib version of the macro.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-15 16:14:19 +02:00
Ján Tomko
96013d0dcf access: use G_GNUC_UNUSED
Use G_GNUC_UNUSED from GLib instead of ATTRIBUTE_UNUSED.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-10-15 11:25:22 +02:00
Daniel P. Berrangé
f80c8dab85 access: convert polkit driver to auto free memory
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-10-14 10:54:42 +01:00
Daniel P. Berrangé
cfbe9f1201 build: link to glib library
Add the main glib.h to internal.h so that all common code can use it.

Historically glib allowed applications to register an alternative
memory allocator, so mixing g_malloc/g_free with malloc/free was not
safe.

This was feature was dropped in 2.46.0 with:

      commit 3be6ed60aa58095691bd697344765e715a327fc1
      Author: Alexander Larsson <alexl@redhat.com>
      Date:   Sat Jun 27 18:38:42 2015 +0200

        Deprecate and drop support for memory vtables

Applications are still encourged to match g_malloc/g_free, but it is no
longer a mandatory requirement for correctness, just stylistic. This is
explicitly clarified in

    commit 1f24b36607bf708f037396014b2cdbc08d67b275
    Author: Daniel P. Berrangé <berrange@redhat.com>
    Date:   Thu Sep 5 14:37:54 2019 +0100

        gmem: clarify that g_malloc always uses the system allocator

Applications can still use custom allocators in general, but they must
do this by linking to a library that replaces the core malloc/free
implemenentation entirely, instead of via a glib specific call.

This means that libvirt does not need to be concerned about use of
g_malloc/g_free causing an ABI change in the public libary, and can
avoid memory copying when talking to external libraries.

This patch probes for glib, which provides the foundation layer with
a collection of data structures, helper APIs, and platform portability
logic.

Later patches will introduce linkage to gobject which provides the
object type system, built on glib, and gio which providing objects
for various interesting tasks, most notably including DBus client
and server support and portable sockets APIs, but much more too.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-10-14 10:54:42 +01:00
Daniel P. Berrangé
45b273d981 util: sanitize return values for virIdentity getters
The virIdentity getters are unusual in that they return -1 to indicate
"not found" and don't report any error. Change them to return -1 for
real errors, 0 for not found, and 1 for success.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-09-16 11:25:34 +01:00
Daniel P. Berrangé
4597a23f50 util: change identity class attribute names
Remove the "UNIX" tag from the names for user name, group name,
process ID and process time, since these attributes are all usable
for non-UNIX platforms like Windows.

User ID and group ID are left with a "UNIX" tag, since there's no
equivalent on Windows. The closest equivalent concept on Windows,
SID, is a struct containing a number of integer fields, which is
commonly represented in string format instead. This would require
a separate attribute, and is left for a future exercise, since
the daemons are not currently built on Windows anyway.

Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-09-16 11:25:10 +01:00
Laine Stump
8d6eaf5e09 access: fix incorrect addition to virAccessPermNetwork
Commit e69444e17 (first appeared in libvirt-5.5.0) added the new value
"VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS" to the virAccessPerNetwork
enum, and also the string "search_ports" to the VIR_ENUM_IMPL() macro
for that enum. Unfortunately, the enum value was added in the middle
of the list, while the string was added to the end of the
VIR_ENUM_IMPL().

This patch corrects that error by moving the new value to the end of
the enum definition, so that the order matches that of the string
list.

Resolves: https://bugzilla.redhat.com/1741428

Signed-off-by: Laine Stump <laine@redhat.com>
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
2019-08-16 11:56:56 -04:00
Eric Blake
4f0438ef7c backup: Add new domain:checkpoint access control
Creating a checkpoint does not modify guest-visible state,
but does modify host resources.  Rather than reuse existing
domain:write, domain:block_write, or domain:snapshot access
controls, it seems better to introduce a new access control
specific to tasks related to checkpoints and incremental
backups of guest disk state.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-26 16:48:58 -05:00
Daniel P. Berrangé
e69444e179 access: add permissions for network port objects
Reviewed-by: Laine Stump <laine@laine.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2019-06-17 15:19:54 +01:00
Jonathon Jongsma
bed1143ff5 src/access: use #pragma once in headers
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2019-06-13 17:05:08 +02:00
Andrea Bolognani
03a07357e1 maint: Add filetype annotations to Makefile.inc.am
Vim has trouble figuring out the filetype automatically because
the name doesn't follow existing conventions; annotations like
the ones we already have in Makefile.ci help it out.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-04-12 16:55:38 +02:00
Peter Krempa
285c5f28c4 util: Move enum convertors into virenum.(c|h)
virutil.(c|h) is a very gross collection of random code. Remove the enum
handlers from there so we can limit the scope where virtutil.h is used.

Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2019-04-10 09:12:04 +02:00
Cole Robinson
6a4d938dd3 Require a semicolon for VIR_ENUM_IMPL calls
Missing semicolon at the end of macros can confuse some analyzers
(like cppcheck <filename>), and we have a mix of semicolon and
non-semicolon usage through the code. Let's standardize on using
a semicolon for VIR_ENUM_IMPL calls.

Move the verify() statement to the end of the macro and drop
the semicolon, so the compiler will require callers to add a
semicolon.

While we are touching these call sites, standardize on putting
the closing parenth on its own line, as discussed here:
https://www.redhat.com/archives/libvir-list/2019-January/msg00750.html

Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Cole Robinson <crobinso@redhat.com>
2019-02-03 17:46:29 -05:00
Daniel P. Berrangé
568a417224 Enforce a standard header file guard symbol name
Require that all headers are guarded by a symbol named

  LIBVIRT_$FILENAME

where $FILENAME is the uppercased filename, with all characters
outside a-z changed into '_'.

Note we do not use a leading __ because that is technically a
namespace reserved for the toolchain.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-12-14 10:47:13 +00:00
Yuri Chornoivan
e5c1fbca24 Fix minor typos in messages and docs
Signed-off-by: Yuri Chornoivan <yurchor@ukr.net>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-12-05 10:39:54 +01:00
John Ferlan
605496be60 access: Modify the VIR_ERR_ACCESS_DENIED to include driverName
https://bugzilla.redhat.com/show_bug.cgi?id=1631606

Changes made to manage and utilize a secondary connection
driver to APIs outside the scope of the primary connection
driver have resulted in some confusion processing polkit rules
since the simple "access denied" error message doesn't provide
enough of a clue when combined with the "authentication failed:
access denied by policy" as to which connection driver refused
or failed the ACL check.

In order to provide some context, let's modify the existing
"access denied" error returned from the various vir*EnsureACL
API's to provide the connection driver name that is causing
the failure. This should provide the context for writing the
polkit rules that would allow access via the driver, but yet
still adhere to the virAccessManagerSanitizeError commentary
regarding not telling the user why access was denied.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2018-11-14 14:06:43 -05:00
John Ferlan
b08396a5fe Revert "access: Modify the VIR_ERR_ACCESS_DENIED to include driverName"
This reverts commit ccc72d5cbdd85f66cb737134b3be40aac1df03ef.

Based on upstream comment to a follow-up patch, this didn't take the
right approach and the right thing to do is revert and rework.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2018-11-14 14:06:43 -05:00
John Ferlan
ccc72d5cbd access: Modify the VIR_ERR_ACCESS_DENIED to include driverName
https://bugzilla.redhat.com/show_bug.cgi?id=1631606

Changes made to manage and utilize a secondary connection
driver to APIs outside the scope of the primary connection
driver have resulted in some confusion processing polkit rules
since the simple "access denied" error message doesn't provide
enough of a clue when combined with the "authentication failed:
access denied by policy" as to which connection driver refused
or failed the ACL check.

In order to provide some context, let's modify the existing
"access denied" error returne from the various vir*EnsureACL
API's to provide the connection driver name that is causing
the failure. This should provide the context for writing the
polkit rules that would allow access via the driver.

Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
2018-11-05 07:13:03 -05:00
John Ferlan
6ef65e3c96 access: Fix nwfilter-binding ACL access API name generation
https://bugzilla.redhat.com/show_bug.cgi?id=1611320

Generation of the ACL API policy is a "automated process"
based on this perl script which "worked" with the changes to
add nwfilter binding API's because they had the "nwfilter"
prefix; however, the generated output name was incorrect
based on the remote protocol algorithm which expected to
generate names such as 'nwfilter-binding.action' instead
of 'nwfilter.binding-action'.

This effectively changes src/access/org.libvirt.api.policy entries:

  org.libvirt.api.nwfilter.binding-create ==>
      org.libvirt.api.nwfilter-binding.create

  org.libvirt.api.nwfilter.binding-delete ==>
      org.libvirt.api.nwfilter-binding.delete

  org.libvirt.api.nwfilter.binding-getattr ==>
      org.libvirt.api.nwfilter-binding.getattr

  org.libvirt.api.nwfilter.binding-read ==>
      org.libvirt.api.nwfilter-binding.read

Signed-off-by: John Ferlan <jferlan@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2018-08-24 08:04:14 -04:00
Daniel P. Berrangé
099812f59d access: add nwfilter binding object permissions
Reviewed-by: John Ferlan <jferlan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-06-26 11:22:07 +01:00
Martin Kletzander
76f253d866 access/: Remove spaces after casts
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
2018-05-03 22:31:36 +02:00
Michal Privoznik
10f94828ea virobject: Introduce VIR_CLASS_NEW() macro
So far we are repeating the following lines over and over:

  if (!(virSomeObjectClass = virClassNew(virClassForObject(),
                             "virSomeObject",
                             sizeof(virSomeObject),
                             virSomeObjectDispose)))
      return -1;

While this works, it is impossible to do some checking. Firstly,
the class name (the 2nd argument) doesn't match the name in the
code in all cases (the 3rd argument). Secondly, the current style
is needlessly verbose. This commit turns example into following:

  if (!(VIR_CLASS_NEW(virSomeObject,
                      virClassForObject)))
      return -1;

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2018-04-18 10:04:55 +02:00
Ján Tomko
0d4b988b3e Merge WITH_POLKIT1 and WITH_POLKIT
There is just one polkit now.

Signed-off-by: Ján Tomko <jtomko@redhat.com>
2018-03-14 12:46:26 +01:00
Daniel P. Berrangé
3c1e95e6ff make: split access driver build rules into access/Makefile.inc.am
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
2018-03-05 17:12:01 +00:00
Andrea Bolognani
3e7db8d3e8 Remove backslash alignment attempts
Right-aligning backslashes when defining macros or using complex
commands in Makefiles looks cute, but as soon as any changes is
required to the code you end up with either distractingly broken
alignment or unnecessarily big diffs where most of the changes
are just pushing all backslashes a few characters to one side.

Generated using

  $ git grep -El '[[:blank:]][[:blank:]]\\$' | \
    grep -E '*\.([chx]|am|mk)$$' | \
    while read f; do \
      sed -Ei 's/[[:blank:]]*[[:blank:]]\\$/ \\/g' "$f"; \
    done

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-11-03 13:24:12 +01:00
Daniel P. Berrange
e371b3bf41 Use https:// links for most sites
This adds a rule to require https links for the libvirt, qemu
and kvm websites.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-10-16 10:22:34 +01:00
Andrea Bolognani
90b17aef1a perl: Don't hardcode interpreter path
This is particularly useful on operating systems that don't ship
Perl as part of the base system (eg. FreeBSD) while still working
just as well as it did before on Linux.

In one case (src/rpc/genprotocol.pl) the interpreter path was
missing altogether.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
2017-09-19 16:04:53 +02:00
Daniel P. Berrange
bd300b7194 conf: simplify internal virSecretDef handling of usage
The public virSecret object has a single "usage_id" field
but the virSecretDef object has a different 'char *' field
for each usage type, but the code all assumes every usage
type has a corresponding single string. Get rid of the
pointless union in virSecretDef and just use "usage_id"
everywhere. This doesn't impact public XML format, only
the internal handling.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-01-09 15:53:49 +00:00
John Ferlan
13350a17e4 conf: Add new secret type "tls"
Add a new secret usage type known as "tls" - it will handle adding the
secret objects for various TLS objects that need to provide some sort
of passphrase in order to access the credentials.

The format is:

   <secret ephemeral='no' private='no'>
     <description>Sample TLS secret</description>
     <usage type='tls'>
       <name>mumblyfratz</name>
     </usage>
</secret>

Once defined and a passphrase set, future patches will allow the UUID
to be set in the qemu.conf file and thus used as a secret for various
TLS options such as a chardev serial TCP connection, a NBD client/server
connection, and migration.

Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-09-09 08:20:05 -04:00
John Ferlan
dae3b96560 conf: Revert changes to add new secret type "passphrase"
Revert the remainder of commit id 'c84380106'
2016-07-14 13:47:08 -04:00
John Ferlan
c84380106f conf: Add new secret type "passphrase"
Add a new secret type known as "passphrase" - it will handle adding the
secret objects that need a passphrase without a specific username.

The format is:

   <secret ...>
     <uuid>...</uuid>
     ...
     <usage type='passphrase'>
       <name>mumblyfratz</name>
     </usage>
   </secret>

Signed-off-by: John Ferlan <jferlan@redhat.com>
2016-07-01 15:45:41 -04:00
Michal Privoznik
54012746ae viraccessperm.h: Fix some typos
Like s/authoriation/authorization/ and s/requries/requires/

Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
2015-07-17 09:41:31 +02:00
Ján Tomko
e8982c88bd Introduce virDomainSetUserPassword API
For setting passwords of users inside the domain.

With the VIR_DOMAIN_PASSWORD_ENCRYPTED flag set, the password
is assumed to be already encrypted by the method required
by the guest OS.

https://bugzilla.redhat.com/show_bug.cgi?id=1174177
2015-05-21 16:04:01 +02:00
Eric Blake
1398b70044 build: fix mingw printing of pid
Commit c75425734 introduced a compilation failure:

../../src/access/viraccessdriverpolkit.c: In function 'virAccessDriverPolkitCheck':
../../src/access/viraccessdriverpolkit.c:137:5: error: format '%d' expects argument of type 'int', but argument 9 has type 'pid_t' [-Werror=format=]
     VIR_DEBUG("Check action '%s' for process '%d' time %lld uid %d",
     ^

Since mingw pid_t is 64 bits, it's easier to just follow what we've
done elsewhere and cast to a large enough type when printing pids.

* src/access/viraccessdriverpolkit.c (virAccessDriverPolkitCheck):
Add cast.

Signed-off-by: Eric Blake <eblake@redhat.com>
2014-12-08 15:01:24 -07:00
Martin Kletzander
138c2aee01 Remove unnecessary curly brackets in rest of src/[a-n]*/
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
2014-11-14 17:13:36 +01:00
Pavel Hrdina
c4b4b13ccb polkit_driver: fix possible segfault
The changes in commit c7542573 introduced possible segfault. Looking
deeper into the code and the original code before the patch series were
applied I think that we should report error for each function failure
and also we shouldn't call some of the function twice.

Found by coverity.

Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
2014-09-25 12:53:37 +02:00