/*
* viraccessdriverpolkit.c: polkitd access control driver
*
* Copyright (C) 2012, 2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* .
*/
#include
#include "viraccessdriverpolkit.h"
#include "virlog.h"
#include "virerror.h"
#include "virpolkit.h"
#define VIR_FROM_THIS VIR_FROM_ACCESS
VIR_LOG_INIT("access.accessdriverpolkit");
#define virAccessError(code, ...) \
virReportErrorHelper(VIR_FROM_THIS, code, __FILE__, \
__FUNCTION__, __LINE__, __VA_ARGS__)
#define VIR_ACCESS_DRIVER_POLKIT_ACTION_PREFIX "org.libvirt.api"
typedef struct _virAccessDriverPolkitPrivate virAccessDriverPolkitPrivate;
struct _virAccessDriverPolkitPrivate {
bool ignore;
};
static void virAccessDriverPolkitCleanup(virAccessManager *manager G_GNUC_UNUSED)
{
}
static char *
virAccessDriverPolkitFormatAction(const char *typename,
const char *permname)
{
char *actionid = NULL;
size_t i;
actionid = g_strdup_printf("%s.%s.%s", VIR_ACCESS_DRIVER_POLKIT_ACTION_PREFIX,
typename, permname);
for (i = 0; actionid[i]; i++)
if (actionid[i] == '_')
actionid[i] = '-';
return actionid;
}
static int
virAccessDriverPolkitGetCaller(const char *actionid,
pid_t *pid,
unsigned long long *startTime,
uid_t *uid)
{
g_autoptr(virIdentity) identity = virIdentityGetCurrent();
int rc;
if (!identity) {
virAccessError(VIR_ERR_ACCESS_DENIED,
_("Policy kit denied action %s from "),
actionid);
return -1;
}
if ((rc = virIdentityGetProcessID(identity, pid)) < 0)
return -1;
if (rc == 0) {
virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
_("No process ID available"));
return -1;
}
if ((rc = virIdentityGetProcessTime(identity, startTime)) < 0)
return -1;
if (rc == 0) {
virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
_("No process start time available"));
return -1;
}
if ((rc = virIdentityGetUNIXUserID(identity, uid)) < 0)
return -1;
if (rc == 0) {
virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
_("No UNIX caller UID available"));
return -1;
}
return 0;
}
static int
virAccessDriverPolkitCheck(virAccessManager *manager G_GNUC_UNUSED,
const char *typename,
const char *permname,
const char **attrs)
{
g_autofree char *actionid = NULL;
pid_t pid;
uid_t uid;
unsigned long long startTime;
int rv;
if (!(actionid = virAccessDriverPolkitFormatAction(typename, permname)))
return -1;
if (virAccessDriverPolkitGetCaller(actionid,
&pid,
&startTime,
&uid) < 0)
return -1;
VIR_DEBUG("Check action '%s' for process '%lld' time %lld uid %d",
actionid, (long long)pid, startTime, uid);
rv = virPolkitCheckAuth(actionid,
pid,
startTime,
uid,
attrs,
false);
if (rv == 0) {
return 1; /* Allowed */
} else {
if (rv == -2) {
return 0; /* Denied */
} else {
return -1; /* Error */
}
}
}
static int
virAccessDriverPolkitCheckConnect(virAccessManager *manager,
const char *driverName,
virAccessPermConnect perm)
{
const char *attrs[] = {
"connect_driver", driverName,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"connect",
virAccessPermConnectTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckDomain(virAccessManager *manager,
const char *driverName,
virDomainDef *domain,
virAccessPermDomain perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"domain_name", domain->name,
"domain_uuid", uuidstr,
NULL,
};
virUUIDFormat(domain->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"domain",
virAccessPermDomainTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckInterface(virAccessManager *manager,
const char *driverName,
virInterfaceDef *iface,
virAccessPermInterface perm)
{
const char *attrs[] = {
"connect_driver", driverName,
"interface_name", iface->name,
"interface_macaddr", iface->mac,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"interface",
virAccessPermInterfaceTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckNetwork(virAccessManager *manager,
const char *driverName,
virNetworkDef *network,
virAccessPermNetwork perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"network_name", network->name,
"network_uuid", uuidstr,
NULL,
};
virUUIDFormat(network->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"network",
virAccessPermNetworkTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckNetworkPort(virAccessManager *manager,
const char *driverName,
virNetworkDef *network,
virNetworkPortDef *port,
virAccessPermNetworkPort perm)
{
char uuidstr1[VIR_UUID_STRING_BUFLEN];
char uuidstr2[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"network_name", network->name,
"network_uuid", uuidstr1,
"port_uuid", uuidstr2,
NULL,
};
virUUIDFormat(network->uuid, uuidstr1);
virUUIDFormat(port->uuid, uuidstr2);
return virAccessDriverPolkitCheck(manager,
"network-port",
virAccessPermNetworkPortTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckNodeDevice(virAccessManager *manager,
const char *driverName,
virNodeDeviceDef *nodedev,
virAccessPermNodeDevice perm)
{
const char *attrs[] = {
"connect_driver", driverName,
"node_device_name", nodedev->name,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"node-device",
virAccessPermNodeDeviceTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckNWFilter(virAccessManager *manager,
const char *driverName,
virNWFilterDef *nwfilter,
virAccessPermNWFilter perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"nwfilter_name", nwfilter->name,
"nwfilter_uuid", uuidstr,
NULL,
};
virUUIDFormat(nwfilter->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"nwfilter",
virAccessPermNWFilterTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckNWFilterBinding(virAccessManager *manager,
const char *driverName,
virNWFilterBindingDef *binding,
virAccessPermNWFilterBinding perm)
{
const char *attrs[] = {
"connect_driver", driverName,
"nwfilter_binding_portdev", binding->portdevname,
"nwfilter_binding_linkdev", binding->linkdevname,
"nwfilter_binding_filter", binding->filter,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"nwfilter_binding",
virAccessPermNWFilterBindingTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckSecret(virAccessManager *manager,
const char *driverName,
virSecretDef *secret,
virAccessPermSecret perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
virUUIDFormat(secret->uuid, uuidstr);
switch (secret->usage_type) {
default:
case VIR_SECRET_USAGE_TYPE_NONE: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
case VIR_SECRET_USAGE_TYPE_VOLUME: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
"secret_usage_volume", secret->usage_id,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
case VIR_SECRET_USAGE_TYPE_CEPH: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
"secret_usage_ceph", secret->usage_id,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
case VIR_SECRET_USAGE_TYPE_ISCSI: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
"secret_usage_target", secret->usage_id,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
case VIR_SECRET_USAGE_TYPE_TLS: {
const char *attrs[] = {
"connect_driver", driverName,
"secret_uuid", uuidstr,
"secret_usage_name", secret->usage_id,
NULL,
};
return virAccessDriverPolkitCheck(manager,
"secret",
virAccessPermSecretTypeToString(perm),
attrs);
} break;
}
}
static int
virAccessDriverPolkitCheckStoragePool(virAccessManager *manager,
const char *driverName,
virStoragePoolDef *pool,
virAccessPermStoragePool perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"pool_name", pool->name,
"pool_uuid", uuidstr,
NULL,
};
virUUIDFormat(pool->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"storage-pool",
virAccessPermStoragePoolTypeToString(perm),
attrs);
}
static int
virAccessDriverPolkitCheckStorageVol(virAccessManager *manager,
const char *driverName,
virStoragePoolDef *pool,
virStorageVolDef *vol,
virAccessPermStorageVol perm)
{
char uuidstr[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"pool_name", pool->name,
"pool_uuid", uuidstr,
"vol_name", vol->name,
"vol_key", vol->key,
NULL,
};
virUUIDFormat(pool->uuid, uuidstr);
return virAccessDriverPolkitCheck(manager,
"storage-vol",
virAccessPermStorageVolTypeToString(perm),
attrs);
}
virAccessDriver accessDriverPolkit = {
.privateDataLen = sizeof(virAccessDriverPolkitPrivate),
.name = "polkit",
.cleanup = virAccessDriverPolkitCleanup,
.checkConnect = virAccessDriverPolkitCheckConnect,
.checkDomain = virAccessDriverPolkitCheckDomain,
.checkInterface = virAccessDriverPolkitCheckInterface,
.checkNetwork = virAccessDriverPolkitCheckNetwork,
.checkNetworkPort = virAccessDriverPolkitCheckNetworkPort,
.checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
.checkNWFilter = virAccessDriverPolkitCheckNWFilter,
.checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,
.checkSecret = virAccessDriverPolkitCheckSecret,
.checkStoragePool = virAccessDriverPolkitCheckStoragePool,
.checkStorageVol = virAccessDriverPolkitCheckStorageVol,
};