mirror of
https://gitlab.com/libvirt/libvirt.git
synced 2024-12-26 15:45:28 +00:00
b904bba7f4
Add an access control driver that uses the pkcheck command to check authorization requests. This is fairly inefficient, particularly for cases where an API returns a list of objects and needs to check permission for each object. It would be desirable to use the polkit API but this links to glib with abort-on-OOM behaviour, so can't be used. The other alternative is to speak to dbus directly Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
120 lines
3.4 KiB
Perl
Executable File
120 lines
3.4 KiB
Perl
Executable File
#!/usr/bin/perl
|
|
#
|
|
# Copyright (C) 2012-2013 Red Hat, Inc.
|
|
#
|
|
# This library is free software; you can redistribute it and/or
|
|
# modify it under the terms of the GNU Lesser General Public
|
|
# License as published by the Free Software Foundation; either
|
|
# version 2.1 of the License, or (at your option) any later version.
|
|
#
|
|
# This library is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
# Lesser General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Lesser General Public
|
|
# License along with this library. If not, see
|
|
# <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
use strict;
|
|
use warnings;
|
|
|
|
my @objects = (
|
|
"CONNECT", "DOMAIN", "INTERFACE",
|
|
"NETWORK","NODE_DEVICE", "NWFILTER",
|
|
"SECRET", "STORAGE_POOL", "STORAGE_VOL",
|
|
);
|
|
|
|
my $objects = join ("|", @objects);
|
|
|
|
# Data we're going to be generating looks like this
|
|
#
|
|
# <policyconfig>
|
|
# <action id="org.libvirt.unix.monitor">
|
|
# <description>Monitor local virtualized systems</description>
|
|
# <message>System policy prevents monitoring of local virtualized systems</message>
|
|
# <defaults>
|
|
# <allow_any>yes</allow_any>
|
|
# <allow_inactive>yes</allow_inactive>
|
|
# <allow_active>yes</allow_active>
|
|
# </defaults>
|
|
# </action>
|
|
# ...more <action> rules...
|
|
# </policyconfig>
|
|
|
|
my %opts;
|
|
my $in_opts = 0;
|
|
|
|
my %perms;
|
|
|
|
while (<>) {
|
|
if ($in_opts) {
|
|
if (m,\*/,) {
|
|
$in_opts = 0;
|
|
} elsif (/\*\s*\@(\w+):\s*(.*?)\s*$/) {
|
|
$opts{$1} = $2;
|
|
}
|
|
} elsif (m,/\*\*,) {
|
|
$in_opts = 1;
|
|
} elsif (/VIR_ACCESS_PERM_($objects)_((?:\w|_)+),/) {
|
|
my $object = lc $1;
|
|
my $perm = lc $2;
|
|
next if $perm eq "last";
|
|
|
|
$object =~ s/_/-/g;
|
|
$perm =~ s/_/-/g;
|
|
|
|
$perms{$object} = {} unless exists $perms{$object};
|
|
$perms{$object}->{$perm} = {
|
|
desc => $opts{desc},
|
|
message => $opts{message},
|
|
anonymous => $opts{anonymous}
|
|
};
|
|
%opts = ();
|
|
}
|
|
}
|
|
|
|
print <<EOF;
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD polkit Policy Configuration 1.0//EN"
|
|
"http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
|
|
<policyconfig>
|
|
<vendor>Libvirt Project</vendor>
|
|
<vendor_url>http://libvirt.org</vendor_url>
|
|
EOF
|
|
|
|
foreach my $object (sort { $a cmp $b } keys %perms) {
|
|
foreach my $perm (sort { $a cmp $b } keys %{$perms{$object}}) {
|
|
my $description = $perms{$object}->{$perm}->{desc};
|
|
my $message = $perms{$object}->{$perm}->{message};
|
|
my $anonymous = $perms{$object}->{$perm}->{anonymous};
|
|
|
|
die "missing description for $object.$perm" unless
|
|
defined $description;
|
|
die "missing message for $object.$perm" unless
|
|
defined $message;
|
|
|
|
my $allow_any = $anonymous ? "yes" : "no";
|
|
my $allow_inactive = $allow_any;
|
|
my $allow_active = $allow_any;
|
|
|
|
print <<EOF;
|
|
<action id="org.libvirt.api.$object.$perm">
|
|
<description>$description</description>
|
|
<message>$message</message>
|
|
<defaults>
|
|
<allow_any>$allow_any</allow_any>
|
|
<allow_inactive>$allow_inactive</allow_inactive>
|
|
<allow_active>$allow_active</allow_active>
|
|
</defaults>
|
|
</action>
|
|
EOF
|
|
|
|
}
|
|
}
|
|
|
|
print <<EOF;
|
|
</policyconfig>
|
|
EOF
|