libvirt/src/access/viraccessperm.h
Eric Blake 4f0438ef7c backup: Add new domain:checkpoint access control
Creating a checkpoint does not modify guest-visible state,
but does modify host resources.  Rather than reuse existing
domain:write, domain:block_write, or domain:snapshot access
controls, it seems better to introduce a new access control
specific to tasks related to checkpoints and incremental
backups of guest disk state.

Signed-off-by: Eric Blake <eblake@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
2019-07-26 16:48:58 -05:00

751 lines
20 KiB
C

/*
* viraccessperm.h: access control permissions
*
* Copyright (C) 2012-2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library. If not, see
* <http://www.gnu.org/licenses/>.
*/
#pragma once
#include "internal.h"
#include "virutil.h"
#include "virenum.h"
typedef enum {
/**
* @desc: Access connection
* @message: Accessing the connection requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_GETATTR,
/**
* @desc: Read host
* @message: Reading the host configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_READ,
/**
* @desc: Write host
* @message: Writing the host configuration requires authorization
*/
VIR_ACCESS_PERM_CONNECT_WRITE,
/**
* @desc: List domains
* @message: Listing domains or using domain events requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS,
/**
* @desc: List networks
* @message: Listing networks or using network events requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS,
/**
* @desc: List storage pools
* @message: Listing storage pools requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_STORAGE_POOLS,
/**
* @desc: List node devices
* @message: Listing node devices requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_NODE_DEVICES,
/**
* @desc: List interfaces
* @message: Listing interfaces requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_INTERFACES,
/**
* @desc: List secrets
* @message: Listing secrets requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_SECRETS,
/**
* @desc: List network filters
* @message: Listing network filters requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTERS,
/**
* @desc: List network filter bindings
* @message: Listing network filter bindings requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTER_BINDINGS,
/**
* @desc: Detect storage pools
* @message: Detecting storage pools requires authorization
*/
VIR_ACCESS_PERM_CONNECT_DETECT_STORAGE_POOLS,
/**
* @desc: Use host power management
* @message: Using host power management requires authorization
*/
VIR_ACCESS_PERM_CONNECT_PM_CONTROL,
/**
* @desc: Interface transactions
* @message: Using interface transactions requires authorization
*/
VIR_ACCESS_PERM_CONNECT_INTERFACE_TRANSACTION,
VIR_ACCESS_PERM_CONNECT_LAST,
} virAccessPermConnect;
typedef enum {
/**
* @desc: Access domain
* @message: Accessing the domain requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_DOMAIN_GETATTR, /* Name/ID/UUID access */
/**
* @desc: Read domain
* @message: Reading domain configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_DOMAIN_READ, /* Config view */
/**
* @desc: Write domain
* @message: Writing domain configuration requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_WRITE, /* Config change */
/**
* @desc: Read secure domain
* @message: Reading secure domain configuration requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_READ_SECURE, /* Config access of passwords */
/**
* @desc: Start domain
* @message: Starting the domain requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_START, /* Power on */
/**
* @desc: Stop domain
* @message: Stopping the domain requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_STOP, /* Power off */
/**
* @desc: Reset domain
* @message: Resetting the domain requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_RESET, /* Power reset */
/**
* @desc: Save domain
* @message: Saving domain configuration requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_SAVE, /* Write out persistent config */
/**
* @desc: Delete domain
* @message: Deleting domain configuration requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_DELETE, /* Remove persistent config */
/**
* @desc: Migrate domain
* @message: Migrating domain requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_MIGRATE, /* Host migration */
/**
* @desc: Checkpoint domain
* @message: Checkpointing domain requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_CHECKPOINT, /* Checkpoint disks */
/**
* @desc: Snapshot domain
* @message: Snapshotting domain requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_SNAPSHOT, /* Snapshot disks/memory */
/**
* @desc: Suspend domain
* @message: Suspending domain CPUs requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_SUSPEND, /* Pause/resume CPUs */
/**
* @desc: Hibernate domain
* @message: Saving domain state requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_HIBERNATE, /* Save state to host */
/**
* @desc: Dump domain
* @message: Dumping domain corefile requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_CORE_DUMP, /* Dump guest core */
/**
* @desc: Use domain power management
* @message: Using domain power management requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_PM_CONTROL, /* S3/S5 suspend/wakeup */
/* Interactions with guest OS */
/**
* @desc: Domain init control
* @message: Controlling domain init process requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_INIT_CONTROL, /* Init shutdown/reboot request */
/**
* @desc: Inject domain NMI
* @message: Injecting interrupt requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_INJECT_NMI, /* Trigger interrupts */
/**
* @desc: Send domain input
* @message: Sending input events to domain requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_SEND_INPUT, /* Send guest input device (key/mouse) events */
/**
* @desc: Send domain signal
* @message: Sending signals to processes in domain requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_SEND_SIGNAL, /* Send a signal to processes inside */
/**
* @desc: Trim domain filesystems
* @message: Trimming domain filesystems requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_FS_TRIM, /* Issue TRIM to guest filesystems */
/**
* @desc: Freeze and thaw domain filesystems
* @message: Freezing and thawing domain filesystems requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_FS_FREEZE, /* Freeze and thaw guest filesystems */
/* Peeking at guest */
/**
* @desc: Read domain block
* @message: Reading domain block devices requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_BLOCK_READ, /* Read data from block devices */
/**
* @desc: Write domain block
* @message: Writing domain block devices requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_BLOCK_WRITE, /* resize/pull/rebase/commit */
/**
* @desc: Read domain memory
* @message: Reading domain memory requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_MEM_READ, /* Read data from guest memory */
/* Device interaction */
/**
* @desc: Open domain graphics
* @message: Opening domain graphics console requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_OPEN_GRAPHICS, /* Open graphical console */
/**
* @desc: Open domain device
* @message: Opening domain devices requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_OPEN_DEVICE, /* Open a guest console/channel */
/**
* @desc: Take domain screenshot
* @message: Taking domain screenshots requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_SCREENSHOT, /* Trigger a screen shot */
/**
* @desc: Open domain namespace
* @message: Opening domain namespaces requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_OPEN_NAMESPACE,
/**
* @desc: Write domain time
* @message: Setting the domain time requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_SET_TIME,
/**
* @desc: Set password of the domain's account
* @message: Setting the domain accounts' password requires authorization
*/
VIR_ACCESS_PERM_DOMAIN_SET_PASSWORD,
VIR_ACCESS_PERM_DOMAIN_LAST,
} virAccessPermDomain;
typedef enum {
/**
* @desc: Access interface
* @message: Accessing interface requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_INTERFACE_GETATTR,
/**
* @desc: Read interface
* @message: Reading interface configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_INTERFACE_READ,
/**
* @desc: Write interface
* @message: Writing interface configuration requires authorization
*/
VIR_ACCESS_PERM_INTERFACE_WRITE,
/**
* @desc: Save interface
* @message: Saving interface configuration requires authorization
*/
VIR_ACCESS_PERM_INTERFACE_SAVE,
/**
* @desc: Delete interface
* @message: Deleting interface configuration requires authorization
*/
VIR_ACCESS_PERM_INTERFACE_DELETE,
/**
* @desc: Start interface
* @message: Starting interface requires authorization
*/
VIR_ACCESS_PERM_INTERFACE_START,
/**
* @desc: Stop interface
* @message: Stopping interface requires authorization
*/
VIR_ACCESS_PERM_INTERFACE_STOP,
VIR_ACCESS_PERM_INTERFACE_LAST
} virAccessPermInterface;
typedef enum {
/**
* @desc: Access network
* @message: Accessing network requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NETWORK_GETATTR,
/**
* @desc: Read network
* @message: Reading network configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NETWORK_READ,
/**
* @desc: Write network
* @message: Writing network configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_WRITE,
/**
* @desc: Save network
* @message: Saving network configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_SAVE,
/**
* @desc: Delete network
* @message: Deleting network configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_DELETE,
/**
* @desc: Start network
* @message: Starting network requires authorization
*/
VIR_ACCESS_PERM_NETWORK_START,
/**
* @desc: List network ports
* @message: Listing network ports requires authorization
*/
VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
/**
* @desc: Stop network
* @message: Stopping network requires authorization
*/
VIR_ACCESS_PERM_NETWORK_STOP,
VIR_ACCESS_PERM_NETWORK_LAST
} virAccessPermNetwork;
typedef enum {
/**
* @desc: Access network port
* @message: Accessing network port requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NETWORK_PORT_GETATTR,
/**
* @desc: Read network port
* @message: Reading network port configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NETWORK_PORT_READ,
/**
* @desc: Read network port
* @message: Writing network port configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_PORT_WRITE,
/**
* @desc: Create network port
* @message: Creating network port configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_PORT_CREATE,
/**
* @desc: Delete network port
* @message: Deleting network port configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_PORT_DELETE,
VIR_ACCESS_PERM_NETWORK_PORT_LAST
} virAccessPermNetworkPort;
typedef enum {
/**
* @desc: Access node device
* @message: Accessing node device requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NODE_DEVICE_GETATTR,
/**
* @desc: Read node device
* @message: Reading node device configuration requires authorization
*/
VIR_ACCESS_PERM_NODE_DEVICE_READ,
/**
* @desc: Write node device
* @message: Writing node device configuration requires authorization
*/
VIR_ACCESS_PERM_NODE_DEVICE_WRITE,
/**
* @desc: Start node device
* @message: Starting node device requires authorization
*/
VIR_ACCESS_PERM_NODE_DEVICE_START,
/**
* @desc: Stop node device
* @message: Stopping node device requires authorization
*/
VIR_ACCESS_PERM_NODE_DEVICE_STOP,
/**
* @desc: Detach node device
* @message: Detaching node device driver requires authorization
*/
VIR_ACCESS_PERM_NODE_DEVICE_DETACH,
VIR_ACCESS_PERM_NODE_DEVICE_LAST
} virAccessPermNodeDevice;
typedef enum {
/**
* @desc: Access network filter
* @message: Accessing network filter requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NWFILTER_GETATTR,
/**
* @desc: Read network filter
* @message: Reading network filter configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NWFILTER_READ,
/**
* @desc: Write network filter
* @message: Writing network filter configuration requires authorization
*/
VIR_ACCESS_PERM_NWFILTER_WRITE,
/**
* @desc: Save network filter
* @message: Saving network filter configuration requires authorization
*/
VIR_ACCESS_PERM_NWFILTER_SAVE,
/**
* @desc: Delete network filter
* @message: Deleting network filter configuration requires authorization
*/
VIR_ACCESS_PERM_NWFILTER_DELETE,
VIR_ACCESS_PERM_NWFILTER_LAST
} virAccessPermNWFilter;
typedef enum {
/**
* @desc: Access network filter
* @message: Accessing network filter requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NWFILTER_BINDING_GETATTR,
/**
* @desc: Read network filter binding
* @message: Reading network filter configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NWFILTER_BINDING_READ,
/**
* @desc: Create network filter binding
* @message: Creating network filter binding requires authorization
*/
VIR_ACCESS_PERM_NWFILTER_BINDING_CREATE,
/**
* @desc: Delete network filter binding
* @message: Deleting network filter binding requires authorization
*/
VIR_ACCESS_PERM_NWFILTER_BINDING_DELETE,
VIR_ACCESS_PERM_NWFILTER_BINDING_LAST
} virAccessPermNWFilterBinding;
typedef enum {
/**
* @desc: Access secret
* @message: Accessing secret requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_SECRET_GETATTR,
/**
* @desc: Read secret
* @message: Reading secret configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_SECRET_READ,
/**
* @desc: Write secret
* @message: Writing secret configuration requires authorization
*/
VIR_ACCESS_PERM_SECRET_WRITE,
/**
* @desc: Read secure secret
* @message: Reading secure secret configuration requires authorization
*/
VIR_ACCESS_PERM_SECRET_READ_SECURE,
/**
* @desc: Save secret
* @message: Saving secret configuration requires authorization
*/
VIR_ACCESS_PERM_SECRET_SAVE,
/**
* @desc: Delete secret
* @message: Deleting secret configuration requires authorization
*/
VIR_ACCESS_PERM_SECRET_DELETE,
VIR_ACCESS_PERM_SECRET_LAST
} virAccessPermSecret;
typedef enum {
/**
* @desc: Access storage pool
* @message: Accessing storage pool requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_STORAGE_POOL_GETATTR,
/**
* @desc: Read storage pool
* @message: Reading storage pool configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_STORAGE_POOL_READ,
/**
* @desc: Write storage pool
* @message: Writing storage pool configuration requires authorization
*/
VIR_ACCESS_PERM_STORAGE_POOL_WRITE,
/**
* @desc: Save storage pool
* @message: Saving storage pool configuration requires authorization
*/
VIR_ACCESS_PERM_STORAGE_POOL_SAVE,
/**
* @desc: Delete storage pool
* @message: Deleting storage pool configuration requires authorization
*/
VIR_ACCESS_PERM_STORAGE_POOL_DELETE,
/**
* @desc: Start storage pool
* @message: Starting storage pool configuration requires authorization
*/
VIR_ACCESS_PERM_STORAGE_POOL_START,
/**
* @desc: Stop storage pool
* @message: Stopping storage pool configuration requires authorization
*/
VIR_ACCESS_PERM_STORAGE_POOL_STOP,
/**
* @desc: Refresh storage pool
* @message: Refreshing storage pool volumes requires authorization
*/
VIR_ACCESS_PERM_STORAGE_POOL_REFRESH,
/**
* @desc: List storage pool volumes
* @message: Listing storage pool volumes requires authorization
*/
VIR_ACCESS_PERM_STORAGE_POOL_SEARCH_STORAGE_VOLS,
/**
* @desc: Format storage pool
* @message: Formatting storage pool data requires authorization
*/
VIR_ACCESS_PERM_STORAGE_POOL_FORMAT,
VIR_ACCESS_PERM_STORAGE_POOL_LAST
} virAccessPermStoragePool;
typedef enum {
/**
* @desc: Access storage volume
* @message: Accessing storage volume requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_STORAGE_VOL_GETATTR,
/**
* @desc: Read storage volume
* @message: Reading storage volume configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_STORAGE_VOL_READ,
/**
* @desc: Create storage volume
* @message: Creating storage volume requires authorization
*/
VIR_ACCESS_PERM_STORAGE_VOL_CREATE,
/**
* @desc: Delete storage volume
* @message: Deleting storage volume requires authorization
*/
VIR_ACCESS_PERM_STORAGE_VOL_DELETE,
/**
* @desc: Format storage volume
* @message: Formatting storage volume data requires authorization
*/
VIR_ACCESS_PERM_STORAGE_VOL_FORMAT,
/**
* @desc: Resize storage volume
* @message: Resizing storage volume requires authorization
*/
VIR_ACCESS_PERM_STORAGE_VOL_RESIZE,
/**
* @desc: Read storage volume data
* @message: Reading storage volume data requires authorization
*/
VIR_ACCESS_PERM_STORAGE_VOL_DATA_READ,
/**
* @desc: Write storage volume data
* @message: Writing storage volume data requires authorization
*/
VIR_ACCESS_PERM_STORAGE_VOL_DATA_WRITE,
VIR_ACCESS_PERM_STORAGE_VOL_LAST
} virAccessPermStorageVol;
VIR_ENUM_DECL(virAccessPermConnect);
VIR_ENUM_DECL(virAccessPermDomain);
VIR_ENUM_DECL(virAccessPermInterface);
VIR_ENUM_DECL(virAccessPermNetwork);
VIR_ENUM_DECL(virAccessPermNetworkPort);
VIR_ENUM_DECL(virAccessPermNodeDevice);
VIR_ENUM_DECL(virAccessPermNWFilter);
VIR_ENUM_DECL(virAccessPermNWFilterBinding);
VIR_ENUM_DECL(virAccessPermSecret);
VIR_ENUM_DECL(virAccessPermStoragePool);
VIR_ENUM_DECL(virAccessPermStorageVol);