[libvirt] [PATCH 07/12] Add a policy kit access control driver

Eric Blake eblake at redhat.com
Wed May 2 22:40:08 UTC 2012


On 05/02/2012 05:44 AM, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
> 

Sparse on the commit message.

> ---
>  po/POTFILES.in                       |    1 +
>  src/Makefile.am                      |   12 ++-
>  src/access/org.libvirt.domain.policy |   37 ++++++++
>  src/access/viraccessdriverpolkit.c   |  163 ++++++++++++++++++++++++++++++++++
>  src/access/viraccessdriverpolkit.h   |   28 ++++++
>  src/access/viraccessmanager.c        |    2 +
>  6 files changed, 241 insertions(+), 2 deletions(-)
>  create mode 100644 src/access/org.libvirt.domain.policy
>  create mode 100644 src/access/viraccessdriverpolkit.c
>  create mode 100644 src/access/viraccessdriverpolkit.h
> 

> @@ -536,7 +536,12 @@ ACCESS_DRIVER_SOURCES = \
>  		access/viraccessmanager.h access/viraccessmanager.c \
>  		access/viraccessdriver.h \
>  		access/viraccessdrivernop.h access/viraccessdrivernop.c \
> -		access/viraccessdriverstack.h access/viraccessdriverstack.c
> +		access/viraccessdriverstack.h access/viraccessdriverstack.c \
> +		access/viraccessdriverpolkit.h access/viraccessdriverpolkit.c
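
Review bot: The two viraccessdriverpolkit files are appended to ACCESS_DRIVER_SOURCES unconditionally in the added lines, so every build compiles the polkit driver whether or not polkit is present on the target. Given that the driver runs an external command for each check (the virCommandRun call in viraccessdriverpolkit.c), consider placing these two files behind a configure-time polkit conditional if the tree has one, or state in the commit message that an always-built driver is intended.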

Sort these lines?


> +++ b/src/access/org.libvirt.domain.policy
> @@ -0,0 +1,37 @@
> +<!DOCTYPE policyconfig PUBLIC
> + "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
> + "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">
> +
> +<!--
> +Policy definitions for libvirt daemon
> +
> +Copyright (c) 2007 Daniel P. Berrange <berrange redhat com>

2012

> +
> +libvirt is licensed to you under the GNU Lesser General Public License
> +version 2. See COPYING for details.

LGPLv2 _or later_


> +    <action id="org.libvirt.domain.read">
> +      <description>Get virtual domain attributes</description>
> +      <message>System policy prevents getattr on guest domains</message>
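
Review bot: The description of org.libvirt.domain.read, "Get virtual domain attributes", still carries the getattr wording and does not say what the read action actually grants. An administrator writing polkit rules works from the action id and this description, so spell out which operations the action authorizes and keep description, message and id on the same term.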

s/getattr/read/

> +++ b/src/access/viraccessdriverpolkit.c

> +
> +    if (virCommandRun(cmd, &status) < 0)
> +        goto cleanup;
> +
> +    if (status != 0) {
> +        char *tmp = virCommandTranslateStatus(status);
> +        virAccessError(VIR_ERR_ACCESS_DENIED,
> +                       _("Policy kit denied action %s from %s: %s"),
> +                       actionid, process, NULLSTR(tmp));
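
Review bot: In the status != 0 branch, every non-zero status is reported as VIR_ERR_ACCESS_DENIED with the text "Policy kit denied action", which also covers the command failing for a reason other than a policy decision (whatever virCommandTranslateStatus puts in tmp). Refusing access in that case is the correct fail-closed result, but consider a message or error code that lets an administrator reading the logs tell an explicit denial from a broken check. Separately, tmp is allocated by virCommandTranslateStatus and the quoted lines end before any VIR_FREE(tmp), so confirm it is released before leaving the branch.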

Given that all we do on failure is report it, should we just use
virCommandRun(cmd, NULL)?

-- 
Eric Blake   eblake at redhat.com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
