[libvirt] [PATCH] Add documentation for access control system

Daniel P. Berrange berrange at redhat.com
Fri Aug 9 15:51:02 UTC 2013


On Fri, Aug 09, 2013 at 09:47:46AM -0600, Eric Blake wrote:
> On 08/08/2013 05:27 AM, Daniel P. Berrange wrote:
> > +aclperms.htmlinc: $(top_srcdir)/src/access/viraccessperm.h \
> > +        genaclperms.pl Makefile.am
> > +	$(PERL) genaclperms.pl $< > $@
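
Review bot: The recipe runs genaclperms.pl by bare name, so when the build directory is not the source directory the script will not be found; refer to it as $(srcdir)/genaclperms.pl in both the prerequisite list and the command. Redirecting straight into $@ also leaves a partial aclperms.htmlinc behind if the script fails, so consider writing to a temporary file and renaming it on success.
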
> 
> Did you test a VPATH build?

No, but I will do.


> > +    <p>
> > +      And to reset back to the default (no-op) driver
> > +    </p>
> > +
> > +
> > +    <pre>
> > +# augtool -s rm /files/etc/libvirt/libvirtd.conf/access_drivers
> > +    </pre>
> > +
> > +    <p>
> > +      <strong>Note:</strong> changes to libvirtd.conf require that
> > +      the libvirtd daemon be restarted.
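
Review bot: The lead-in "And to reset back to the default (no-op) driver" runs into the <pre> block with no closing colon, and two blank lines separate </p> from <pre>; end the sentence with a colon and drop one of the blank lines. Since the note requires a restart, it would also help to say whether a reload via SIGHUP is sufficient, as that is the first thing a reader will ask.
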
> 
> Isn't sending SIGHUP sufficient, or does it have to be a full restart?

No, SIGHUP only reloads .xml files.

> > +    <pre>
> > +polkit.addRule(function(action, subject) {
> > +    if (action.id == "org.libvirt.api.connect.getattr" &&
> > +        subject.user == "berrange") {
> > +          if (action._detail_connect_driver == 'QEMU') {
> > +            return polkit.Result.YES;
> > +          } else {
> > +            return polkit.Result.NO;
> > +          }
> > +    }
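
Review bot: The inner test reads action._detail_connect_driver directly, which depends on how polkit happens to store details on the action object; the documented accessor is action.lookup("connect_driver"), and a documentation example should show that form. The inner if/else is also indented six spaces deeper than the outer block and the example mixes double and single quotes, so normalise both while touching it.
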
> 
> This function has no return statement when the initial 'if' is not
> satisfied; is that valid?

Yeah, it will just carry on with other polkit rules that are defined
in other files, eventually falling back to the default policy
defined for the action.


Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
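
The fall-through behaviour described in the reply above, as an added example that is not part of the original message or of polkit itself: a simplified model of rule evaluation with the rule from the patch registered in it. The names makeAuthority, check and demo, and the default-policy value, are assumptions constructed for illustration.

```javascript
// Simplified model of polkit's rule chain (assumption: not polkit's real engine).
const Result = { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin" };

function makeAuthority(defaultPolicy) {
  const rules = [];
  const polkit = { Result, addRule: (fn) => rules.push(fn) };
  // Rules run in registration order; the first one that returns a value
  // decides. A rule that returns nothing (undefined) or null is skipped.
  function check(action, subject) {
    for (const rule of rules) {
      const r = rule(action, subject);
      if (r !== undefined && r !== null) return { result: r, decidedBy: "rule" };
    }
    // No rule handled the request: use the action's default policy.
    return { result: defaultPolicy[action.id], decidedBy: "default" };
  }
  return { polkit, check };
}

// Constructed default policy for the one action used in the thread.
const { polkit, check } = makeAuthority({
  "org.libvirt.api.connect.getattr": Result.AUTH_ADMIN,
});

// The rule quoted in the patch, with the same behaviour.
polkit.addRule(function (action, subject) {
  if (action.id == "org.libvirt.api.connect.getattr" &&
      subject.user == "berrange") {
    if (action._detail_connect_driver == "QEMU") {
      return polkit.Result.YES;
    } else {
      return polkit.Result.NO;
    }
  }
  // No return here: evaluation continues with the next rule or the default.
});

// Hypothetical helper: evaluate the getattr action for a user and driver.
function demo(user, driver) {
  return check(
    { id: "org.libvirt.api.connect.getattr", _detail_connect_driver: driver },
    { user });
}
```

Only requests from "berrange" are decided by the rule; every other subject reaches the default policy, so the rule neither grants nor denies access for them.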