[libvirt] [PATCH 10/19] Add ACL checks into the UML driver
Daniel P. Berrange
berrange at redhat.com
Wed Jun 19 17:00:51 UTC 2013
From: "Daniel P. Berrange" <berrange at redhat.com>
Insert calls to the ACL checking APIs in all UML driver
entrypoints.
Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
src/Makefile.am | 4 +-
src/uml/uml_driver.c | 174 +++++++++++++++++++++++++++++++++++++++++++++++----
2 files changed, 165 insertions(+), 13 deletions(-)
diff --git a/src/Makefile.am b/src/Makefile.am
index a915fe3..75db540 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1142,7 +1142,9 @@ noinst_LTLIBRARIES += libvirt_driver_uml.la
endif
libvirt_driver_uml_impl_la_CFLAGS = \
- -I$(top_srcdir)/src/conf $(AM_CFLAGS)
+ -I$(top_srcdir)/src/access \
+ -I$(top_srcdir)/src/conf \
+ $(AM_CFLAGS)
libvirt_driver_uml_impl_la_LDFLAGS = $(AM_LDFLAGS)
# libvirt_driver_uml_impl_la_LIBADD =
libvirt_driver_uml_impl_la_SOURCES = $(UML_DRIVER_SOURCES)
diff --git a/src/uml/uml_driver.c b/src/uml/uml_driver.c
index b238b0f..25b9748 100644
--- a/src/uml/uml_driver.c
+++ b/src/uml/uml_driver.c
@@ -65,6 +65,7 @@
#include "virprocess.h"
#include "viruri.h"
#include "virstring.h"
+#include "viraccessapicheck.h"
#define VIR_FROM_THIS VIR_FROM_UML
@@ -1235,6 +1236,9 @@ static virDrvOpenStatus umlConnectOpen(virConnectPtr conn,
}
}
+ if (virConnectOpenEnsureACL(conn) < 0)
+ return VIR_DRV_OPEN_ERROR;
+
conn->privateData = uml_driver;
return VIR_DRV_OPEN_SUCCESS;
@@ -1252,7 +1256,10 @@ static int umlConnectClose(virConnectPtr conn) {
return 0;
}
-static const char *umlConnectGetType(virConnectPtr conn ATTRIBUTE_UNUSED) {
+static const char *umlConnectGetType(virConnectPtr conn) {
+ if (virConnectGetTypeEnsureACL(conn) < 0)
+ return NULL;
+
return "UML";
}
@@ -1281,6 +1288,9 @@ static char *umlConnectGetCapabilities(virConnectPtr conn) {
struct uml_driver *driver = (struct uml_driver *)conn->privateData;
char *xml;
+ if (virConnectGetCapabilitiesEnsureACL(conn) < 0)
+ return NULL;
+
umlDriverLock(driver);
if ((xml = virCapabilitiesFormatXML(driver->caps)) == NULL)
virReportOOMError();
@@ -1346,6 +1356,9 @@ static virDomainPtr umlDomainLookupByID(virConnectPtr conn,
goto cleanup;
}
+ if (virDomainLookupByIDEnsureACL(conn, vm->def) < 0)
+ goto cleanup;
+
dom = virGetDomain(conn, vm->def->name, vm->def->uuid);
if (dom) dom->id = vm->def->id;
@@ -1370,6 +1383,9 @@ static virDomainPtr umlDomainLookupByUUID(virConnectPtr conn,
goto cleanup;
}
+ if (virDomainLookupByUUIDEnsureACL(conn, vm->def) < 0)
+ goto cleanup;
+
dom = virGetDomain(conn, vm->def->name, vm->def->uuid);
if (dom) dom->id = vm->def->id;
@@ -1394,6 +1410,9 @@ static virDomainPtr umlDomainLookupByName(virConnectPtr conn,
goto cleanup;
}
+ if (virDomainLookupByNameEnsureACL(conn, vm->def) < 0)
+ goto cleanup;
+
dom = virGetDomain(conn, vm->def->name, vm->def->uuid);
if (dom) dom->id = vm->def->id;
@@ -1417,6 +1436,10 @@ static int umlDomainIsActive(virDomainPtr dom)
virReportError(VIR_ERR_NO_DOMAIN, NULL);
goto cleanup;
}
+
+ if (virDomainIsActiveEnsureACL(dom->conn, obj->def) < 0)
+ goto cleanup;
+
ret = virDomainObjIsActive(obj);
cleanup:
@@ -1439,6 +1462,10 @@ static int umlDomainIsPersistent(virDomainPtr dom)
virReportError(VIR_ERR_NO_DOMAIN, NULL);
goto cleanup;
}
+
+ if (virDomainIsPersistentEnsureACL(dom->conn, obj->def) < 0)
+ goto cleanup;
+
ret = obj->persistent;
cleanup:
@@ -1460,6 +1487,10 @@ static int umlDomainIsUpdated(virDomainPtr dom)
virReportError(VIR_ERR_NO_DOMAIN, NULL);
goto cleanup;
}
+
+ if (virDomainIsUpdatedEnsureACL(dom->conn, obj->def) < 0)
+ goto cleanup;
+
ret = obj->updated;
cleanup:
@@ -1473,6 +1504,9 @@ static int umlConnectGetVersion(virConnectPtr conn, unsigned long *version) {
struct utsname ut;
int ret = -1;
+ if (virConnectGetVersionEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
if (driver->umlVersion == 0) {
@@ -1494,8 +1528,11 @@ cleanup:
}
-static char *umlConnectGetHostname(virConnectPtr conn ATTRIBUTE_UNUSED)
+static char *umlConnectGetHostname(virConnectPtr conn)
{
+ if (virConnectGetHostnameEnsureACL(conn) < 0)
+ return NULL;
+
return virGetHostname();
}
@@ -1504,6 +1541,9 @@ static int umlConnectListDomains(virConnectPtr conn, int *ids, int nids) {
struct uml_driver *driver = conn->privateData;
int n;
+ if (virConnectListDomainsEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
n = virDomainObjListGetActiveIDs(driver->domains, ids, nids);
umlDriverUnlock(driver);
@@ -1514,6 +1554,9 @@ static int umlConnectNumOfDomains(virConnectPtr conn) {
struct uml_driver *driver = conn->privateData;
int n;
+ if (virConnectNumOfDomainsEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
n = virDomainObjListNumOfDomains(driver->domains, 1);
umlDriverUnlock(driver);
@@ -1536,6 +1579,9 @@ static virDomainPtr umlDomainCreateXML(virConnectPtr conn, const char *xml,
VIR_DOMAIN_XML_INACTIVE)))
goto cleanup;
+ if (virDomainCreateXMLEnsureACL(conn, def) < 0)
+ goto cleanup;
+
if (!(vm = virDomainObjListAdd(driver->domains, def,
driver->xmlopt,
VIR_DOMAIN_OBJ_LIST_ADD_CHECK_LIVE,
@@ -1588,6 +1634,9 @@ static int umlDomainShutdownFlags(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainShutdownFlagsEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
#if 0
if (umlMonitorCommand(driver, vm, "system_powerdown", &info) < 0) {
virReportError(VIR_ERR_OPERATION_FAILED, "%s",
@@ -1629,6 +1678,9 @@ umlDomainDestroyFlags(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainDestroyFlagsEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
umlShutdownVMDaemon(driver, vm, VIR_DOMAIN_SHUTOFF_DESTROYED);
virDomainAuditStop(vm, "destroyed");
event = virDomainEventNewFromObj(vm,
@@ -1671,7 +1723,11 @@ static char *umlDomainGetOSType(virDomainPtr dom) {
goto cleanup;
}
- ignore_value(VIR_STRDUP(type, vm->def->os.type));
+ if (virDomainGetOSTypeEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
+ if (VIR_STRDUP(type, vm->def->os.type) < 0)
+ goto cleanup;
cleanup:
if (vm)
@@ -1699,6 +1755,10 @@ umlDomainGetMaxMemory(virDomainPtr dom)
_("no domain with matching uuid '%s'"), uuidstr);
goto cleanup;
}
+
+ if (virDomainGetMaxMemoryEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
ret = vm->def->mem.max_balloon;
cleanup:
@@ -1725,6 +1785,9 @@ static int umlDomainSetMaxMemory(virDomainPtr dom, unsigned long newmax) {
goto cleanup;
}
+ if (virDomainSetMaxMemoryEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
if (newmax < vm->def->mem.cur_balloon) {
virReportError(VIR_ERR_INVALID_ARG, "%s",
_("cannot set max memory lower than current memory"));
@@ -1758,6 +1821,9 @@ static int umlDomainSetMemory(virDomainPtr dom, unsigned long newmem) {
goto cleanup;
}
+ if (virDomainSetMemoryEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
if (virDomainObjIsActive(vm)) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
_("cannot set memory of an active domain"));
@@ -1795,6 +1861,9 @@ static int umlDomainGetInfo(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainGetInfoEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
info->state = virDomainObjGetState(vm, NULL);
if (!virDomainObjIsActive(vm)) {
@@ -1841,6 +1910,9 @@ umlDomainGetState(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainGetStateEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
*state = virDomainObjGetState(vm, reason);
ret = 0;
@@ -1870,6 +1942,9 @@ static char *umlDomainGetXMLDesc(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainGetXMLDescEnsureACL(dom->conn, vm->def, flags) < 0)
+ goto cleanup;
+
ret = virDomainDefFormat((flags & VIR_DOMAIN_XML_INACTIVE) && vm->newDef ?
vm->newDef : vm->def,
flags);
@@ -1886,6 +1961,9 @@ static int umlConnectListDefinedDomains(virConnectPtr conn,
struct uml_driver *driver = conn->privateData;
int n;
+ if (virConnectListDefinedDomainsEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
n = virDomainObjListGetInactiveNames(driver->domains, names, nnames);
umlDriverUnlock(driver);
@@ -1897,6 +1975,9 @@ static int umlConnectNumOfDefinedDomains(virConnectPtr conn) {
struct uml_driver *driver = conn->privateData;
int n;
+ if (virConnectNumOfDefinedDomainsEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
n = virDomainObjListNumOfDomains(driver->domains, 0);
umlDriverUnlock(driver);
@@ -1922,6 +2003,9 @@ static int umlDomainCreateWithFlags(virDomainPtr dom, unsigned int flags) {
goto cleanup;
}
+ if (virDomainCreateWithFlagsEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
ret = umlStartVMDaemon(dom->conn, driver, vm,
(flags & VIR_DOMAIN_START_AUTODESTROY));
virDomainAuditStart(vm, "booted", ret >= 0);
@@ -1955,6 +2039,9 @@ static virDomainPtr umlDomainDefineXML(virConnectPtr conn, const char *xml) {
VIR_DOMAIN_XML_INACTIVE)))
goto cleanup;
+ if (virDomainDefineXMLEnsureACL(conn, def) < 0)
+ goto cleanup;
+
if (!(vm = virDomainObjListAdd(driver->domains, def,
driver->xmlopt,
0, NULL)))
@@ -1998,6 +2085,9 @@ static int umlDomainUndefineFlags(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainUndefineFlagsEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
if (!vm->persistent) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
_("cannot undefine transient domain"));
@@ -2098,6 +2188,9 @@ static int umlDomainAttachDevice(virDomainPtr dom, const char *xml)
goto cleanup;
}
+ if (virDomainAttachDeviceEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
if (!virDomainObjIsActive(vm)) {
virReportError(VIR_ERR_OPERATION_INVALID,
"%s", _("cannot attach device on inactive domain"));
@@ -2216,6 +2309,9 @@ static int umlDomainDetachDevice(virDomainPtr dom, const char *xml) {
goto cleanup;
}
+ if (virDomainDetachDeviceEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
if (!virDomainObjIsActive(vm)) {
virReportError(VIR_ERR_OPERATION_INVALID,
"%s", _("cannot detach device on inactive domain"));
@@ -2281,6 +2377,9 @@ static int umlDomainGetAutostart(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainGetAutostartEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
*autostart = vm->autostart;
ret = 0;
@@ -2307,6 +2406,9 @@ static int umlDomainSetAutostart(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainSetAutostartEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
if (!vm->persistent) {
virReportError(VIR_ERR_OPERATION_INVALID, "%s",
_("cannot set autostart for transient domain"));
@@ -2382,6 +2484,9 @@ umlDomainBlockPeek(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainBlockPeekEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
if (!path || path[0] == '\0') {
virReportError(VIR_ERR_INVALID_ARG, "%s",
_("NULL or empty path"));
@@ -2449,6 +2554,9 @@ umlDomainOpenConsole(virDomainPtr dom,
goto cleanup;
}
+ if (virDomainOpenConsoleEnsureACL(dom->conn, vm->def) < 0)
+ goto cleanup;
+
if (!virDomainObjIsActive(vm)) {
virReportError(VIR_ERR_OPERATION_INVALID,
"%s", _("domain is not running"));
@@ -2505,6 +2613,9 @@ umlConnectDomainEventRegister(virConnectPtr conn,
struct uml_driver *driver = conn->privateData;
int ret;
+ if (virConnectDomainEventRegisterEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
ret = virDomainEventStateRegister(conn,
driver->domainEventState,
@@ -2521,6 +2632,9 @@ umlConnectDomainEventDeregister(virConnectPtr conn,
struct uml_driver *driver = conn->privateData;
int ret;
+ if (virConnectDomainEventDeregisterEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
ret = virDomainEventStateDeregister(conn,
driver->domainEventState,
@@ -2541,6 +2655,9 @@ umlConnectDomainEventRegisterAny(virConnectPtr conn,
struct uml_driver *driver = conn->privateData;
int ret;
+ if (virConnectDomainEventRegisterAnyEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
if (virDomainEventStateRegisterID(conn,
driver->domainEventState,
@@ -2560,6 +2677,9 @@ umlConnectDomainEventDeregisterAny(virConnectPtr conn,
struct uml_driver *driver = conn->privateData;
int ret;
+ if (virConnectDomainEventDeregisterAnyEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
ret = virDomainEventStateDeregisterID(conn,
driver->domainEventState,
@@ -2586,6 +2706,9 @@ static int umlConnectListAllDomains(virConnectPtr conn,
virCheckFlags(VIR_CONNECT_LIST_DOMAINS_FILTERS_ALL, -1);
+ if (virConnectListAllDomainsEnsureACL(conn) < 0)
+ return -1;
+
umlDriverLock(driver);
ret = virDomainObjListExport(driver->domains, conn, domains, flags);
umlDriverUnlock(driver);
@@ -2595,88 +2718,115 @@ static int umlConnectListAllDomains(virConnectPtr conn,
static int
-umlNodeGetInfo(virConnectPtr conn ATTRIBUTE_UNUSED,
+umlNodeGetInfo(virConnectPtr conn,
virNodeInfoPtr nodeinfo)
{
+ if (virNodeGetInfoEnsureACL(conn) < 0)
+ return -1;
+
return nodeGetInfo(nodeinfo);
}
static int
-umlNodeGetCPUStats(virConnectPtr conn ATTRIBUTE_UNUSED,
+umlNodeGetCPUStats(virConnectPtr conn,
int cpuNum,
virNodeCPUStatsPtr params,
int *nparams,
unsigned int flags)
{
+ if (virNodeGetCPUStatsEnsureACL(conn) < 0)
+ return -1;
+
return nodeGetCPUStats(cpuNum, params, nparams, flags);
}
static int
-umlNodeGetMemoryStats(virConnectPtr conn ATTRIBUTE_UNUSED,
+umlNodeGetMemoryStats(virConnectPtr conn,
int cellNum,
virNodeMemoryStatsPtr params,
int *nparams,
unsigned int flags)
{
+ if (virNodeGetMemoryStatsEnsureACL(conn) < 0)
+ return -1;
+
return nodeGetMemoryStats(cellNum, params, nparams, flags);
}
static int
-umlNodeGetCellsFreeMemory(virConnectPtr conn ATTRIBUTE_UNUSED,
+umlNodeGetCellsFreeMemory(virConnectPtr conn,
unsigned long long *freeMems,
int startCell,
int maxCells)
{
+ if (virNodeGetCellsFreeMemoryEnsureACL(conn) < 0)
+ return -1;
+
return nodeGetCellsFreeMemory(freeMems, startCell, maxCells);
}
static unsigned long long
-umlNodeGetFreeMemory(virConnectPtr conn ATTRIBUTE_UNUSED)
+umlNodeGetFreeMemory(virConnectPtr conn)
{
+ if (virNodeGetFreeMemoryEnsureACL(conn) < 0)
+ return 0;
+
return nodeGetFreeMemory();
}
static int
-umlNodeGetMemoryParameters(virConnectPtr conn ATTRIBUTE_UNUSED,
+umlNodeGetMemoryParameters(virConnectPtr conn,
virTypedParameterPtr params,
int *nparams,
unsigned int flags)
{
+ if (virNodeGetMemoryParametersEnsureACL(conn) < 0)
+ return -1;
+
return nodeGetMemoryParameters(params, nparams, flags);
}
static int
-umlNodeSetMemoryParameters(virConnectPtr conn ATTRIBUTE_UNUSED,
+umlNodeSetMemoryParameters(virConnectPtr conn,
virTypedParameterPtr params,
int nparams,
unsigned int flags)
{
+ if (virNodeSetMemoryParametersEnsureACL(conn) < 0)
+ return -1;
+
return nodeSetMemoryParameters(params, nparams, flags);
}
static int
-umlNodeGetCPUMap(virConnectPtr conn ATTRIBUTE_UNUSED,
+umlNodeGetCPUMap(virConnectPtr conn,
unsigned char **cpumap,
unsigned int *online,
unsigned int flags)
{
+ if (virNodeGetCPUMapEnsureACL(conn) < 0)
+ return -1;
+
return nodeGetCPUMap(cpumap, online, flags);
}
static int
-umlNodeSuspendForDuration(virConnectPtr conn ATTRIBUTE_UNUSED,
+umlNodeSuspendForDuration(virConnectPtr conn,
unsigned int target,
unsigned long long duration,
unsigned int flags)
{
+ if (virNodeSuspendForDurationEnsureACL(conn) < 0)
+ return -1;
+
return nodeSuspendForDuration(target, duration, flags);
}
--
1.8.1.4
More information about the libvir-list
mailing list