[libvirt] [PATCH 00/19] Support for access control
Michal Privoznik
mprivozn at redhat.com
Thu Jun 20 09:00:36 UTC 2013
On 09.05.2013 15:26, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
>
> This series (which depends on the Xen refactoring patches) adds
> support for access control checks on all APIs that run inside
> libvirtd.
>
> The first patch defines the basic objects which can be checked
> and the permissions associated with each object. In addition
> it provides the basic internal (pluggable) API for access
> control checks.
>
> Later there are policykit and selinux drivers for the access
> control framework. Neither of these is currently optimal
> but they have basic functionality working.
>
> To ensure that we don't forget access control checks when
> adding new APIs, we maintain metadata in the remote_protocol.x
> file against each method declaring what access control check
> must be done.
>
> There are actually two checks possible. The first check is
> against the object being used. The optional second check
> is against the objects being returned (if any). The latter
> is used to filter what can be seen when asking for a list
> of objects (eg 'virsh list' gets filtered)
>
> Again to ensure accurate checks, we automate the generation
> of methods for applying access control checks to each API.
> These helper methods are named to match the public API names.
> The last patch ensures that every method listed in the
> virXXXXDriverPtr tables has a call to an access control
> helper with the same name as the public API.
>
> And of course there are the patches which actually add
> the access control checks.
>
> Still todo
>
> - Not all Xen methods have access control checks yet.
> This causes the test case in the last patch to report
> failures
>
> - Have not wired up the checks for filtering the returned
> objects in any driver yet
>
> - The polkit driver is inefficient since it spawns
> pkcheck for each check. We need to talk to DBus
> directly since ACL checks will be very frequent
> and need to be lightweight
>
> - The SELinux driver is validating against the label
> of libvirtd. We need to validate against the label of
> the virDomainDefPtr security model or some equivalent
> for other objects.
>
> - Need to write a generic RBAC access control impl. It
> was hoped that new polkit would make this obsolete.
> Polkit is still unable to do access control checks
> for non-local users though eg it can't validate
> against SASL usernames or x509 certs.
>
> Daniel P. Berrange (19):
> Define basic internal API for access control
> Set conn->driver before running driver connectOpen method
> Setup default access control manager in libvirtd
> Add a policy kit access control driver
> Add an SELinux access control driver
> Add ACL annotations to all RPC messages
> Auto-generate helpers for checking access control rules
> Add ACL checks into the QEMU driver
> Add ACL checks into the LXC driver
> Add ACL checks into the UML driver
> Add ACL checks into the Xen driver
> Add ACL checks into the libxl driver
> Add ACL checks into the storage driver
> Add ACL checks into the network driver
> Add ACL checks into the interface driver
> Add ACL checks into the node device driver
> Add ACL checks into the nwfilter driver
> Add ACL checks into the secrets driver
> Add validation that all APIs contain ACL checks
>
> .gitignore | 10 +
> daemon/Makefile.am | 1 +
> daemon/libvirtd-config.c | 4 +
> daemon/libvirtd-config.h | 2 +
> daemon/libvirtd.aug | 1 +
> daemon/libvirtd.c | 27 ++
> daemon/libvirtd.conf | 9 +
> daemon/test_libvirtd.aug.in | 4 +
> include/libvirt/virterror.h | 4 +
> m4/virt-compile-warnings.m4 | 1 +
> m4/virt-selinux.m4 | 2 +
> po/POTFILES.in | 3 +
> src/Makefile.am | 128 +++++-
> src/access/genpolkit.pl | 119 ++++++
> src/access/viraccessdriver.h | 89 ++++
> src/access/viraccessdrivernop.c | 118 ++++++
> src/access/viraccessdrivernop.h | 28 ++
> src/access/viraccessdriverpolkit.c | 399 ++++++++++++++++++
> src/access/viraccessdriverpolkit.h | 28 ++
> src/access/viraccessdriverselinux.c | 565 +++++++++++++++++++++++++
> src/access/viraccessdriverselinux.h | 28 ++
> src/access/viraccessdriverstack.c | 285 +++++++++++++
> src/access/viraccessdriverstack.h | 32 ++
> src/access/viraccessmanager.c | 352 ++++++++++++++++
> src/access/viraccessmanager.h | 91 ++++
> src/access/viraccessperm.c | 84 ++++
> src/access/viraccessperm.h | 647 +++++++++++++++++++++++++++++
> src/check-aclrules.pl | 144 +++++++
> src/interface/interface_backend_netcf.c | 114 +++++
> src/interface/interface_backend_udev.c | 85 +++-
> src/internal.h | 4 +
> src/libvirt.c | 11 +-
> src/libvirt_private.syms | 37 ++
> src/libxl/libxl_driver.c | 187 ++++++++-
> src/locking/lock_protocol.x | 8 +
> src/lxc/lxc_driver.c | 219 +++++++++-
> src/network/bridge_driver.c | 61 +++
> src/node_device/node_device_driver.c | 36 ++
> src/nwfilter/nwfilter_driver.c | 26 ++
> src/qemu/qemu_driver.c | 716 ++++++++++++++++++++++++++++----
> src/remote/lxc_protocol.x | 1 +
> src/remote/qemu_protocol.x | 4 +
> src/remote/remote_protocol.x | 406 ++++++++++++++++++
> src/rpc/gendispatch.pl | 212 +++++++++-
> src/secret/secret_driver.c | 31 ++
> src/storage/storage_driver.c | 155 ++++++-
> src/uml/uml_driver.c | 174 +++++++-
> src/util/virerror.c | 8 +
> src/util/virlog.c | 3 +-
> src/util/virlog.h | 1 +
> src/xen/xen_driver.c | 217 +++++++++-
> 51 files changed, 5785 insertions(+), 136 deletions(-)
> create mode 100755 src/access/genpolkit.pl
> create mode 100644 src/access/viraccessdriver.h
> create mode 100644 src/access/viraccessdrivernop.c
> create mode 100644 src/access/viraccessdrivernop.h
> create mode 100644 src/access/viraccessdriverpolkit.c
> create mode 100644 src/access/viraccessdriverpolkit.h
> create mode 100644 src/access/viraccessdriverselinux.c
> create mode 100644 src/access/viraccessdriverselinux.h
> create mode 100644 src/access/viraccessdriverstack.c
> create mode 100644 src/access/viraccessdriverstack.h
> create mode 100644 src/access/viraccessmanager.c
> create mode 100644 src/access/viraccessmanager.h
> create mode 100644 src/access/viraccessperm.c
> create mode 100644 src/access/viraccessperm.h
> create mode 100644 src/check-aclrules.pl
>
I wanted to review this. But seems like patches don't apply cleanly. Can
you rebase and repost?
Michal
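
The two checks described in the quoted cover letter (one against the object being used, one filtering the objects being returned), sketched as an added example that is not part of this thread or of the libvirt patches. Every type, function and policy name below is hypothetical, and the sample domains are constructed.

```c
#include <stddef.h>
#include <string.h>

/* All names here are hypothetical; this is not libvirt's access control API. */
typedef enum { PERM_GETATTR, PERM_START } perm_t;
typedef struct { const char *name; const char *owner; } domain_t;

/* Pluggable driver hook: 1 = allow, 0 = deny, -1 = error. */
typedef int (*acl_check_fn)(const char *identity, const domain_t *dom, perm_t perm);
typedef struct { acl_check_fn check; } acl_manager_t;

/* Constructed policy: owners get every permission, "auditor" may only read. */
static int sample_check(const char *identity, const domain_t *dom, perm_t perm)
{
    if (!identity || !dom)
        return -1;
    if (strcmp(identity, dom->owner) == 0)
        return 1;
    return perm == PERM_GETATTR && strcmp(identity, "auditor") == 0;
}

/* Deny unless the driver explicitly allows: no driver or an error fails closed. */
static int acl_allowed(const acl_manager_t *mgr, const char *identity,
                       const domain_t *dom, perm_t perm)
{
    return mgr && mgr->check && mgr->check(identity, dom, perm) == 1;
}

/* First check: the object the API call operates on. */
int domain_start_ensure_acl(const acl_manager_t *mgr, const char *identity,
                            const domain_t *dom)
{
    return acl_allowed(mgr, identity, dom, PERM_START);
}

/* Second check: filter the objects being returned by a list call. */
size_t list_domains_filtered(const acl_manager_t *mgr, const char *identity,
                             const domain_t *all, size_t n, const domain_t **out)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (acl_allowed(mgr, identity, &all[i], PERM_GETATTR))
            out[kept++] = &all[i];
    return kept;
}

/* Constructed sample data for the demonstration. */
const domain_t sample_domains[] = {
    { "web1", "alice" }, { "web2", "alice" }, { "db1", "bob" },
};
const acl_manager_t sample_mgr = { sample_check };
const domain_t *sample_out[3];
```

The read-only identity sees every domain in the filtered list yet is still refused by the per-object check, which is why the two checks are kept separate.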