[libvirt] [PATCH 0/8] Filtering of object lists via ACLs

Daniel P. Berrange berrange at redhat.com
Thu Jun 27 16:57:17 UTC 2013


From: "Daniel P. Berrange" <berrange at redhat.com>

The current ACL checks validate access to the object being
passed in to the API calls.

There are a few APIs (all the virConnectList* / virConnectNum*
ones) which are used to get lists of objects in the first
place. Currently you could find out that there is a VM called
"foo", but you can't then do virDomainLookupByName since the
ACL check may block it.

This series introduces filtering in the object list APIs,
so you can't even see the existence of an object called
"foo", if you don't have permission over it.

This is not yet filtering the legacy Xen driver.

Daniel P. Berrange (8):
  Add access control filtering of domain objects
  Add access control filtering of network objects
  Add access control filtering of node device objects
  Add access control filtering of storage objects
  Add access control filtering of secret objects
  Add access control filtering of nwfilter objects
  Add access control filtering of interface objects
  Extend the ACL test case to validate filter rule checks

 src/Makefile.am                         |   1 +
 src/check-aclrules.pl                   |  97 ++++++++++++
 src/conf/domain_conf.c                  |  91 +++++++----
 src/conf/domain_conf.h                  |  17 ++-
 src/conf/interface_conf.h               |   3 +
 src/conf/network_conf.c                 |  12 +-
 src/conf/network_conf.h                 |  13 +-
 src/conf/node_device_conf.c             |  12 +-
 src/conf/node_device_conf.h             |  12 +-
 src/conf/storage_conf.c                 |  12 +-
 src/conf/storage_conf.h                 |  11 +-
 src/interface/interface_backend_netcf.c | 262 +++++++++++++++++++++++++++-----
 src/interface/interface_backend_udev.c  |  56 +++++--
 src/libvirt_private.syms                |   6 +-
 src/libxl/libxl_driver.c                |  15 +-
 src/lxc/lxc_driver.c                    |  15 +-
 src/network/bridge_driver.c             |  44 +++---
 src/node_device/node_device_driver.c    |  28 ++--
 src/nwfilter/nwfilter_driver.c          |  39 +++--
 src/openvz/openvz_driver.c              |   7 +-
 src/parallels/parallels_driver.c        |  14 +-
 src/parallels/parallels_network.c       |   2 +-
 src/qemu/qemu_driver.c                  |  24 +--
 src/rpc/gendispatch.pl                  |  42 +++--
 src/secret/secret_driver.c              |  14 +-
 src/storage/storage_driver.c            |  62 +++++---
 src/test/test_driver.c                  |  18 ++-
 src/uml/uml_driver.c                    |  15 +-
 src/vmware/vmware_driver.c              |  12 +-
 29 files changed, 716 insertions(+), 240 deletions(-)

-- 
1.8.1.4
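
The following sketch is an added illustration, not code from this patch series or from libvirt. It shows the behaviour the cover letter describes: one filter callback applied to the count call, the list call and lookup by name, so the three never disagree about which objects exist for a caller. All names (`struct obj`, `acl_filter`, `owner_only`, `num_objs`, `list_objs`, `lookup_obj`) and the owner-based rule are hypothetical, and passing a NULL filter models the unfiltered behaviour before the series.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not libvirt's types: each object records who may see it. */
struct obj { const char *name; const char *owner; };

/* Constructed sample inventory. */
static const struct obj objs[] = {
    { "foo", "alice" }, { "bar", "bob" }, { "baz", "alice" },
};
#define NOBJS (sizeof(objs) / sizeof(objs[0]))

/* Filter callback: true if `user` may learn that `o` exists. */
typedef bool (*acl_filter)(const char *user, const struct obj *o);

static bool owner_only(const char *user, const struct obj *o)
{
    return strcmp(user, o->owner) == 0;
}

static bool visible(const char *user, acl_filter f, const struct obj *o)
{
    return f == NULL || f(user, o);   /* NULL filter: unfiltered listing */
}

/* Stand-in for a virConnectNum* call: hidden objects are not counted. */
size_t num_objs(const char *user, acl_filter f)
{
    size_t n = 0;
    for (size_t i = 0; i < NOBJS; i++)
        n += visible(user, f, &objs[i]);
    return n;
}

/* Stand-in for a virConnectList* call: same filter as num_objs. */
size_t list_objs(const char *user, acl_filter f, const char **names, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i < NOBJS && n < max; i++)
        if (visible(user, f, &objs[i]))
            names[n++] = objs[i].name;
    return n;
}

/* Lookup by name; in this sketch a denied object looks like a missing one. */
const struct obj *lookup_obj(const char *user, acl_filter f, const char *name)
{
    for (size_t i = 0; i < NOBJS; i++)
        if (strcmp(objs[i].name, name) == 0 && visible(user, f, &objs[i]))
            return &objs[i];
    return NULL;
}

int main(void)
{
    printf("bob sees %zu of %zu\n", num_objs("bob", owner_only), NOBJS);
    return 0;
}
```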