[libvirt] [PATCH v2 08/21] access: add nwfilter binding object permissions

Daniel P. Berrangé berrange at redhat.com
Tue May 15 17:43:24 UTC 2018


Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 src/access/viraccessdriver.h       |  5 ++++
 src/access/viraccessdrivernop.c    | 10 ++++++++
 src/access/viraccessdriverpolkit.c | 21 ++++++++++++++++
 src/access/viraccessdriverstack.c  | 24 ++++++++++++++++++
 src/access/viraccessmanager.c      | 15 ++++++++++++
 src/access/viraccessmanager.h      |  5 ++++
 src/access/viraccessperm.c         |  7 +++++-
 src/access/viraccessperm.h         | 39 ++++++++++++++++++++++++++++++
 src/rpc/gendispatch.pl             |  3 ++-
 9 files changed, 127 insertions(+), 2 deletions(-)

diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
index e3050b6439..3b25f36cab 100644
--- a/src/access/viraccessdriver.h
+++ b/src/access/viraccessdriver.h
@@ -47,6 +47,10 @@ typedef int (*virAccessDriverCheckNWFilterDrv)(virAccessManagerPtr manager,
                                                const char *driverName,
                                                virNWFilterDefPtr nwfilter,
                                                virAccessPermNWFilter av);
+typedef int (*virAccessDriverCheckNWFilterBindingDrv)(virAccessManagerPtr manager,
+                                                      const char *driverName,
+                                                      virNWFilterBindingDefPtr binding,
+                                                      virAccessPermNWFilterBinding av);
 typedef int (*virAccessDriverCheckSecretDrv)(virAccessManagerPtr manager,
                                              const char *driverName,
                                              virSecretDefPtr secret,
@@ -80,6 +84,7 @@ struct _virAccessDriver {
     virAccessDriverCheckNetworkDrv checkNetwork;
     virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
     virAccessDriverCheckNWFilterDrv checkNWFilter;
+    virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
     virAccessDriverCheckSecretDrv checkSecret;
     virAccessDriverCheckStoragePoolDrv checkStoragePool;
     virAccessDriverCheckStorageVolDrv checkStorageVol;
diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
index 86ceef37c2..98ef9206c5 100644
--- a/src/access/viraccessdrivernop.c
+++ b/src/access/viraccessdrivernop.c
@@ -75,6 +75,15 @@ virAccessDriverNopCheckNWFilter(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
     return 1; /* Allow */
 }
 
+static int
+virAccessDriverNopCheckNWFilterBinding(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+                                       const char *driverName ATTRIBUTE_UNUSED,
+                                       virNWFilterBindingDefPtr binding ATTRIBUTE_UNUSED,
+                                       virAccessPermNWFilterBinding perm ATTRIBUTE_UNUSED)
+{
+    return 1; /* Allow */
+}
+
 static int
 virAccessDriverNopCheckSecret(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
                               const char *driverName ATTRIBUTE_UNUSED,
@@ -112,6 +121,7 @@ virAccessDriver accessDriverNop = {
     .checkNetwork = virAccessDriverNopCheckNetwork,
     .checkNodeDevice = virAccessDriverNopCheckNodeDevice,
     .checkNWFilter = virAccessDriverNopCheckNWFilter,
+    .checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
     .checkSecret = virAccessDriverNopCheckSecret,
     .checkStoragePool = virAccessDriverNopCheckStoragePool,
     .checkStorageVol = virAccessDriverNopCheckStorageVol,
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 48a83f66d7..6954d74a15 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -276,6 +276,26 @@ virAccessDriverPolkitCheckNWFilter(virAccessManagerPtr manager,
                                       attrs);
 }
 
+static int
+virAccessDriverPolkitCheckNWFilterBinding(virAccessManagerPtr manager,
+                                          const char *driverName,
+                                          virNWFilterBindingDefPtr binding,
+                                          virAccessPermNWFilterBinding perm)
+{
+    const char *attrs[] = {
+        "connect_driver", driverName,
+        "nwfilter_binding_portdev", binding->portdevname,
+        "nwfilter_binding_linkdev", binding->linkdevname,
+        "nwfilter_binding_filter", binding->filter,
+        NULL,
+    };
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "nwfilter_binding",
+                                      virAccessPermNWFilterBindingTypeToString(perm),
+                                      attrs);
+}
+
 static int
 virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
                                  const char *driverName,
@@ -409,6 +429,7 @@ virAccessDriver accessDriverPolkit = {
     .checkNetwork = virAccessDriverPolkitCheckNetwork,
     .checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
     .checkNWFilter = virAccessDriverPolkitCheckNWFilter,
+    .checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,
     .checkSecret = virAccessDriverPolkitCheckSecret,
     .checkStoragePool = virAccessDriverPolkitCheckStoragePool,
     .checkStorageVol = virAccessDriverPolkitCheckStorageVol,
diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c
index b43a743027..0ffc6abaf3 100644
--- a/src/access/viraccessdriverstack.c
+++ b/src/access/viraccessdriverstack.c
@@ -197,6 +197,29 @@ virAccessDriverStackCheckNWFilter(virAccessManagerPtr manager,
     return ret;
 }
 
+static int
+virAccessDriverStackCheckNWFilterBinding(virAccessManagerPtr manager,
+                                         const char *driverName,
+                                         virNWFilterBindingDefPtr binding,
+                                         virAccessPermNWFilterBinding perm)
+{
+    virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+    int ret = 1;
+    size_t i;
+
+    for (i = 0; i < priv->managersLen; i++) {
+        int rv;
+        /* We do not short-circuit on first denial - always check all drivers */
+        rv = virAccessManagerCheckNWFilterBinding(priv->managers[i], driverName, binding, perm);
+        if (rv == 0 && ret != -1)
+            ret = 0;
+        else if (rv < 0)
+            ret = -1;
+    }
+
+    return ret;
+}
+
 static int
 virAccessDriverStackCheckSecret(virAccessManagerPtr manager,
                                 const char *driverName,
@@ -277,6 +300,7 @@ virAccessDriver accessDriverStack = {
     .checkNetwork = virAccessDriverStackCheckNetwork,
     .checkNodeDevice = virAccessDriverStackCheckNodeDevice,
     .checkNWFilter = virAccessDriverStackCheckNWFilter,
+    .checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,
     .checkSecret = virAccessDriverStackCheckSecret,
     .checkStoragePool = virAccessDriverStackCheckStoragePool,
     .checkStorageVol = virAccessDriverStackCheckStorageVol,
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index b048a367e3..e7b5bf38da 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -296,6 +296,21 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
     return virAccessManagerSanitizeError(ret);
 }
 
+int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
+                                         const char *driverName,
+                                         virNWFilterBindingDefPtr binding,
+                                         virAccessPermNWFilterBinding perm)
+{
+    int ret = 0;
+    VIR_DEBUG("manager=%p(name=%s) driver=%s binding=%p perm=%d",
+              manager, manager->drv->name, driverName, binding, perm);
+
+    if (manager->drv->checkNWFilterBinding)
+        ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
+
+    return virAccessManagerSanitizeError(ret);
+}
+
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
                                 const char *driverName,
                                 virSecretDefPtr secret,
diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h
index e7eb15d30c..4fc86a1ff2 100644
--- a/src/access/viraccessmanager.h
+++ b/src/access/viraccessmanager.h
@@ -29,6 +29,7 @@
 # include "conf/storage_conf.h"
 # include "conf/secret_conf.h"
 # include "conf/interface_conf.h"
+# include "conf/virnwfilterbindingdef.h"
 # include "access/viraccessperm.h"
 
 typedef struct _virAccessManager virAccessManager;
@@ -73,6 +74,10 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
                                   const char *driverName,
                                   virNWFilterDefPtr nwfilter,
                                   virAccessPermNWFilter perm);
+int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
+                                         const char *driverName,
+                                         virNWFilterBindingDefPtr binding,
+                                         virAccessPermNWFilterBinding perm);
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
                                 const char *driverName,
                                 virSecretDefPtr secret,
diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c
index 0f58290173..d7cbb70b7b 100644
--- a/src/access/viraccessperm.c
+++ b/src/access/viraccessperm.c
@@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect,
               "search_domains", "search_networks",
               "search_storage_pools", "search_node_devices",
               "search_interfaces", "search_secrets",
-              "search_nwfilters",
+              "search_nwfilters", "search_nwfilter_bindings",
               "detect_storage_pools", "pm_control",
               "interface_transaction");
 
@@ -66,6 +66,11 @@ VIR_ENUM_IMPL(virAccessPermNWFilter,
               "getattr", "read", "write",
               "save", "delete");
 
+VIR_ENUM_IMPL(virAccessPermNWFilterBinding,
+              VIR_ACCESS_PERM_NWFILTER_BINDING_LAST,
+              "getattr", "read",
+              "create", "delete");
+
 VIR_ENUM_IMPL(virAccessPermSecret,
               VIR_ACCESS_PERM_SECRET_LAST,
               "getattr", "read", "write",
diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index 1817da73bc..0ea1f7a489 100644
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -94,6 +94,13 @@ typedef enum {
      */
     VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTERS,
 
+    /**
+     * @desc: List network filter bindings
+     * @message: Listing network filter bindings requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTER_BINDINGS,
+
 
     /**
      * @desc: Detect storage pools
@@ -486,6 +493,37 @@ typedef enum {
     VIR_ACCESS_PERM_NWFILTER_LAST
 } virAccessPermNWFilter;
 
+typedef enum {
+
+    /**
+     * @desc: Access network filter
+     * @message: Accessing network filter requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_NWFILTER_BINDING_GETATTR,
+
+    /**
+     * @desc: Read network filter binding
+     * @message: Reading network filter configuration requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_NWFILTER_BINDING_READ,
+
+    /**
+     * @desc: Create network filter binding
+     * @message: Creating network filter binding requires authorization
+     */
+    VIR_ACCESS_PERM_NWFILTER_BINDING_CREATE,
+
+    /**
+     * @desc: Delete network filter binding
+     * @message: Deleting network filter binding requires authorization
+     */
+    VIR_ACCESS_PERM_NWFILTER_BINDING_DELETE,
+
+    VIR_ACCESS_PERM_NWFILTER_BINDING_LAST
+} virAccessPermNWFilterBinding;
+
 typedef enum {
 
     /**
@@ -657,6 +695,7 @@ VIR_ENUM_DECL(virAccessPermInterface);
 VIR_ENUM_DECL(virAccessPermNetwork);
 VIR_ENUM_DECL(virAccessPermNodeDevice);
 VIR_ENUM_DECL(virAccessPermNWFilter);
+VIR_ENUM_DECL(virAccessPermNWFilterBinding);
 VIR_ENUM_DECL(virAccessPermSecret);
 VIR_ENUM_DECL(virAccessPermStoragePool);
 VIR_ENUM_DECL(virAccessPermStorageVol);
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index b8b83b6b40..480ebe7b00 100755
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2033,7 +2033,8 @@ elsif ($mode eq "client") {
             "storage_conf.h",
             "nwfilter_conf.h",
             "node_device_conf.h",
-            "interface_conf.h"
+            "interface_conf.h",
+            "virnwfilterbindingdef.h",
             );
         foreach my $hdr (@headers) {
             print "#include \"$hdr\"\n";
-- 
2.17.0



