[libvirt] [PATCH v5 15/24] access: add permissions for network port objects

Daniel P. Berrangé berrange at redhat.com
Tue May 14 15:48:27 UTC 2019


Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 src/access/genpolkit.pl            |  2 +-
 src/access/viraccessdriver.h       |  6 ++++
 src/access/viraccessdrivernop.c    | 11 ++++++++
 src/access/viraccessdriverpolkit.c | 26 ++++++++++++++++++
 src/access/viraccessdriverstack.c  | 25 +++++++++++++++++
 src/access/viraccessmanager.c      | 16 +++++++++++
 src/access/viraccessmanager.h      |  6 ++++
 src/access/viraccessperm.c         |  6 ++++
 src/access/viraccessperm.h         | 44 ++++++++++++++++++++++++++++++
 9 files changed, 141 insertions(+), 1 deletion(-)

diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl
index e074c90eb6..f8f20caf65 100755
--- a/src/access/genpolkit.pl
+++ b/src/access/genpolkit.pl
@@ -21,7 +21,7 @@ use strict;
 use warnings;
 
 my @objects = (
-    "CONNECT", "DOMAIN", "INTERFACE",
+    "CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT",
     "NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER",
     "SECRET", "STORAGE_POOL", "STORAGE_VOL",
     );
diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
index 2cc3950f60..590d86fdf0 100644
--- a/src/access/viraccessdriver.h
+++ b/src/access/viraccessdriver.h
@@ -39,6 +39,11 @@ typedef int (*virAccessDriverCheckNetworkDrv)(virAccessManagerPtr manager,
                                               const char *driverName,
                                               virNetworkDefPtr network,
                                               virAccessPermNetwork av);
+typedef int (*virAccessDriverCheckNetworkPortDrv)(virAccessManagerPtr manager,
+                                                  const char *driverName,
+                                                  virNetworkDefPtr network,
+                                                  virNetworkPortDefPtr port,
+                                                  virAccessPermNetworkPort av);
 typedef int (*virAccessDriverCheckNodeDeviceDrv)(virAccessManagerPtr manager,
                                                  const char *driverName,
                                                  virNodeDeviceDefPtr nodedev,
@@ -82,6 +87,7 @@ struct _virAccessDriver {
     virAccessDriverCheckDomainDrv checkDomain;
     virAccessDriverCheckInterfaceDrv checkInterface;
     virAccessDriverCheckNetworkDrv checkNetwork;
+    virAccessDriverCheckNetworkPortDrv checkNetworkPort;
     virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
     virAccessDriverCheckNWFilterDrv checkNWFilter;
     virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
index 98ef9206c5..5e9d9db759 100644
--- a/src/access/viraccessdrivernop.c
+++ b/src/access/viraccessdrivernop.c
@@ -57,6 +57,16 @@ virAccessDriverNopCheckNetwork(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
     return 1; /* Allow */
 }
 
+static int
+virAccessDriverNopCheckNetworkPort(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+                                   const char *driverName ATTRIBUTE_UNUSED,
+                                   virNetworkDefPtr network ATTRIBUTE_UNUSED,
+                                   virNetworkPortDefPtr port ATTRIBUTE_UNUSED,
+                                   virAccessPermNetworkPort perm ATTRIBUTE_UNUSED)
+{
+    return 1; /* Allow */
+}
+
 static int
 virAccessDriverNopCheckNodeDevice(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
                                   const char *driverName ATTRIBUTE_UNUSED,
@@ -119,6 +129,7 @@ virAccessDriver accessDriverNop = {
     .checkDomain = virAccessDriverNopCheckDomain,
     .checkInterface = virAccessDriverNopCheckInterface,
     .checkNetwork = virAccessDriverNopCheckNetwork,
+    .checkNetworkPort = virAccessDriverNopCheckNetworkPort,
     .checkNodeDevice = virAccessDriverNopCheckNodeDevice,
     .checkNWFilter = virAccessDriverNopCheckNWFilter,
     .checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 6954d74a15..b1473cd0a4 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -237,6 +237,31 @@ virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
                                       attrs);
 }
 
+static int
+virAccessDriverPolkitCheckNetworkPort(virAccessManagerPtr manager,
+                                      const char *driverName,
+                                      virNetworkDefPtr network,
+                                      virNetworkPortDefPtr port,
+                                      virAccessPermNetworkPort perm)
+{
+    char uuidstr1[VIR_UUID_STRING_BUFLEN];
+    char uuidstr2[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect_driver", driverName,
+        "network_name", network->name,
+        "network_uuid", uuidstr1,
+        "port_uuid", uuidstr2,
+        NULL,
+    };
+    virUUIDFormat(network->uuid, uuidstr1);
+    virUUIDFormat(port->uuid, uuidstr2);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "network-port",
+                                      virAccessPermNetworkPortTypeToString(perm),
+                                      attrs);
+}
+
 static int
 virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager,
                                      const char *driverName,
@@ -427,6 +452,7 @@ virAccessDriver accessDriverPolkit = {
     .checkDomain = virAccessDriverPolkitCheckDomain,
     .checkInterface = virAccessDriverPolkitCheckInterface,
     .checkNetwork = virAccessDriverPolkitCheckNetwork,
+    .checkNetworkPort = virAccessDriverPolkitCheckNetworkPort,
     .checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
     .checkNWFilter = virAccessDriverPolkitCheckNWFilter,
     .checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,
diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c
index 0ffc6abaf3..238caef115 100644
--- a/src/access/viraccessdriverstack.c
+++ b/src/access/viraccessdriverstack.c
@@ -151,6 +151,30 @@ virAccessDriverStackCheckNetwork(virAccessManagerPtr manager,
     return ret;
 }
 
+static int
+virAccessDriverStackCheckNetworkPort(virAccessManagerPtr manager,
+                                     const char *driverName,
+                                     virNetworkDefPtr network,
+                                     virNetworkPortDefPtr port,
+                                     virAccessPermNetworkPort perm)
+{
+    virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+    int ret = 1;
+    size_t i;
+
+    for (i = 0; i < priv->managersLen; i++) {
+        int rv;
+        /* We do not short-circuit on first denial - always check all drivers */
+        rv = virAccessManagerCheckNetworkPort(priv->managers[i], driverName, network, port, perm);
+        if (rv == 0 && ret != -1)
+            ret = 0;
+        else if (rv < 0)
+            ret = -1;
+    }
+
+    return ret;
+}
+
 static int
 virAccessDriverStackCheckNodeDevice(virAccessManagerPtr manager,
                                     const char *driverName,
@@ -298,6 +322,7 @@ virAccessDriver accessDriverStack = {
     .checkDomain = virAccessDriverStackCheckDomain,
     .checkInterface = virAccessDriverStackCheckInterface,
     .checkNetwork = virAccessDriverStackCheckNetwork,
+    .checkNetworkPort = virAccessDriverStackCheckNetworkPort,
     .checkNodeDevice = virAccessDriverStackCheckNodeDevice,
     .checkNWFilter = virAccessDriverStackCheckNWFilter,
     .checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index f5d62604cf..24d9713cfd 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -268,6 +268,22 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
     return virAccessManagerSanitizeError(ret, driverName);
 }
 
+int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager,
+                                     const char *driverName,
+                                     virNetworkDefPtr network,
+                                     virNetworkPortDefPtr port,
+                                     virAccessPermNetworkPort perm)
+{
+    int ret = 0;
+    VIR_DEBUG("manager=%p(name=%s) driver=%s network=%p port=%p perm=%d",
+              manager, manager->drv->name, driverName, network, port, perm);
+
+    if (manager->drv->checkNetworkPort)
+        ret = manager->drv->checkNetworkPort(manager, driverName, network, port, perm);
+
+    return virAccessManagerSanitizeError(ret, driverName);
+}
+
 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
                                     const char *driverName,
                                     virNodeDeviceDefPtr nodedev,
diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h
index ab5ef87585..bedd6ba475 100644
--- a/src/access/viraccessmanager.h
+++ b/src/access/viraccessmanager.h
@@ -30,6 +30,7 @@
 # include "conf/secret_conf.h"
 # include "conf/interface_conf.h"
 # include "conf/virnwfilterbindingdef.h"
+# include "conf/virnetworkportdef.h"
 # include "access/viraccessperm.h"
 
 typedef struct _virAccessManager virAccessManager;
@@ -66,6 +67,11 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
                                  const char *driverName,
                                  virNetworkDefPtr network,
                                  virAccessPermNetwork perm);
+int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager,
+                                     const char *driverName,
+                                     virNetworkDefPtr network,
+                                     virNetworkPortDefPtr port,
+                                     virAccessPermNetworkPort perm);
 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
                                     const char *driverName,
                                     virNodeDeviceDefPtr nodedev,
diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c
index 67f751ef9c..74993e9f29 100644
--- a/src/access/viraccessperm.c
+++ b/src/access/viraccessperm.c
@@ -57,6 +57,12 @@ VIR_ENUM_IMPL(virAccessPermNetwork,
               VIR_ACCESS_PERM_NETWORK_LAST,
               "getattr", "read", "write",
               "save", "delete", "start", "stop",
+              "search_ports",
+);
+
+VIR_ENUM_IMPL(virAccessPermNetworkPort,
+              VIR_ACCESS_PERM_NETWORK_PORT_LAST,
+              "getattr", "read", "write", "create", "delete",
 );
 
 VIR_ENUM_IMPL(virAccessPermNodeDevice,
diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index ed1f7168ca..0fe618328b 100644
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -405,6 +405,12 @@ typedef enum {
      */
     VIR_ACCESS_PERM_NETWORK_START,
 
+    /**
+     * @desc: List network ports
+     * @message: Listing network ports requires authorization
+     */
+    VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
+
     /**
      * @desc: Stop network
      * @message: Stopping network requires authorization
@@ -414,6 +420,43 @@ typedef enum {
     VIR_ACCESS_PERM_NETWORK_LAST
 } virAccessPermNetwork;
 
+typedef enum {
+
+    /**
+     * @desc: Access network port
+     * @message: Accessing network port requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_NETWORK_PORT_GETATTR,
+
+    /**
+     * @desc: Read network port
+     * @message: Reading network port configuration requires authorization
+     * @anonymous: 1
+     */
+    VIR_ACCESS_PERM_NETWORK_PORT_READ,
+
+    /**
+     * @desc: Read network port
+     * @message: Writing network port configuration requires authorization
+     */
+    VIR_ACCESS_PERM_NETWORK_PORT_WRITE,
+
+    /**
+     * @desc: Create network port
+     * @message: Creating network port configuration requires authorization
+     */
+    VIR_ACCESS_PERM_NETWORK_PORT_CREATE,
+
+    /**
+     * @desc: Delete network port
+     * @message: Deleting network port configuration requires authorization
+     */
+    VIR_ACCESS_PERM_NETWORK_PORT_DELETE,
+
+    VIR_ACCESS_PERM_NETWORK_PORT_LAST
+} virAccessPermNetworkPort;
+
 typedef enum {
 
     /**
@@ -693,6 +736,7 @@ VIR_ENUM_DECL(virAccessPermConnect);
 VIR_ENUM_DECL(virAccessPermDomain);
 VIR_ENUM_DECL(virAccessPermInterface);
 VIR_ENUM_DECL(virAccessPermNetwork);
+VIR_ENUM_DECL(virAccessPermNetworkPort);
 VIR_ENUM_DECL(virAccessPermNodeDevice);
 VIR_ENUM_DECL(virAccessPermNWFilter);
 VIR_ENUM_DECL(virAccessPermNWFilterBinding);
-- 
2.21.0




More information about the libvir-list mailing list