[libvirt PATCH v3 06/10] util: helper to temporary elevate privileges of the current identity

Daniel P. Berrangé berrange at redhat.com
Wed May 12 13:33:52 UTC 2021


When talking to the secret driver, the callers inside libvirt daemons
need to be able to run with elevated privileges that prove the API
calls are made by a libvirt daemon, not an end user application.

The virIdentityElevateCurrent method will take the current identity
and, if not already present, add the system token. The old current
identity is returned to the caller. With the VIR_IDENTITY_AUTORESTORE
annotation, the old current identity will be restored upon leaving
the codeblock scope.

    ... early work with regular privileges ...
    if (something needing elevated privs) {
        VIR_IDENTITY_AUTORESTORE virIdentity *oldident =
	    virIdentityElevateCurrent();
	if (!oldident)
	    return -1;

        ... do something with elevated privileges ...
    }
    ... later work with regular privileges ...

Signed-off-by: Daniel P. Berrangé <berrange at redhat.com>
---
 src/libvirt_private.syms |  2 ++
 src/util/viridentity.c   | 47 ++++++++++++++++++++++++++++++++++++++++
 src/util/viridentity.h   |  5 +++++
 3 files changed, 54 insertions(+)

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 443a78e698..2ea950c5cd 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -2396,6 +2396,7 @@ virHostGetBootTime;
 
 
 # util/viridentity.h
+virIdentityElevateCurrent;
 virIdentityEnsureSystemToken;
 virIdentityGetCurrent;
 virIdentityGetGroupName;
@@ -2412,6 +2413,7 @@ virIdentityGetUserName;
 virIdentityGetX509DName;
 virIdentityNew;
 virIdentityNewCopy;
+virIdentityRestoreHelper;
 virIdentitySetCurrent;
 virIdentitySetGroupName;
 virIdentitySetParameters;
diff --git a/src/util/viridentity.c b/src/util/viridentity.c
index 01edabf2d7..2e3fcc5add 100644
--- a/src/util/viridentity.c
+++ b/src/util/viridentity.c
@@ -154,6 +154,53 @@ int virIdentitySetCurrent(virIdentity *ident)
 }
 
 
+/**
+ * virIdentityElevateCurrent:
+ *
+ * Set the new identity to be associated with this thread,
+ * to an elevated copy of the current identity. The old
+ * current identity is returned and should be released by
+ * the caller when no longer required.
+ *
+ * Returns the previous identity, or NULL on error
+ */
+virIdentity *virIdentityElevateCurrent(void)
+{
+    g_autoptr(virIdentity) ident = virIdentityGetCurrent();
+    const char *token;
+    int rc;
+
+    if (!ident) {
+        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("No current identity to elevate"));
+        return NULL;
+    }
+
+    if ((rc = virIdentityGetSystemToken(ident, &token)) < 0)
+        return NULL;
+
+    if (rc == 0) {
+        g_autoptr(virIdentity) identel = virIdentityNewCopy(ident);
+
+        if (virIdentitySetSystemToken(identel, systemToken) < 0)
+            return NULL;
+
+        if (virIdentitySetCurrent(identel) < 0)
+            return NULL;
+    }
+
+    return g_steal_pointer(&ident);
+}
+
+
+void virIdentityRestoreHelper(virIdentity **identptr)
+{
+    virIdentity *ident = *identptr;
+
+    if (ident != NULL)
+        virIdentitySetCurrent(ident);
+}
+
 #define TOKEN_BYTES 16
 #define TOKEN_STRLEN (TOKEN_BYTES * 2)
 
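Review bot: virIdentityRestoreHelper discards the result of virIdentitySetCurrent(), so if the restore fails the thread silently keeps the identity that carries the system token for the rest of its work. A cleanup function cannot return an error, so it should at least log the failure, e.g. `if (virIdentitySetCurrent(ident) < 0) VIR_WARN("Unable to restore previous identity");`. The helper also never drops the reference that virIdentityElevateCurrent hands back via `g_steal_pointer(&ident)`, and a VIR_IDENTITY_AUTORESTORE variable has no other cleanup, so each elevated scope appears to leak one virIdentity unless virIdentitySetCurrent consumes the reference (its body is outside this hunk). Adding `g_object_unref(ident);` after the restore would match the "released by the caller" wording in the doc comment. In virIdentityElevateCurrent, `systemToken` is not declared in the hunk and is presumably a file-scope variable, so it is worth confirming that it is always initialised before this path can run.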
diff --git a/src/util/viridentity.h b/src/util/viridentity.h
index 512bca286d..848e5b2056 100644
--- a/src/util/viridentity.h
+++ b/src/util/viridentity.h
@@ -27,8 +27,13 @@
 #define VIR_TYPE_IDENTITY vir_identity_get_type()
 G_DECLARE_FINAL_TYPE(virIdentity, vir_identity, VIR, IDENTITY, GObject);
 
+#define VIR_IDENTITY_AUTORESTORE __attribute__((cleanup(virIdentityRestoreHelper)))
+
 virIdentity *virIdentityGetCurrent(void);
 int virIdentitySetCurrent(virIdentity *ident);
+virIdentity *virIdentityElevateCurrent(void);
+
+void virIdentityRestoreHelper(virIdentity **identptr);
 
 virIdentity *virIdentityGetSystem(void);
 
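Review bot: VIR_IDENTITY_AUTORESTORE has no comment stating its contract, and misuse is easy. The cleanup handler runs on every exit from the scope and virIdentityRestoreHelper reads `*identptr`, so a variable declared with the macro but not initialised at its declaration would hand the helper an indeterminate pointer. I would add a comment above the macro such as `/* Variable must be initialised at declaration (NULL or the result of virIdentityElevateCurrent()); on scope exit a non-NULL value is made the current identity again. */`. It would also help to say there whether the helper releases the reference, since that cannot be told from the header.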
-- 
2.31.1



