access: add permissions for network port objects
Reviewed-by: Laine Stump <laine@laine.org> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
c08fc8d199
commit
e69444e179
@ -21,7 +21,7 @@ use strict;
|
|||
use warnings;
|
||||
|
||||
my @objects = (
|
||||
"CONNECT", "DOMAIN", "INTERFACE",
|
||||
"CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT",
|
||||
"NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER",
|
||||
"SECRET", "STORAGE_POOL", "STORAGE_VOL",
|
||||
);
|
||||
@ -38,6 +38,11 @@ typedef int (*virAccessDriverCheckNetworkDrv)(virAccessManagerPtr manager,
|
|||
const char *driverName,
|
||||
virNetworkDefPtr network,
|
||||
virAccessPermNetwork av);
|
||||
typedef int (*virAccessDriverCheckNetworkPortDrv)(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
virNetworkDefPtr network,
|
||||
virNetworkPortDefPtr port,
|
||||
virAccessPermNetworkPort av);
|
||||
typedef int (*virAccessDriverCheckNodeDeviceDrv)(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
virNodeDeviceDefPtr nodedev,
|
||||
@ -81,6 +86,7 @@ struct _virAccessDriver {
|
|||
virAccessDriverCheckDomainDrv checkDomain;
|
||||
virAccessDriverCheckInterfaceDrv checkInterface;
|
||||
virAccessDriverCheckNetworkDrv checkNetwork;
|
||||
virAccessDriverCheckNetworkPortDrv checkNetworkPort;
|
||||
virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
|
||||
virAccessDriverCheckNWFilterDrv checkNWFilter;
|
||||
virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
|
||||
@ -57,6 +57,16 @@ virAccessDriverNopCheckNetwork(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
|
|||
return 1; /* Allow */
|
||||
}
|
||||
|
||||
static int
|
||||
virAccessDriverNopCheckNetworkPort(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
|
||||
const char *driverName ATTRIBUTE_UNUSED,
|
||||
virNetworkDefPtr network ATTRIBUTE_UNUSED,
|
||||
virNetworkPortDefPtr port ATTRIBUTE_UNUSED,
|
||||
virAccessPermNetworkPort perm ATTRIBUTE_UNUSED)
|
||||
{
|
||||
return 1; /* Allow */
|
||||
}
|
||||
|
||||
static int
|
||||
virAccessDriverNopCheckNodeDevice(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
|
||||
const char *driverName ATTRIBUTE_UNUSED,
|
||||
@ -119,6 +129,7 @@ virAccessDriver accessDriverNop = {
|
|||
.checkDomain = virAccessDriverNopCheckDomain,
|
||||
.checkInterface = virAccessDriverNopCheckInterface,
|
||||
.checkNetwork = virAccessDriverNopCheckNetwork,
|
||||
.checkNetworkPort = virAccessDriverNopCheckNetworkPort,
|
||||
.checkNodeDevice = virAccessDriverNopCheckNodeDevice,
|
||||
.checkNWFilter = virAccessDriverNopCheckNWFilter,
|
||||
.checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
|
||||
@ -237,6 +237,31 @@ virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
|
|||
attrs);
|
||||
}
|
||||
|
||||
static int
|
||||
virAccessDriverPolkitCheckNetworkPort(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
virNetworkDefPtr network,
|
||||
virNetworkPortDefPtr port,
|
||||
virAccessPermNetworkPort perm)
|
||||
{
|
||||
char uuidstr1[VIR_UUID_STRING_BUFLEN];
|
||||
char uuidstr2[VIR_UUID_STRING_BUFLEN];
|
||||
const char *attrs[] = {
|
||||
"connect_driver", driverName,
|
||||
"network_name", network->name,
|
||||
"network_uuid", uuidstr1,
|
||||
"port_uuid", uuidstr2,
|
||||
NULL,
|
||||
};
|
||||
virUUIDFormat(network->uuid, uuidstr1);
|
||||
virUUIDFormat(port->uuid, uuidstr2);
|
||||
|
||||
return virAccessDriverPolkitCheck(manager,
|
||||
"network-port",
|
||||
virAccessPermNetworkPortTypeToString(perm),
|
||||
attrs);
|
||||
}
|
||||
|
||||
static int
|
||||
virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager,
|
||||
const char *driverName,
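Review bot: The attribute keys `network_name`, `network_uuid` and `port_uuid` that virAccessDriverPolkitCheckNetworkPort passes into virAccessDriverPolkitCheck, together with the object name `network-port`, are what administrators will key their polkit rules on, so they are effectively a public interface once released. Nothing in the diff documents them; if the ACL documentation lists the per-object attributes available to polkit rules (it does for the existing objects, as far as I can tell from the parallel checkNetwork code), this commit should add the network-port entry there too. A short comment above the `attrs` array, `/* keys below are visible to polkit rules; keep in sync with the ACL docs */`, would make that coupling explicit. virAccessDriverPolkitCheckNodeDevice begins on the last lines of this hunk and continues outside it.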
|
||||
@ -427,6 +452,7 @@ virAccessDriver accessDriverPolkit = {
|
|||
.checkDomain = virAccessDriverPolkitCheckDomain,
|
||||
.checkInterface = virAccessDriverPolkitCheckInterface,
|
||||
.checkNetwork = virAccessDriverPolkitCheckNetwork,
|
||||
.checkNetworkPort = virAccessDriverPolkitCheckNetworkPort,
|
||||
.checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
|
||||
.checkNWFilter = virAccessDriverPolkitCheckNWFilter,
|
||||
.checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,
|
||||
@ -151,6 +151,30 @@ virAccessDriverStackCheckNetwork(virAccessManagerPtr manager,
|
|||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
virAccessDriverStackCheckNetworkPort(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
virNetworkDefPtr network,
|
||||
virNetworkPortDefPtr port,
|
||||
virAccessPermNetworkPort perm)
|
||||
{
|
||||
virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
|
||||
int ret = 1;
|
||||
size_t i;
|
||||
|
||||
for (i = 0; i < priv->managersLen; i++) {
|
||||
int rv;
|
||||
/* We do not short-circuit on first denial - always check all drivers */
|
||||
rv = virAccessManagerCheckNetworkPort(priv->managers[i], driverName, network, port, perm);
|
||||
if (rv == 0 && ret != -1)
|
||||
ret = 0;
|
||||
else if (rv < 0)
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
static int
|
||||
virAccessDriverStackCheckNodeDevice(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
@ -298,6 +322,7 @@ virAccessDriver accessDriverStack = {
|
|||
.checkDomain = virAccessDriverStackCheckDomain,
|
||||
.checkInterface = virAccessDriverStackCheckInterface,
|
||||
.checkNetwork = virAccessDriverStackCheckNetwork,
|
||||
.checkNetworkPort = virAccessDriverStackCheckNetworkPort,
|
||||
.checkNodeDevice = virAccessDriverStackCheckNodeDevice,
|
||||
.checkNWFilter = virAccessDriverStackCheckNWFilter,
|
||||
.checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,
|
||||
@ -268,6 +268,22 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
|
|||
return virAccessManagerSanitizeError(ret, driverName);
|
||||
}
|
||||
|
||||
int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
virNetworkDefPtr network,
|
||||
virNetworkPortDefPtr port,
|
||||
virAccessPermNetworkPort perm)
|
||||
{
|
||||
int ret = 0;
|
||||
VIR_DEBUG("manager=%p(name=%s) driver=%s network=%p port=%p perm=%d",
|
||||
manager, manager->drv->name, driverName, network, port, perm);
|
||||
|
||||
if (manager->drv->checkNetworkPort)
|
||||
ret = manager->drv->checkNetworkPort(manager, driverName, network, port, perm);
|
||||
|
||||
return virAccessManagerSanitizeError(ret, driverName);
|
||||
}
|
||||
|
||||
int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
virNodeDeviceDefPtr nodedev,
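Review bot: virAccessManagerCheckNetworkPort initialises `ret = 0` and leaves it there when `manager->drv->checkNetworkPort` is NULL, which by the convention visible in this commit (the nop driver returns 1 with the comment `/* Allow */`, the stack driver treats 0 as a denial) means a driver that does not implement the hook fails closed. That is the right default for an access check, but nothing says it is intentional and a later reader could "fix" the initialiser to 1 to make a missing hook permissive. Add `/* ret stays 0 (deny) when the driver provides no checkNetworkPort hook */` above the `if (manager->drv->checkNetworkPort)` line. virAccessManagerCheckNodeDevice begins on the last lines of this hunk and continues outside it.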
|
||||
@ -29,6 +29,7 @@
|
|||
#include "conf/secret_conf.h"
|
||||
#include "conf/interface_conf.h"
|
||||
#include "conf/virnwfilterbindingdef.h"
|
||||
#include "conf/virnetworkportdef.h"
|
||||
#include "access/viraccessperm.h"
|
||||
|
||||
typedef struct _virAccessManager virAccessManager;
|
||||
@ -65,6 +66,11 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
|
|||
const char *driverName,
|
||||
virNetworkDefPtr network,
|
||||
virAccessPermNetwork perm);
|
||||
int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
virNetworkDefPtr network,
|
||||
virNetworkPortDefPtr port,
|
||||
virAccessPermNetworkPort perm);
|
||||
int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
|
||||
const char *driverName,
|
||||
virNodeDeviceDefPtr nodedev,
|
||||
@ -57,6 +57,12 @@ VIR_ENUM_IMPL(virAccessPermNetwork,
|
|||
VIR_ACCESS_PERM_NETWORK_LAST,
|
||||
"getattr", "read", "write",
|
||||
"save", "delete", "start", "stop",
|
||||
"search_ports",
|
||||
);
|
||||
|
||||
VIR_ENUM_IMPL(virAccessPermNetworkPort,
|
||||
VIR_ACCESS_PERM_NETWORK_PORT_LAST,
|
||||
"getattr", "read", "write", "create", "delete",
|
||||
);
|
||||
|
||||
VIR_ENUM_IMPL(virAccessPermNodeDevice,
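Review bot: The new `"search_ports"` string is appended after `"stop"` in the virAccessPermNetwork table, but the header hunk in this same commit inserts VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS between VIR_ACCESS_PERM_NETWORK_START and VIR_ACCESS_PERM_NETWORK_STOP. If the header is as shown, virAccessPermNetworkTypeToString() maps STOP to "search_ports" and SEARCH_PORTS to "stop", so the polkit driver would authorise a network stop against the listing action and a port listing against the stop action — an authorization mix-up, not a cosmetic one — and VIR_ENUM_IMPL's element-count check would not catch an ordering error. Either change the table to `"save", "delete", "start", "search_ports", "stop",` or move the enumerator after VIR_ACCESS_PERM_NETWORK_STOP in the header; whichever is chosen, the two must agree.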
|
||||
@ -404,6 +404,12 @@ typedef enum {
|
|||
*/
|
||||
VIR_ACCESS_PERM_NETWORK_START,
|
||||
|
||||
/**
|
||||
* @desc: List network ports
|
||||
* @message: Listing network ports requires authorization
|
||||
*/
|
||||
VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
|
||||
|
||||
/**
|
||||
* @desc: Stop network
|
||||
* @message: Stopping network requires authorization
|
||||
@ -413,6 +419,43 @@ typedef enum {
|
|||
VIR_ACCESS_PERM_NETWORK_LAST
|
||||
} virAccessPermNetwork;
|
||||
|
||||
typedef enum {
|
||||
|
||||
/**
|
||||
* @desc: Access network port
|
||||
* @message: Accessing network port requires authorization
|
||||
* @anonymous: 1
|
||||
*/
|
||||
VIR_ACCESS_PERM_NETWORK_PORT_GETATTR,
|
||||
|
||||
/**
|
||||
* @desc: Read network port
|
||||
* @message: Reading network port configuration requires authorization
|
||||
* @anonymous: 1
|
||||
*/
|
||||
VIR_ACCESS_PERM_NETWORK_PORT_READ,
|
||||
|
||||
/**
|
||||
* @desc: Read network port
|
||||
* @message: Writing network port configuration requires authorization
|
||||
*/
|
||||
VIR_ACCESS_PERM_NETWORK_PORT_WRITE,
|
||||
|
||||
/**
|
||||
* @desc: Create network port
|
||||
* @message: Creating network port configuration requires authorization
|
||||
*/
|
||||
VIR_ACCESS_PERM_NETWORK_PORT_CREATE,
|
||||
|
||||
/**
|
||||
* @desc: Delete network port
|
||||
* @message: Deleting network port configuration requires authorization
|
||||
*/
|
||||
VIR_ACCESS_PERM_NETWORK_PORT_DELETE,
|
||||
|
||||
VIR_ACCESS_PERM_NETWORK_PORT_LAST
|
||||
} virAccessPermNetworkPort;
|
||||
|
||||
typedef enum {
|
||||
|
||||
/**
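Review bot: The `@desc` on VIR_ACCESS_PERM_NETWORK_PORT_WRITE reads `Read network port`, a copy of the READ entry directly above it, while its own `@message` says "Writing network port configuration requires authorization". genpolkit.pl is touched by this commit and these `@desc`/`@message` tags look like its input, so if that inference is right the generated policy would describe the write action as a read to anyone auditing polkit rules. Change it to `* @desc: Write network port`. The `typedef enum {` on the last lines of this hunk opens the next permission set, which continues outside the hunk.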
|
||||
@ -692,6 +735,7 @@ VIR_ENUM_DECL(virAccessPermConnect);
|
|||
VIR_ENUM_DECL(virAccessPermDomain);
|
||||
VIR_ENUM_DECL(virAccessPermInterface);
|
||||
VIR_ENUM_DECL(virAccessPermNetwork);
|
||||
VIR_ENUM_DECL(virAccessPermNetworkPort);
|
||||
VIR_ENUM_DECL(virAccessPermNodeDevice);
|
||||
VIR_ENUM_DECL(virAccessPermNWFilter);
|
||||
VIR_ENUM_DECL(virAccessPermNWFilterBinding);
|
||||