openkylin
/
libvirt
mirror of https://gitee.com/openkylin/libvirt.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

access: add permissions for network port objects 

Reviewed-by: Laine Stump <laine@laine.org>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2018-11-30 16:34:21 +00:00
parent c08fc8d199
commit e69444e179
9 changed files with 141 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/access/genpolkit.pl
View File

@ -21,7 +21,7 @@ use strict;
use warnings; use warnings;
my @objects = ( my @objects = (
"CONNECT", "DOMAIN", "INTERFACE", "CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT",
"NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER", "NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER",
"SECRET", "STORAGE_POOL", "STORAGE_VOL", "SECRET", "STORAGE_POOL", "STORAGE_VOL",
); );

6
src/access/viraccessdriver.h
View File

@ -38,6 +38,11 @@ typedef int (*virAccessDriverCheckNetworkDrv)(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virNetworkDefPtr network, virNetworkDefPtr network,
virAccessPermNetwork av); virAccessPermNetwork av);
typedef int (*virAccessDriverCheckNetworkPortDrv)(virAccessManagerPtr manager,
const char *driverName,
virNetworkDefPtr network,
virNetworkPortDefPtr port,
virAccessPermNetworkPort av);
typedef int (*virAccessDriverCheckNodeDeviceDrv)(virAccessManagerPtr manager, typedef int (*virAccessDriverCheckNodeDeviceDrv)(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virNodeDeviceDefPtr nodedev, virNodeDeviceDefPtr nodedev,
@ -81,6 +86,7 @@ struct _virAccessDriver {
virAccessDriverCheckDomainDrv checkDomain; virAccessDriverCheckDomainDrv checkDomain;
virAccessDriverCheckInterfaceDrv checkInterface; virAccessDriverCheckInterfaceDrv checkInterface;
virAccessDriverCheckNetworkDrv checkNetwork; virAccessDriverCheckNetworkDrv checkNetwork;
virAccessDriverCheckNetworkPortDrv checkNetworkPort;
virAccessDriverCheckNodeDeviceDrv checkNodeDevice; virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
virAccessDriverCheckNWFilterDrv checkNWFilter; virAccessDriverCheckNWFilterDrv checkNWFilter;
virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding; virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;

11
src/access/viraccessdrivernop.c
View File

@ -57,6 +57,16 @@ virAccessDriverNopCheckNetwork(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
return 1; /* Allow */ return 1; /* Allow */
} }
static int
virAccessDriverNopCheckNetworkPort(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
const char *driverName ATTRIBUTE_UNUSED,
virNetworkDefPtr network ATTRIBUTE_UNUSED,
virNetworkPortDefPtr port ATTRIBUTE_UNUSED,
virAccessPermNetworkPort perm ATTRIBUTE_UNUSED)
{
return 1; /* Allow */
}
static int static int
virAccessDriverNopCheckNodeDevice(virAccessManagerPtr manager ATTRIBUTE_UNUSED, virAccessDriverNopCheckNodeDevice(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
const char *driverName ATTRIBUTE_UNUSED, const char *driverName ATTRIBUTE_UNUSED,
@ -119,6 +129,7 @@ virAccessDriver accessDriverNop = {
.checkDomain = virAccessDriverNopCheckDomain, .checkDomain = virAccessDriverNopCheckDomain,
.checkInterface = virAccessDriverNopCheckInterface, .checkInterface = virAccessDriverNopCheckInterface,
.checkNetwork = virAccessDriverNopCheckNetwork, .checkNetwork = virAccessDriverNopCheckNetwork,
.checkNetworkPort = virAccessDriverNopCheckNetworkPort,
.checkNodeDevice = virAccessDriverNopCheckNodeDevice, .checkNodeDevice = virAccessDriverNopCheckNodeDevice,
.checkNWFilter = virAccessDriverNopCheckNWFilter, .checkNWFilter = virAccessDriverNopCheckNWFilter,
.checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding, .checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,

26
src/access/viraccessdriverpolkit.c
View File

@ -237,6 +237,31 @@ virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
attrs); attrs);
} }
static int
virAccessDriverPolkitCheckNetworkPort(virAccessManagerPtr manager,
const char *driverName,
virNetworkDefPtr network,
virNetworkPortDefPtr port,
virAccessPermNetworkPort perm)
{
char uuidstr1[VIR_UUID_STRING_BUFLEN];
char uuidstr2[VIR_UUID_STRING_BUFLEN];
const char *attrs[] = {
"connect_driver", driverName,
"network_name", network->name,
"network_uuid", uuidstr1,
"port_uuid", uuidstr2,
NULL,
};
virUUIDFormat(network->uuid, uuidstr1);
virUUIDFormat(port->uuid, uuidstr2);
return virAccessDriverPolkitCheck(manager,
"network-port",
virAccessPermNetworkPortTypeToString(perm),
attrs);
}
static int static int
virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager, virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
@ -427,6 +452,7 @@ virAccessDriver accessDriverPolkit = {
.checkDomain = virAccessDriverPolkitCheckDomain, .checkDomain = virAccessDriverPolkitCheckDomain,
.checkInterface = virAccessDriverPolkitCheckInterface, .checkInterface = virAccessDriverPolkitCheckInterface,
.checkNetwork = virAccessDriverPolkitCheckNetwork, .checkNetwork = virAccessDriverPolkitCheckNetwork,
.checkNetworkPort = virAccessDriverPolkitCheckNetworkPort,
.checkNodeDevice = virAccessDriverPolkitCheckNodeDevice, .checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
.checkNWFilter = virAccessDriverPolkitCheckNWFilter, .checkNWFilter = virAccessDriverPolkitCheckNWFilter,
.checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding, .checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,

25
src/access/viraccessdriverstack.c
View File

@ -151,6 +151,30 @@ virAccessDriverStackCheckNetwork(virAccessManagerPtr manager,
return ret; return ret;
} }
static int
virAccessDriverStackCheckNetworkPort(virAccessManagerPtr manager,
const char *driverName,
virNetworkDefPtr network,
virNetworkPortDefPtr port,
virAccessPermNetworkPort perm)
{
virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
int ret = 1;
size_t i;
for (i = 0; i < priv->managersLen; i++) {
int rv;
/* We do not short-circuit on first denial - always check all drivers */
rv = virAccessManagerCheckNetworkPort(priv->managers[i], driverName, network, port, perm);
if (rv == 0 && ret != -1)
ret = 0;
else if (rv < 0)
ret = -1;
}
return ret;
}
static int static int
virAccessDriverStackCheckNodeDevice(virAccessManagerPtr manager, virAccessDriverStackCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
@ -298,6 +322,7 @@ virAccessDriver accessDriverStack = {
.checkDomain = virAccessDriverStackCheckDomain, .checkDomain = virAccessDriverStackCheckDomain,
.checkInterface = virAccessDriverStackCheckInterface, .checkInterface = virAccessDriverStackCheckInterface,
.checkNetwork = virAccessDriverStackCheckNetwork, .checkNetwork = virAccessDriverStackCheckNetwork,
.checkNetworkPort = virAccessDriverStackCheckNetworkPort,
.checkNodeDevice = virAccessDriverStackCheckNodeDevice, .checkNodeDevice = virAccessDriverStackCheckNodeDevice,
.checkNWFilter = virAccessDriverStackCheckNWFilter, .checkNWFilter = virAccessDriverStackCheckNWFilter,
.checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding, .checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,

16
src/access/viraccessmanager.c
View File

@ -268,6 +268,22 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
return virAccessManagerSanitizeError(ret, driverName); return virAccessManagerSanitizeError(ret, driverName);
} }
int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager,
const char *driverName,
virNetworkDefPtr network,
virNetworkPortDefPtr port,
virAccessPermNetworkPort perm)
{
int ret = 0;
VIR_DEBUG("manager=%p(name=%s) driver=%s network=%p port=%p perm=%d",
manager, manager->drv->name, driverName, network, port, perm);
if (manager->drv->checkNetworkPort)
ret = manager->drv->checkNetworkPort(manager, driverName, network, port, perm);
return virAccessManagerSanitizeError(ret, driverName);
}
int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager, int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virNodeDeviceDefPtr nodedev, virNodeDeviceDefPtr nodedev,

6
src/access/viraccessmanager.h
View File

@ -29,6 +29,7 @@
#include "conf/secret_conf.h" #include "conf/secret_conf.h"
#include "conf/interface_conf.h" #include "conf/interface_conf.h"
#include "conf/virnwfilterbindingdef.h" #include "conf/virnwfilterbindingdef.h"
#include "conf/virnetworkportdef.h"
#include "access/viraccessperm.h" #include "access/viraccessperm.h"
typedef struct _virAccessManager virAccessManager; typedef struct _virAccessManager virAccessManager;
@ -65,6 +66,11 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virNetworkDefPtr network, virNetworkDefPtr network,
virAccessPermNetwork perm); virAccessPermNetwork perm);
int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager,
const char *driverName,
virNetworkDefPtr network,
virNetworkPortDefPtr port,
virAccessPermNetworkPort perm);
int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager, int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName, const char *driverName,
virNodeDeviceDefPtr nodedev, virNodeDeviceDefPtr nodedev,

6
src/access/viraccessperm.c
View File

@ -57,6 +57,12 @@ VIR_ENUM_IMPL(virAccessPermNetwork,
VIR_ACCESS_PERM_NETWORK_LAST, VIR_ACCESS_PERM_NETWORK_LAST,
"getattr", "read", "write", "getattr", "read", "write",
"save", "delete", "start", "stop", "save", "delete", "start", "stop",
"search_ports",
);
VIR_ENUM_IMPL(virAccessPermNetworkPort,
VIR_ACCESS_PERM_NETWORK_PORT_LAST,
"getattr", "read", "write", "create", "delete",
); );
VIR_ENUM_IMPL(virAccessPermNodeDevice, VIR_ENUM_IMPL(virAccessPermNodeDevice,

44
src/access/viraccessperm.h
View File

@ -404,6 +404,12 @@ typedef enum {
*/ */
VIR_ACCESS_PERM_NETWORK_START, VIR_ACCESS_PERM_NETWORK_START,
/**
* @desc: List network ports
* @message: Listing network ports requires authorization
*/
VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
/** /**
* @desc: Stop network * @desc: Stop network
* @message: Stopping network requires authorization * @message: Stopping network requires authorization
@ -413,6 +419,43 @@ typedef enum {
VIR_ACCESS_PERM_NETWORK_LAST VIR_ACCESS_PERM_NETWORK_LAST
} virAccessPermNetwork; } virAccessPermNetwork;
typedef enum {
/**
* @desc: Access network port
* @message: Accessing network port requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NETWORK_PORT_GETATTR,
/**
* @desc: Read network port
* @message: Reading network port configuration requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_NETWORK_PORT_READ,
/**
* @desc: Read network port
* @message: Writing network port configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_PORT_WRITE,
/**
* @desc: Create network port
* @message: Creating network port configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_PORT_CREATE,
/**
* @desc: Delete network port
* @message: Deleting network port configuration requires authorization
*/
VIR_ACCESS_PERM_NETWORK_PORT_DELETE,
VIR_ACCESS_PERM_NETWORK_PORT_LAST
} virAccessPermNetworkPort;
typedef enum { typedef enum {
/** /**
@ -692,6 +735,7 @@ VIR_ENUM_DECL(virAccessPermConnect);
VIR_ENUM_DECL(virAccessPermDomain); VIR_ENUM_DECL(virAccessPermDomain);
VIR_ENUM_DECL(virAccessPermInterface); VIR_ENUM_DECL(virAccessPermInterface);
VIR_ENUM_DECL(virAccessPermNetwork); VIR_ENUM_DECL(virAccessPermNetwork);
VIR_ENUM_DECL(virAccessPermNetworkPort);
VIR_ENUM_DECL(virAccessPermNodeDevice); VIR_ENUM_DECL(virAccessPermNodeDevice);
VIR_ENUM_DECL(virAccessPermNWFilter); VIR_ENUM_DECL(virAccessPermNWFilter);
VIR_ENUM_DECL(virAccessPermNWFilterBinding); VIR_ENUM_DECL(virAccessPermNWFilterBinding);