From: Daniel P. Berrangé
To: libvir-list@redhat.com
Date: Tue, 15 May 2018 18:43:24 +0100
Message-Id: <20180515174337.11287-9-berrange@redhat.com>
In-Reply-To: <20180515174337.11287-1-berrange@redhat.com>
References: <20180515174337.11287-1-berrange@redhat.com>
Subject: [libvirt] [PATCH v2 08/21] access: add nwfilter binding object permissions

Signed-off-by: Daniel P. Berrangé
Reviewed-by: John Ferlan
---
 src/access/viraccessdriver.h       |  5 ++++
 src/access/viraccessdrivernop.c    | 10 ++++++++
 src/access/viraccessdriverpolkit.c | 21 ++++++++++++++++
 src/access/viraccessdriverstack.c  | 24 ++++++++++++++++++
 src/access/viraccessmanager.c      | 15 ++++++++++++
 src/access/viraccessmanager.h      |  5 ++++
 src/access/viraccessperm.c         |  7 +++++-
 src/access/viraccessperm.h         | 39 ++++++++++++++++++++++++++++++
 src/rpc/gendispatch.pl             |  3 ++-
 9 files changed, 127 insertions(+), 2 deletions(-)

diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h index e3050b6439..3b25f36cab 100644 --- a/src/access/viraccessdriver.h +++ b/src/access/viraccessdriver.h 
@@ -47,6 +47,10 @@ typedef int (*virAccessDriverCheckNWFilterDrv)(virAccess= ManagerPtr manager, const char *driverName, virNWFilterDefPtr nwfilter, virAccessPermNWFilter av); +typedef int (*virAccessDriverCheckNWFilterBindingDrv)(virAccessManagerPtr = manager, + const char *driverNa= me, + virNWFilterBindingDe= fPtr binding, + virAccessPermNWFilte= rBinding av); typedef int (*virAccessDriverCheckSecretDrv)(virAccessManagerPtr manager, const char *driverName, virSecretDefPtr secret, @@ -80,6 +84,7 @@ struct _virAccessDriver { virAccessDriverCheckNetworkDrv checkNetwork; virAccessDriverCheckNodeDeviceDrv checkNodeDevice; virAccessDriverCheckNWFilterDrv checkNWFilter; + virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding; virAccessDriverCheckSecretDrv checkSecret; virAccessDriverCheckStoragePoolDrv checkStoragePool; virAccessDriverCheckStorageVolDrv checkStorageVol; diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdriverno= p.c index 86ceef37c2..98ef9206c5 100644 --- a/src/access/viraccessdrivernop.c +++ b/src/access/viraccessdrivernop.c @@ -75,6 +75,15 @@ virAccessDriverNopCheckNWFilter(virAccessManagerPtr mana= ger ATTRIBUTE_UNUSED, return 1; /* Allow */ } =20 +static int +virAccessDriverNopCheckNWFilterBinding(virAccessManagerPtr manager ATTRIBU= TE_UNUSED, + const char *driverName ATTRIBUTE_UN= USED, + virNWFilterBindingDefPtr binding AT= TRIBUTE_UNUSED, + virAccessPermNWFilterBinding perm A= TTRIBUTE_UNUSED) +{ + return 1; /* Allow */ +} + static int virAccessDriverNopCheckSecret(virAccessManagerPtr manager ATTRIBUTE_UNUSED, const char *driverName ATTRIBUTE_UNUSED, 
@@ -112,6 +121,7 @@ virAccessDriver accessDriverNop =3D { .checkNetwork =3D virAccessDriverNopCheckNetwork, .checkNodeDevice =3D virAccessDriverNopCheckNodeDevice, .checkNWFilter =3D virAccessDriverNopCheckNWFilter, + .checkNWFilterBinding =3D virAccessDriverNopCheckNWFilterBinding, .checkSecret =3D virAccessDriverNopCheckSecret, .checkStoragePool =3D virAccessDriverNopCheckStoragePool, .checkStorageVol =3D virAccessDriverNopCheckStorageVol, diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdrive= rpolkit.c index 48a83f66d7..6954d74a15 100644 --- a/src/access/viraccessdriverpolkit.c +++ b/src/access/viraccessdriverpolkit.c @@ -276,6 +276,26 @@ virAccessDriverPolkitCheckNWFilter(virAccessManagerPtr= manager, attrs); } =20 +static int +virAccessDriverPolkitCheckNWFilterBinding(virAccessManagerPtr manager, + const char *driverName, + virNWFilterBindingDefPtr binding, + virAccessPermNWFilterBinding per= m) +{ + const char *attrs[] =3D { + "connect_driver", driverName, + "nwfilter_binding_portdev", binding->portdevname, + "nwfilter_binding_linkdev", binding->linkdevname, + "nwfilter_binding_filter", binding->filter, + NULL, + }; + + return virAccessDriverPolkitCheck(manager, + "nwfilter_binding", + virAccessPermNWFilterBindingTypeToSt= ring(perm), + attrs); +} + static int virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager, const char *driverName, @@ -409,6 +429,7 @@ virAccessDriver accessDriverPolkit =3D { .checkNetwork =3D virAccessDriverPolkitCheckNetwork, .checkNodeDevice =3D virAccessDriverPolkitCheckNodeDevice, .checkNWFilter =3D virAccessDriverPolkitCheckNWFilter, + .checkNWFilterBinding =3D virAccessDriverPolkitCheckNWFilterBinding, .checkSecret =3D virAccessDriverPolkitCheckSecret, .checkStoragePool =3D virAccessDriverPolkitCheckStoragePool, .checkStorageVol =3D virAccessDriverPolkitCheckStorageVol, diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriver= stack.c index b43a743027..0ffc6abaf3 100644 
--- a/src/access/viraccessdriverstack.c +++ b/src/access/viraccessdriverstack.c @@ -197,6 +197,29 @@ virAccessDriverStackCheckNWFilter(virAccessManagerPtr = manager, return ret; } =20 +static int +virAccessDriverStackCheckNWFilterBinding(virAccessManagerPtr manager, + const char *driverName, + virNWFilterBindingDefPtr binding, + virAccessPermNWFilterBinding perm) +{ + virAccessDriverStackPrivatePtr priv =3D virAccessManagerGetPrivateData= (manager); + int ret =3D 1; + size_t i; + + for (i =3D 0; i < priv->managersLen; i++) { + int rv; + /* We do not short-circuit on first denial - always check all driv= ers */ + rv =3D virAccessManagerCheckNWFilterBinding(priv->managers[i], dri= verName, binding, perm); + if (rv =3D=3D 0 && ret !=3D -1) + ret =3D 0; + else if (rv < 0) + ret =3D -1; + } + + return ret; +} + static int virAccessDriverStackCheckSecret(virAccessManagerPtr manager, const char *driverName, @@ -277,6 +300,7 @@ virAccessDriver accessDriverStack =3D { .checkNetwork =3D virAccessDriverStackCheckNetwork, .checkNodeDevice =3D virAccessDriverStackCheckNodeDevice, .checkNWFilter =3D virAccessDriverStackCheckNWFilter, + .checkNWFilterBinding =3D virAccessDriverStackCheckNWFilterBinding, .checkSecret =3D virAccessDriverStackCheckSecret, .checkStoragePool =3D virAccessDriverStackCheckStoragePool, .checkStorageVol =3D virAccessDriverStackCheckStorageVol, diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c index b048a367e3..e7b5bf38da 100644 --- a/src/access/viraccessmanager.c +++ b/src/access/viraccessmanager.c 
@@ -296,6 +296,21 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr = manager, return virAccessManagerSanitizeError(ret); } =20 +int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager, + const char *driverName, + virNWFilterBindingDefPtr binding, + virAccessPermNWFilterBinding perm) +{ + int ret =3D 0; + VIR_DEBUG("manager=3D%p(name=3D%s) driver=3D%s binding=3D%p perm=3D%d", + manager, manager->drv->name, driverName, binding, perm); + + if (manager->drv->checkNWFilterBinding) + ret =3D manager->drv->checkNWFilterBinding(manager, driverName, bi= nding, perm); + + return virAccessManagerSanitizeError(ret); +} + int virAccessManagerCheckSecret(virAccessManagerPtr manager, const char *driverName, virSecretDefPtr secret, diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h index e7eb15d30c..4fc86a1ff2 100644 --- a/src/access/viraccessmanager.h +++ b/src/access/viraccessmanager.h @@ -29,6 +29,7 @@ # include "conf/storage_conf.h" # include "conf/secret_conf.h" # include "conf/interface_conf.h" +# include "conf/virnwfilterbindingdef.h" # include "access/viraccessperm.h" =20 typedef struct _virAccessManager virAccessManager; @@ -73,6 +74,10 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr ma= nager, const char *driverName, virNWFilterDefPtr nwfilter, virAccessPermNWFilter perm); +int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager, + const char *driverName, + virNWFilterBindingDefPtr binding, + virAccessPermNWFilterBinding perm= ); int virAccessManagerCheckSecret(virAccessManagerPtr manager, const char *driverName, virSecretDefPtr secret, diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c index 0f58290173..d7cbb70b7b 100644 --- a/src/access/viraccessperm.c +++ b/src/access/viraccessperm.c 
@@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect, "search_domains", "search_networks", "search_storage_pools", "search_node_devices", "search_interfaces", "search_secrets", - "search_nwfilters", + "search_nwfilters", "search_nwfilter_bindings", "detect_storage_pools", "pm_control", "interface_transaction"); =20 @@ -66,6 +66,11 @@ VIR_ENUM_IMPL(virAccessPermNWFilter, "getattr", "read", "write", "save", "delete"); =20 +VIR_ENUM_IMPL(virAccessPermNWFilterBinding, + VIR_ACCESS_PERM_NWFILTER_BINDING_LAST, + "getattr", "read", + "create", "delete"); + VIR_ENUM_IMPL(virAccessPermSecret, VIR_ACCESS_PERM_SECRET_LAST, "getattr", "read", "write", diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h index 1817da73bc..0ea1f7a489 100644 --- a/src/access/viraccessperm.h +++ b/src/access/viraccessperm.h @@ -94,6 +94,13 @@ typedef enum { */ VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTERS, =20 + /** + * @desc: List network filter bindings + * @message: Listing network filter bindings requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTER_BINDINGS, + =20 /** * @desc: Detect storage pools 
@@ -486,6 +493,37 @@ typedef enum { VIR_ACCESS_PERM_NWFILTER_LAST } virAccessPermNWFilter; =20 +typedef enum { + + /** + * @desc: Access network filter + * @message: Accessing network filter requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_NWFILTER_BINDING_GETATTR, + + /** + * @desc: Read network filter binding + * @message: Reading network filter configuration requires authorizati= on + * @anonymous: 1 + */ + VIR_ACCESS_PERM_NWFILTER_BINDING_READ, + + /** + * @desc: Create network filter binding + * @message: Creating network filter binding requires authorization + */ + VIR_ACCESS_PERM_NWFILTER_BINDING_CREATE, + + /** + * @desc: Delete network filter binding + * @message: Deleting network filter binding requires authorization + */ + VIR_ACCESS_PERM_NWFILTER_BINDING_DELETE, + + VIR_ACCESS_PERM_NWFILTER_BINDING_LAST +} virAccessPermNWFilterBinding; + typedef enum { =20 /** @@ -657,6 +695,7 @@ VIR_ENUM_DECL(virAccessPermInterface); VIR_ENUM_DECL(virAccessPermNetwork); VIR_ENUM_DECL(virAccessPermNodeDevice); VIR_ENUM_DECL(virAccessPermNWFilter); +VIR_ENUM_DECL(virAccessPermNWFilterBinding); VIR_ENUM_DECL(virAccessPermSecret); VIR_ENUM_DECL(virAccessPermStoragePool); VIR_ENUM_DECL(virAccessPermStorageVol); diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl index b8b83b6b40..480ebe7b00 100755 --- a/src/rpc/gendispatch.pl +++ b/src/rpc/gendispatch.pl @@ -2033,7 +2033,8 @@ elsif ($mode eq "client") { "storage_conf.h", "nwfilter_conf.h", "node_device_conf.h", - "interface_conf.h" + "interface_conf.h", + "virnwfilterbindingdef.h", ); foreach my $hdr (@headers) { print "#include \"$hdr\"\n"; --=20 2.17.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
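Review bot: In the viraccessdriverpolkit.c hunk, attrs[] is a NULL-terminated key/value list and the pair "nwfilter_binding_linkdev", binding->linkdevname is placed before "nwfilter_binding_filter", binding->filter; if a binding can be created without a link device (linkdevname == NULL), a consumer walking attrs[] to the terminating NULL stops at that value, so the filter name never reaches polkit and a rule keyed on nwfilter_binding_filter silently does not match. Either move the optional attribute to the end of the array or only pass attributes that are guaranteed non-NULL (connect_driver, nwfilter_binding_portdev, nwfilter_binding_filter), and state in a comment which fields of virNWFilterBindingDef are optional.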
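Review bot: In the viraccessperm.h hunk, the annotations on VIR_ACCESS_PERM_NWFILTER_BINDING_GETATTR still read "@desc: Access network filter" and "@message: Accessing network filter requires authorization", and VIR_ACCESS_PERM_NWFILTER_BINDING_READ says "@message: Reading network filter configuration requires authorization"; these look copied from the virAccessPermNWFilter block and should name the binding ("Access network filter binding", "Reading network filter binding requires authorization"), matching the CREATE and DELETE entries directly below. The @desc and @message strings are what the generated polkit policy and ACL documentation present to administrators, so a wrong object name there makes the nwfilter and nwfilter_binding actions indistinguishable in the policy text.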