From: Olga Krishtal <okrishtal@xxxxxxxxxxxxx> Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@xxxxxxxxxxxxx> --- src/access/viraccessdriver.h | 12 ++++ src/access/viraccessdrivernop.c | 19 ++++++ src/access/viraccessdriverpolkit.c | 47 ++++++++++++++ src/access/viraccessdriverstack.c | 49 +++++++++++++++ src/access/viraccessmanager.c | 31 ++++++++++ src/access/viraccessmanager.h | 11 ++++ src/access/viraccessperm.c | 15 ++++- src/access/viraccessperm.h | 124 +++++++++++++++++++++++++++++++++++++ src/libvirt_private.syms | 6 ++ 9 files changed, 313 insertions(+), 1 deletion(-) diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h index e3050b6..e0d505e 100644 --- a/src/access/viraccessdriver.h +++ b/src/access/viraccessdriver.h @@ -61,6 +61,16 @@ typedef int (*virAccessDriverCheckStorageVolDrv)(virAccessManagerPtr manager, virStorageVolDefPtr vol, virAccessPermStorageVol av); +typedef int (*virAccessDriverCheckFsPoolDrv)(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool av); +typedef int (*virAccessDriverCheckFsItemDrv)(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem av); + typedef int (*virAccessDriverSetupDrv)(virAccessManagerPtr manager); typedef void (*virAccessDriverCleanupDrv)(virAccessManagerPtr manager); @@ -83,6 +93,8 @@ struct _virAccessDriver { virAccessDriverCheckSecretDrv checkSecret; virAccessDriverCheckStoragePoolDrv checkStoragePool; virAccessDriverCheckStorageVolDrv checkStorageVol; + virAccessDriverCheckFsPoolDrv checkFsPool; + virAccessDriverCheckFsItemDrv checkFsItem; }; diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c index 86ceef3..1ed8b35 100644 --- a/src/access/viraccessdrivernop.c +++ b/src/access/viraccessdrivernop.c 
@@ -103,7 +103,24 @@ virAccessDriverNopCheckStorageVol(virAccessManagerPtr manager ATTRIBUTE_UNUSED, return 1; /* Allow */ } +static int +virAccessDriverNopCheckFsPool(virAccessManagerPtr manager ATTRIBUTE_UNUSED, + const char *driverName ATTRIBUTE_UNUSED, + virFsPoolDefPtr fspool ATTRIBUTE_UNUSED, + virAccessPermFsPool perm ATTRIBUTE_UNUSED) +{ + return 1; /* Allow */ +} +static int +virAccessDriverNopCheckFsItem(virAccessManagerPtr manager ATTRIBUTE_UNUSED, + const char *driverName ATTRIBUTE_UNUSED, + virFsPoolDefPtr fspool ATTRIBUTE_UNUSED, + virFsItemDefPtr item ATTRIBUTE_UNUSED, + virAccessPermFsItem perm ATTRIBUTE_UNUSED) +{ + return 1; /* Allow */ +} virAccessDriver accessDriverNop = { .name = "none", .checkConnect = virAccessDriverNopCheckConnect, @@ -115,4 +132,6 @@ virAccessDriver accessDriverNop = { .checkSecret = virAccessDriverNopCheckSecret, .checkStoragePool = virAccessDriverNopCheckStoragePool, .checkStorageVol = virAccessDriverNopCheckStorageVol, + .checkFsPool = virAccessDriverNopCheckFsPool, + .checkFsItem = virAccessDriverNopCheckFsItem, }; diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c index 89bc890..fae3f26 100644 --- a/src/access/viraccessdriverpolkit.c +++ b/src/access/viraccessdriverpolkit.c 
@@ -385,6 +385,50 @@ virAccessDriverPolkitCheckStorageVol(virAccessManagerPtr manager, virAccessPermStorageVolTypeToString(perm), attrs); } +static int +virAccessDriverPolkitCheckFsPool(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool perm) +{ + char uuidstr[VIR_UUID_STRING_BUFLEN]; + const char *attrs[] = { + "connect_driver", driverName, + "fspool_name", fspool->name, + "fspool_uuid", uuidstr, + NULL, + }; + virUUIDFormat(fspool->uuid, uuidstr); + + return virAccessDriverPolkitCheck(manager, + "fs-pool", + virAccessPermFsPoolTypeToString(perm), + attrs); +} + +static int +virAccessDriverPolkitCheckFsItem(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem perm) +{ + char uuidstr[VIR_UUID_STRING_BUFLEN]; + const char *attrs[] = { + "connect_driver", driverName, + "fspool_name", fspool->name, + "fspool_uuid", uuidstr, + "item_name", item->name, + "item_key", item->key, + NULL, + }; + virUUIDFormat(fspool->uuid, uuidstr); + + return virAccessDriverPolkitCheck(manager, + "fs-item", + virAccessPermStorageVolTypeToString(perm), + attrs); +} virAccessDriver accessDriverPolkit = { .privateDataLen = sizeof(virAccessDriverPolkitPrivate), @@ -399,4 +443,7 @@ virAccessDriver accessDriverPolkit = { .checkSecret = virAccessDriverPolkitCheckSecret, .checkStoragePool = virAccessDriverPolkitCheckStoragePool, .checkStorageVol = virAccessDriverPolkitCheckStorageVol, + .checkFsPool = virAccessDriverPolkitCheckFsPool, + .checkFsItem = virAccessDriverPolkitCheckFsItem, + }; diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c index b43a743..c78c321 100644 --- a/src/access/viraccessdriverstack.c +++ b/src/access/viraccessdriverstack.c 
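Review bot: `virAccessDriverPolkitCheckFsItem` takes a `virAccessPermFsItem perm` but stringifies it with `virAccessPermStorageVolTypeToString(perm)`, so the polkit action name comes from the storage-volume table instead of the fs-item one. The two tables in viraccessperm.c agree only up to "format": the storage-volume list then has "resize", so an fs-item data_read check is submitted as "resize" and a data_write check as "data_read". A policy rule written for fs-item data_write would therefore never be evaluated, and a caller granted only data_read would pass the write check. The argument should be `virAccessPermFsItemTypeToString(perm),`. The second hunk on this line also leaves a stray blank line before the closing `};` of `accessDriverPolkit`.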
@@ -267,6 +267,53 @@ virAccessDriverStackCheckStorageVol(virAccessManagerPtr manager, return ret; } +static int +virAccessDriverStackCheckFsPool(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool perm) +{ + virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager); + int ret = 1; + size_t i; + + for (i = 0; i < priv->managersLen; i++) { + int rv; + /* We do not short-circuit on first denial - always check all drivers */ + rv = virAccessManagerCheckFsPool(priv->managers[i], driverName, fspool, perm); + if (rv == 0 && ret != -1) + ret = 0; + else if (rv < 0) + ret = -1; + } + + return ret; +} + +static int +virAccessDriverStackCheckFsItem(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem perm) +{ + virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager); + int ret = 1; + size_t i; + + for (i = 0; i < priv->managersLen; i++) { + int rv; + /* We do not short-circuit on first denial - always check all drivers */ + rv = virAccessManagerCheckFsItem(priv->managers[i], driverName, fspool, item, perm); + if (rv == 0 && ret != -1) + ret = 0; + else if (rv < 0) + ret = -1; + } + + return ret; +} + virAccessDriver accessDriverStack = { .privateDataLen = sizeof(virAccessDriverStackPrivate), .name = "stack", @@ -280,4 +327,6 @@ virAccessDriver accessDriverStack = { .checkSecret = virAccessDriverStackCheckSecret, .checkStoragePool = virAccessDriverStackCheckStoragePool, .checkStorageVol = virAccessDriverStackCheckStorageVol, + .checkFsPool = virAccessDriverStackCheckFsPool, + .checkFsItem = virAccessDriverStackCheckFsItem, }; diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c index bcf552b..6882c03 100644 --- a/src/access/viraccessmanager.c +++ b/src/access/viraccessmanager.c 
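Review bot: `virAccessDriverStackCheckFsPool` and `virAccessDriverStackCheckFsItem` both start from `ret = 1`, so when `priv->managersLen` is 0 the loop never runs and the call returns allow without consulting any driver. Whether an empty stack can be constructed is not visible in this hunk. If it can, the empty case should be rejected or the result initialised to deny. Otherwise the invariant and the return convention deserve a comment above each function, for example `/* Returns 1 = allow, 0 = deny, -1 = error (error wins over deny); relies on managersLen >= 1 */`.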
@@ -344,3 +344,34 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager, return virAccessManagerSanitizeError(ret); } + +int virAccessManagerCheckFsPool(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool perm) +{ + int ret = 0; + VIR_DEBUG("manager=%p(name=%s) driver=%s pool=%p perm=%d", + manager, manager->drv->name, driverName, fspool, perm); + + if (manager->drv->checkFsPool) + ret = manager->drv->checkFsPool(manager, driverName, fspool, perm); + + return virAccessManagerSanitizeError(ret); +} + +int virAccessManagerCheckFsItem(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem perm) +{ + int ret = 0; + VIR_DEBUG("manager=%p(name=%s) driver=%s pool=%p vol=%p perm=%d", + manager, manager->drv->name, driverName, fspool, item, perm); + + if (manager->drv->checkFsItem) + ret = manager->drv->checkFsItem(manager, driverName, fspool, item, perm); + + return virAccessManagerSanitizeError(ret); +} diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h index e7eb15d..69cddb5 100644 --- a/src/access/viraccessmanager.h +++ b/src/access/viraccessmanager.h @@ -27,6 +27,7 @@ # include "conf/nwfilter_conf.h" # include "conf/node_device_conf.h" # include "conf/storage_conf.h" +# include "conf/fs_conf.h" # include "conf/secret_conf.h" # include "conf/interface_conf.h" # include "access/viraccessperm.h" @@ -86,6 +87,16 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager, virStoragePoolDefPtr pool, virStorageVolDefPtr vol, virAccessPermStorageVol perm); +int virAccessManagerCheckFsPool(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool perm); +int virAccessManagerCheckFsItem(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem perm); + #endif /* __VIR_ACCESS_MANAGER_H__ */ 
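Review bot: The `VIR_DEBUG` call in `virAccessManagerCheckFsItem` labels the item pointer as `vol=%p`, which looks carried over from the storage-volume check and will mislead anyone reading access-control debug logs. The format string should be `"manager=%p(name=%s) driver=%s pool=%p item=%p perm=%d"`. The fallback itself is sound: `ret` starts at 0, so a driver that does not implement `checkFsPool` or `checkFsItem` yields a denial rather than an allow. A one-line comment such as `/* no callback => deny */` would make that fail-closed choice explicit.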
diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c index 0f58290..5ac7162 100644 --- a/src/access/viraccessperm.c +++ b/src/access/viraccessperm.c @@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect, "search_domains", "search_networks", "search_storage_pools", "search_node_devices", "search_interfaces", "search_secrets", - "search_nwfilters", + "search_nwfilters", "search_fs_pools", "detect_storage_pools", "pm_control", "interface_transaction"); @@ -83,3 +83,16 @@ VIR_ENUM_IMPL(virAccessPermStorageVol, "getattr", "read", "create", "delete", "format", "resize", "data_read", "data_write"); + +VIR_ENUM_IMPL(virAccessPermFsPool, + VIR_ACCESS_PERM_FS_POOL_LAST, + "getattr", "read", "write", + "save", "delete", "start", "stop", + "refresh", "search_items", + "format"); + +VIR_ENUM_IMPL(virAccessPermFsItem, + VIR_ACCESS_PERM_FS_ITEM_LAST, + "getattr", "read", "create", "delete", + "format", "data_read", + "data_write"); diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h index 1817da7..7a29de5 100644 --- a/src/access/viraccessperm.h +++ b/src/access/viraccessperm.h @@ -67,6 +67,12 @@ typedef enum { VIR_ACCESS_PERM_CONNECT_SEARCH_STORAGE_POOLS, /** + * @desc: List fs pools + * @message: Listing fs pools requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_CONNECT_SEARCH_FS_POOLS, + /** * @desc: List node devices * @message: Listing node devices requires authorization * @anonymous: 1 
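Review bot: `"search_fs_pools"` is added after `"search_nwfilters"` in the `virAccessPermConnect` string table, but the viraccessperm.h hunk (`@@ -67,6 +67,12 @@`) inserts `VIR_ACCESS_PERM_CONNECT_SEARCH_FS_POOLS` directly after `VIR_ACCESS_PERM_CONNECT_SEARCH_STORAGE_POOLS`. The table is indexed by enum value, so every entry from that point on resolves to its neighbour's name. Going by the order visible in the context lines, SEARCH_FS_POOLS would stringify as "search_node_devices", SEARCH_NODE_DEVICES as "search_interfaces", and SEARCH_NWFILTERS as "search_fs_pools", so existing connect permission checks would be sent under the wrong action name. Put the string in the matching slot, `"search_storage_pools", "search_fs_pools",`, or move the enum value to sit after the nwfilters entry. The full enum is not visible in the hunk, so confirm the final order on both sides matches entry for entry.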
@@ -651,6 +657,122 @@ typedef enum { VIR_ACCESS_PERM_STORAGE_VOL_LAST } virAccessPermStorageVol; +typedef enum { + + /** + * @desc: Access fs pool + * @message: Accessing fs pool requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_FS_POOL_GETATTR, + + /** + * @desc: Read fs pool + * @message: Reading fs pool configuration requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_FS_POOL_READ, + + /** + * @desc: Write fs pool + * @message: Writing fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_WRITE, + + /** + * @desc: Save fs pool + * @message: Saving fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_SAVE, + + /** + * @desc: Delete fs pool + * @message: Deleting fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_DELETE, + + /** + * @desc: Start fs pool + * @message: Starting fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_START, + + /** + * @desc: Stop fs pool + * @message: Stopping fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_STOP, + + /** + * @desc: Refresh fs pool + * @message: Refreshing fs pool items requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_REFRESH, + + /** + * @desc: List fs pool items + * @message: Listing fs pool items requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_SEARCH_ITEMS, + + /** + * @desc: Format fs pool + * @message: Formatting fs pool data requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_FORMAT, + + VIR_ACCESS_PERM_FS_POOL_LAST +} virAccessPermFsPool; + +typedef enum { + + /** + * @desc: Access fs item + * @message: Acceessing fs item requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_FS_ITEM_GETATTR, + + /** + * @desc: Read fs item + * @message: Reading fs item configuration requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_FS_ITEM_READ, + + /** + * @desc: Create fs item + * @message: Creating fs item requires authorization + */ + 
VIR_ACCESS_PERM_FS_ITEM_CREATE, + + /** + * @desc: Delete fs item + * @message: Deleting fs item requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_DELETE, + + /** + * @desc: Format fs item + * @message: Formatting fs item data requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_FORMAT, + + /** + * @desc: Read fs item data + * @message: Reading fs item data requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_DATA_READ, + + /** + * @desc: Write fs item data + * @message: Writing fs item data requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_DATA_WRITE, + + VIR_ACCESS_PERM_FS_ITEM_LAST +} virAccessPermFsItem; + VIR_ENUM_DECL(virAccessPermConnect); VIR_ENUM_DECL(virAccessPermDomain); VIR_ENUM_DECL(virAccessPermInterface); @@ -660,5 +782,7 @@ VIR_ENUM_DECL(virAccessPermNWFilter); VIR_ENUM_DECL(virAccessPermSecret); VIR_ENUM_DECL(virAccessPermStoragePool); VIR_ENUM_DECL(virAccessPermStorageVol); +VIR_ENUM_DECL(virAccessPermFsPool); +VIR_ENUM_DECL(virAccessPermFsItem); #endif /* __VIR_ACCESS_PERM_H__ */ diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 9c3fe6a..4b87c37 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -8,6 +8,8 @@ # access/viraccessmanager.h virAccessManagerCheckConnect; virAccessManagerCheckDomain; +virAccessManagerCheckFsItem; +virAccessManagerCheckFsPool; virAccessManagerCheckInterface; virAccessManagerCheckNetwork; virAccessManagerCheckNodeDevice; @@ -26,6 +28,10 @@ virAccessPermConnectTypeFromString; virAccessPermConnectTypeToString; virAccessPermDomainTypeFromString; virAccessPermDomainTypeToString; +virAccessPermFsItemTypeFromString; +virAccessPermFsItemTypeToString; +virAccessPermFsPoolTypeFromString; +virAccessPermFsPoolTypeToString; virAccessPermInterfaceTypeFromString; virAccessPermInterfaceTypeToString; virAccessPermNetworkTypeFromString; -- 1.8.3.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
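Review bot: Several `@message` annotations in the two new enums (hunk `@@ -651,6 +657,122 @@`) are wrong as written. `VIR_ACCESS_PERM_FS_ITEM_GETATTR` has the typo `Acceessing`, and `VIR_ACCESS_PERM_FS_POOL_START` / `VIR_ACCESS_PERM_FS_POOL_STOP` say "Starting/Stopping fs pool configuration", which looks copied from the save and delete entries. Suggested text: `@message: Accessing fs item requires authorization`, `@message: Starting fs pool requires authorization`, `@message: Stopping fs pool requires authorization`. GETATTR and READ on both object types also carry `@anonymous: 1`. If that annotation relaxes the check for unauthenticated clients, as its name suggests, confirm that exposing fs pool and fs item configuration to them is intended.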