Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy@xxxxxxxxxxxxx> --- src/access/viraccessdriver.h | 12 ++++ src/access/viraccessdrivernop.c | 19 ++++++ src/access/viraccessdriverpolkit.c | 47 ++++++++++++++ src/access/viraccessdriverstack.c | 49 +++++++++++++++ src/access/viraccessmanager.c | 31 ++++++++++ src/access/viraccessmanager.h | 11 ++++ src/access/viraccessperm.c | 15 ++++- src/access/viraccessperm.h | 124 +++++++++++++++++++++++++++++++++++++ src/libvirt_private.syms | 6 ++ 9 files changed, 313 insertions(+), 1 deletion(-) diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h index e3050b6..e0d505e 100644 --- a/src/access/viraccessdriver.h +++ b/src/access/viraccessdriver.h @@ -61,6 +61,16 @@ typedef int (*virAccessDriverCheckStorageVolDrv)(virAccessManagerPtr manager, virStorageVolDefPtr vol, virAccessPermStorageVol av); +typedef int (*virAccessDriverCheckFsPoolDrv)(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool av); +typedef int (*virAccessDriverCheckFsItemDrv)(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem av); + typedef int (*virAccessDriverSetupDrv)(virAccessManagerPtr manager); typedef void (*virAccessDriverCleanupDrv)(virAccessManagerPtr manager); @@ -83,6 +93,8 @@ struct _virAccessDriver { virAccessDriverCheckSecretDrv checkSecret; virAccessDriverCheckStoragePoolDrv checkStoragePool; virAccessDriverCheckStorageVolDrv checkStorageVol; + virAccessDriverCheckFsPoolDrv checkFsPool; + virAccessDriverCheckFsItemDrv checkFsItem; }; diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c index 86ceef3..1ed8b35 100644 --- a/src/access/viraccessdrivernop.c +++ b/src/access/viraccessdrivernop.c @@ -103,7 +103,24 @@ virAccessDriverNopCheckStorageVol(virAccessManagerPtr manager ATTRIBUTE_UNUSED, return 1; /* Allow */ } +static int +virAccessDriverNopCheckFsPool(virAccessManagerPtr manager ATTRIBUTE_UNUSED, + const char *driverName ATTRIBUTE_UNUSED, + virFsPoolDefPtr fspool ATTRIBUTE_UNUSED, + virAccessPermFsPool perm ATTRIBUTE_UNUSED) +{ + return 1; /* Allow */ +} +static int +virAccessDriverNopCheckFsItem(virAccessManagerPtr manager ATTRIBUTE_UNUSED, + const char *driverName ATTRIBUTE_UNUSED, + virFsPoolDefPtr fspool ATTRIBUTE_UNUSED, + virFsItemDefPtr item ATTRIBUTE_UNUSED, + virAccessPermFsItem perm ATTRIBUTE_UNUSED) +{ + return 1; /* Allow */ +} virAccessDriver accessDriverNop = { .name = "none", .checkConnect = virAccessDriverNopCheckConnect, @@ -115,4 +132,6 @@ virAccessDriver accessDriverNop = { .checkSecret = virAccessDriverNopCheckSecret, .checkStoragePool = virAccessDriverNopCheckStoragePool, .checkStorageVol = virAccessDriverNopCheckStorageVol, + .checkFsPool = virAccessDriverNopCheckFsPool, + .checkFsItem = virAccessDriverNopCheckFsItem, }; diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c index 89bc890..fae3f26 100644 --- a/src/access/viraccessdriverpolkit.c +++ b/src/access/viraccessdriverpolkit.c @@ -385,6 +385,50 @@ virAccessDriverPolkitCheckStorageVol(virAccessManagerPtr manager, virAccessPermStorageVolTypeToString(perm), attrs); } +static int +virAccessDriverPolkitCheckFsPool(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool perm) +{ + char uuidstr[VIR_UUID_STRING_BUFLEN]; + const char *attrs[] = { + "connect_driver", driverName, + "fspool_name", fspool->name, + "fspool_uuid", uuidstr, + NULL, + }; + virUUIDFormat(fspool->uuid, uuidstr); + + return virAccessDriverPolkitCheck(manager, + "fs-pool", + virAccessPermFsPoolTypeToString(perm), + attrs); +} + +static int +virAccessDriverPolkitCheckFsItem(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem perm) +{ + char uuidstr[VIR_UUID_STRING_BUFLEN]; + const char *attrs[] = { + "connect_driver", driverName, + "fspool_name", fspool->name, + "fspool_uuid", uuidstr, + "item_name", item->name, + "item_key", item->key, + NULL, + }; + virUUIDFormat(fspool->uuid, uuidstr); + + return virAccessDriverPolkitCheck(manager, + "fs-item", + virAccessPermStorageVolTypeToString(perm), + attrs); +} virAccessDriver accessDriverPolkit = { .privateDataLen = sizeof(virAccessDriverPolkitPrivate), @@ -399,4 +443,7 @@ virAccessDriver accessDriverPolkit = { .checkSecret = virAccessDriverPolkitCheckSecret, .checkStoragePool = virAccessDriverPolkitCheckStoragePool, .checkStorageVol = virAccessDriverPolkitCheckStorageVol, + .checkFsPool = virAccessDriverPolkitCheckFsPool, + .checkFsItem = virAccessDriverPolkitCheckFsItem, + }; diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c index b43a743..c78c321 100644 --- a/src/access/viraccessdriverstack.c +++ b/src/access/viraccessdriverstack.c @@ -267,6 +267,53 @@ virAccessDriverStackCheckStorageVol(virAccessManagerPtr manager, return ret; } +static int +virAccessDriverStackCheckFsPool(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool perm) +{ + virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager); + int ret = 1; + size_t i; + + for (i = 0; i < priv->managersLen; i++) { + int rv; + /* We do not short-circuit on first denial - always check all drivers */ + rv = virAccessManagerCheckFsPool(priv->managers[i], driverName, fspool, perm); + if (rv == 0 && ret != -1) + ret = 0; + else if (rv < 0) + ret = -1; + } + + return ret; +} + +static int +virAccessDriverStackCheckFsItem(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem perm) +{ + virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager); + int ret = 1; + size_t i; + + for (i = 0; i < priv->managersLen; i++) { + int rv; + /* We do not short-circuit on first denial - always check all drivers */ + rv = virAccessManagerCheckFsItem(priv->managers[i], driverName, fspool, item, perm); + if (rv == 0 && ret != -1) + ret = 0; + else if (rv < 0) + ret = -1; + } + + return ret; +} + virAccessDriver accessDriverStack = { .privateDataLen = sizeof(virAccessDriverStackPrivate), .name = "stack", @@ -280,4 +327,6 @@ virAccessDriver accessDriverStack = { .checkSecret = virAccessDriverStackCheckSecret, .checkStoragePool = virAccessDriverStackCheckStoragePool, .checkStorageVol = virAccessDriverStackCheckStorageVol, + .checkFsPool = virAccessDriverStackCheckFsPool, + .checkFsItem = virAccessDriverStackCheckFsItem, }; diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c index bcf552b..6882c03 100644 --- a/src/access/viraccessmanager.c +++ b/src/access/viraccessmanager.c @@ -344,3 +344,34 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager, return virAccessManagerSanitizeError(ret); } + +int virAccessManagerCheckFsPool(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool perm) +{ + int ret = 0; + VIR_DEBUG("manager=%p(name=%s) driver=%s pool=%p perm=%d", + manager, manager->drv->name, driverName, fspool, perm); + + if (manager->drv->checkFsPool) + ret = manager->drv->checkFsPool(manager, driverName, fspool, perm); + + return virAccessManagerSanitizeError(ret); +} + +int virAccessManagerCheckFsItem(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem perm) +{ + int ret = 0; + VIR_DEBUG("manager=%p(name=%s) driver=%s pool=%p vol=%p perm=%d", + manager, manager->drv->name, driverName, fspool, item, perm); + + if (manager->drv->checkFsItem) + ret = manager->drv->checkFsItem(manager, driverName, fspool, item, perm); + + return virAccessManagerSanitizeError(ret); +} diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h index e7eb15d..69cddb5 100644 --- a/src/access/viraccessmanager.h +++ b/src/access/viraccessmanager.h @@ -27,6 +27,7 @@ # include "conf/nwfilter_conf.h" # include "conf/node_device_conf.h" # include "conf/storage_conf.h" +# include "conf/fs_conf.h" # include "conf/secret_conf.h" # include "conf/interface_conf.h" # include "access/viraccessperm.h" @@ -86,6 +87,16 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager, virStoragePoolDefPtr pool, virStorageVolDefPtr vol, virAccessPermStorageVol perm); +int virAccessManagerCheckFsPool(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virAccessPermFsPool perm); +int virAccessManagerCheckFsItem(virAccessManagerPtr manager, + const char *driverName, + virFsPoolDefPtr fspool, + virFsItemDefPtr item, + virAccessPermFsItem perm); + #endif /* __VIR_ACCESS_MANAGER_H__ */ diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c index 0f58290..5ac7162 100644 --- a/src/access/viraccessperm.c +++ b/src/access/viraccessperm.c @@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect, "search_domains", "search_networks", "search_storage_pools", "search_node_devices", "search_interfaces", "search_secrets", - "search_nwfilters", + "search_nwfilters", "search_fs_pools", "detect_storage_pools", "pm_control", "interface_transaction"); @@ -83,3 +83,16 @@ VIR_ENUM_IMPL(virAccessPermStorageVol, "getattr", "read", "create", "delete", "format", "resize", "data_read", "data_write"); + +VIR_ENUM_IMPL(virAccessPermFsPool, + VIR_ACCESS_PERM_FS_POOL_LAST, + "getattr", "read", "write", + "save", "delete", "start", "stop", + "refresh", "search_items", + "format"); + +VIR_ENUM_IMPL(virAccessPermFsItem, + VIR_ACCESS_PERM_FS_ITEM_LAST, + "getattr", "read", "create", "delete", + "format", "data_read", + "data_write"); diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h index 1817da7..7a29de5 100644 --- a/src/access/viraccessperm.h +++ b/src/access/viraccessperm.h @@ -67,6 +67,12 @@ typedef enum { VIR_ACCESS_PERM_CONNECT_SEARCH_STORAGE_POOLS, /** + * @desc: List fs pools + * @message: Listing fs pools requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_CONNECT_SEARCH_FS_POOLS, + /** * @desc: List node devices * @message: Listing node devices requires authorization * @anonymous: 1 @@ -651,6 +657,122 @@ typedef enum { VIR_ACCESS_PERM_STORAGE_VOL_LAST } virAccessPermStorageVol; +typedef enum { + + /** + * @desc: Access fs pool + * @message: Accessing fs pool requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_FS_POOL_GETATTR, + + /** + * @desc: Read fs pool + * @message: Reading fs pool configuration requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_FS_POOL_READ, + + /** + * @desc: Write fs pool + * @message: Writing fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_WRITE, + + /** + * @desc: Save fs pool + * @message: Saving fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_SAVE, + + /** + * @desc: Delete fs pool + * @message: Deleting fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_DELETE, + + /** + * @desc: Start fs pool + * @message: Starting fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_START, + + /** + * @desc: Stop fs pool + * @message: Stopping fs pool configuration requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_STOP, + + /** + * @desc: Refresh fs pool + * @message: Refreshing fs pool items requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_REFRESH, + + /** + * @desc: List fs pool items + * @message: Listing fs pool items requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_SEARCH_ITEMS, + + /** + * @desc: Format fs pool + * @message: Formatting fs pool data requires authorization + */ + VIR_ACCESS_PERM_FS_POOL_FORMAT, + + VIR_ACCESS_PERM_FS_POOL_LAST +} virAccessPermFsPool; + +typedef enum { + + /** + * @desc: Access fs item + * @message: Acceessing fs item requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_FS_ITEM_GETATTR, + + /** + * @desc: Read fs item + * @message: Reading fs item configuration requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_FS_ITEM_READ, + + /** + * @desc: Create fs item + * @message: Creating fs item requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_CREATE, + + /** + * @desc: Delete fs item + * @message: Deleting fs item requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_DELETE, + + /** + * @desc: Format fs item + * @message: Formatting fs item data requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_FORMAT, + + /** + * @desc: Read fs item data + * @message: Reading fs item data requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_DATA_READ, + + /** + * @desc: Write fs item data + * @message: Writing fs item data requires authorization + */ + VIR_ACCESS_PERM_FS_ITEM_DATA_WRITE, + + VIR_ACCESS_PERM_FS_ITEM_LAST +} virAccessPermFsItem; + VIR_ENUM_DECL(virAccessPermConnect); VIR_ENUM_DECL(virAccessPermDomain); VIR_ENUM_DECL(virAccessPermInterface); @@ -660,5 +782,7 @@ VIR_ENUM_DECL(virAccessPermNWFilter); VIR_ENUM_DECL(virAccessPermSecret); VIR_ENUM_DECL(virAccessPermStoragePool); VIR_ENUM_DECL(virAccessPermStorageVol); +VIR_ENUM_DECL(virAccessPermFsPool); +VIR_ENUM_DECL(virAccessPermFsItem); #endif /* __VIR_ACCESS_PERM_H__ */ diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms index 026543c..68150d6 100644 --- a/src/libvirt_private.syms +++ b/src/libvirt_private.syms @@ -8,6 +8,8 @@ # access/viraccessmanager.h virAccessManagerCheckConnect; virAccessManagerCheckDomain; +virAccessManagerCheckFsItem; +virAccessManagerCheckFsPool; virAccessManagerCheckInterface; virAccessManagerCheckNetwork; virAccessManagerCheckNodeDevice; @@ -26,6 +28,10 @@ virAccessPermConnectTypeFromString; virAccessPermConnectTypeToString; virAccessPermDomainTypeFromString; virAccessPermDomainTypeToString; +virAccessPermFsItemTypeFromString; +virAccessPermFsItemTypeToString; +virAccessPermFsPoolTypeFromString; +virAccessPermFsPoolTypeToString; virAccessPermInterfaceTypeFromString; virAccessPermInterfaceTypeToString; virAccessPermNetworkTypeFromString; -- 1.8.3.1 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list