Re: [PATCH v5 15/24] access: add permissions for network port objects


 



On 5/14/19 11:48 AM, Daniel P. Berrangé wrote:
Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
  src/access/genpolkit.pl            |  2 +-
  src/access/viraccessdriver.h       |  6 ++++
  src/access/viraccessdrivernop.c    | 11 ++++++++
  src/access/viraccessdriverpolkit.c | 26 ++++++++++++++++++
  src/access/viraccessdriverstack.c  | 25 +++++++++++++++++
  src/access/viraccessmanager.c      | 16 +++++++++++
  src/access/viraccessmanager.h      |  6 ++++
  src/access/viraccessperm.c         |  6 ++++
  src/access/viraccessperm.h         | 44 ++++++++++++++++++++++++++++++
  9 files changed, 141 insertions(+), 1 deletion(-)

diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl
index e074c90eb6..f8f20caf65 100755
--- a/src/access/genpolkit.pl
+++ b/src/access/genpolkit.pl
@@ -21,7 +21,7 @@ use strict;
  use warnings;
my @objects = (
-    "CONNECT", "DOMAIN", "INTERFACE",
+    "CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT",
      "NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER",
      "SECRET", "STORAGE_POOL", "STORAGE_VOL",
      );
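Review bot: The ordering constraint on `@objects` is undocumented: `"NETWORK_PORT"` is placed ahead of `"NETWORK"`, mirroring the existing `"NWFILTER_BINDING"`-before-`"NWFILTER"` order, but nothing in the hunk says why. If the script matches permission names against this list in order (that code is not visible here), the longer name has to come first, otherwise port permissions would be attributed to the NETWORK object and the generated polkit action names would not match what the access driver asks for. A comment above the list such as `# Longer names must precede their prefixes, e.g. NETWORK_PORT before NETWORK` would stop a later alphabetical tidy-up from silently changing the policy file.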
diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
index 2cc3950f60..590d86fdf0 100644
--- a/src/access/viraccessdriver.h
+++ b/src/access/viraccessdriver.h
@@ -39,6 +39,11 @@ typedef int (*virAccessDriverCheckNetworkDrv)(virAccessManagerPtr manager,
                                                const char *driverName,
                                                virNetworkDefPtr network,
                                                virAccessPermNetwork av);
+typedef int (*virAccessDriverCheckNetworkPortDrv)(virAccessManagerPtr manager,
+                                                  const char *driverName,
+                                                  virNetworkDefPtr network,
+                                                  virNetworkPortDefPtr port,
+                                                  virAccessPermNetworkPort av);
  typedef int (*virAccessDriverCheckNodeDeviceDrv)(virAccessManagerPtr manager,
                                                   const char *driverName,
                                                   virNodeDeviceDefPtr nodedev,
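Review bot: The new `virAccessDriverCheckNetworkPortDrv` type carries no statement of its contract, in particular whether `network` and `port` may be NULL. The polkit implementation later in this patch reads `network->name`, `network->uuid` and `port->uuid` with no check, so every caller has to pass both objects fully populated. A comment above the typedef such as `/* network and port must both be non-NULL; return value follows the other check callbacks */` would make that requirement visible at the interface rather than only in one driver.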
@@ -82,6 +87,7 @@ struct _virAccessDriver {
      virAccessDriverCheckDomainDrv checkDomain;
      virAccessDriverCheckInterfaceDrv checkInterface;
      virAccessDriverCheckNetworkDrv checkNetwork;
+    virAccessDriverCheckNetworkPortDrv checkNetworkPort;
      virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
      virAccessDriverCheckNWFilterDrv checkNWFilter;
      virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
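Review bot: Nothing at the new `checkNetworkPort` member says what a NULL entry means, and a driver table that omits it gets NULL from its designated initializer. The nop table in this patch sets it, but the dispatch code in viraccessmanager.c is not visible here, so it is worth confirming that a missing callback results in a denial rather than the check being skipped. A member comment such as `/* required; callers must treat a NULL entry as deny */` would record the intent. The struct body starts and ends outside this hunk.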
diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
index 98ef9206c5..5e9d9db759 100644
--- a/src/access/viraccessdrivernop.c
+++ b/src/access/viraccessdrivernop.c
@@ -57,6 +57,16 @@ virAccessDriverNopCheckNetwork(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
      return 1; /* Allow */
  }
+static int
+virAccessDriverNopCheckNetworkPort(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+                                   const char *driverName ATTRIBUTE_UNUSED,
+                                   virNetworkDefPtr network ATTRIBUTE_UNUSED,
+                                   virNetworkPortDefPtr port ATTRIBUTE_UNUSED,
+                                   virAccessPermNetworkPort perm ATTRIBUTE_UNUSED)
+{
+    return 1; /* Allow */
+}
+
  static int
  virAccessDriverNopCheckNodeDevice(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
                                    const char *driverName ATTRIBUTE_UNUSED,
@@ -119,6 +129,7 @@ virAccessDriver accessDriverNop = {
      .checkDomain = virAccessDriverNopCheckDomain,
      .checkInterface = virAccessDriverNopCheckInterface,
      .checkNetwork = virAccessDriverNopCheckNetwork,
+    .checkNetworkPort = virAccessDriverNopCheckNetworkPort,
      .checkNodeDevice = virAccessDriverNopCheckNodeDevice,
      .checkNWFilter = virAccessDriverNopCheckNWFilter,
      .checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 6954d74a15..b1473cd0a4 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -237,6 +237,31 @@ virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
                                        attrs);
  }
+static int
+virAccessDriverPolkitCheckNetworkPort(virAccessManagerPtr manager,
+                                      const char *driverName,
+                                      virNetworkDefPtr network,
+                                      virNetworkPortDefPtr port,
+                                      virAccessPermNetworkPort perm)
+{
+    char uuidstr1[VIR_UUID_STRING_BUFLEN];
+    char uuidstr2[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect_driver", driverName,
+        "network_name", network->name,
+        "network_uuid", uuidstr1,
+        "port_uuid", uuidstr2,
+        NULL,
+    };
+    virUUIDFormat(network->uuid, uuidstr1);
+    virUUIDFormat(port->uuid, uuidstr2);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "network-port",


Bah. Most of the other calls to virAccessDriverPolkitCheck whose "typename" is two words separate them with a "-", but the one for nwfilter binding uses an underscore :-/ (I only noticed this because the names of the attributes to check always use underscores, and I've always been bothered by the mixing of - and _. Too bad they don't all use _; that would allow the same name to be used as a C identifier, and make searching easier.)


Anyway, pointless rant, sorry :-)


I can't claim to have deep knowledge of the access driver, but this addition follows the pattern of what's already there, so:


Reviewed-by: Laine Stump <laine@xxxxxxxxx>


--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list



