[PATCH v3 43/48] api: introduce virConnectSetIdentity for pasing uid, gid, selinux info

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



When using the fine grained access control mechanism for APIs, when a
client connects to libvirtd, it will fetch the uid, gid, selinux
info of the remote client on the UNIX domain socket. This is then used
as the identity when checking ACLs.

With the new split daemons things are a bit more complicated. The user
can connect to virtproxyd, which in turn connects to virtqemud. When
virtqemud requests the identity over the UNIX domain socket, it will
get the identity that the virtproxyd is running as, not the identity of
the real end user/application.

virproxyd knows what the real identity is, and needs to be able to
forward this information to virtqemud. The virConnectSetIdentity API
provides a mechanism for doing this. Obviously virtqemud should not
accept such identity overrides from any client, it must only honour it
from a trusted client, aka one running as the same uid/gid as itself.

The typed parameters exposed in the API are the same as those currently
supported by the internal virIdentity class.

Signed-off-by: Daniel P. Berrangé <berrange@xxxxxxxxxx>
---
 include/libvirt/libvirt-host.h | 75 ++++++++++++++++++++++++++++++++++
 src/driver-hypervisor.h        |  7 ++++
 src/libvirt-host.c             | 51 +++++++++++++++++++++++
 src/libvirt_public.syms        |  1 +
 4 files changed, 134 insertions(+)

diff --git a/include/libvirt/libvirt-host.h b/include/libvirt/libvirt-host.h
index 7debb5f829..8ea3531750 100644
--- a/include/libvirt/libvirt-host.h
+++ b/include/libvirt/libvirt-host.h
@@ -579,6 +579,81 @@ virConnectPtr           virConnectOpenAuth      (const char *name,
                                                  unsigned int flags);
 int                     virConnectRef           (virConnectPtr conn);
 int                     virConnectClose         (virConnectPtr conn);
+
+/**
+ * VIR_CONNECT_IDENTITY_OS_USER_NAME:
+ *
+ * The operating system user name as VIR_TYPED_PARAM_STRING
+ */
+# define VIR_CONNECT_IDENTITY_OS_USER_NAME "os-user-name"
+
+/**
+ * VIR_CONNECT_IDENTITY_OS_USER_ID:
+ *
+ * The operating system user ID as VIR_TYPED_PARAM_ULLONG
+ */
+# define VIR_CONNECT_IDENTITY_OS_USER_ID "os-user-id"
+
+/**
+ * VIR_CONNECT_IDENTITY_OS_GROUP_NAME:
+ *
+ * The operating system user ID as VIR_TYPED_PARAM_STRING
+ */
+# define VIR_CONNECT_IDENTITY_OS_GROUP_NAME "os-group-name"
+
+/**
+ * VIR_CONNECT_IDENTITY_OS_GROUP_ID:
+ *
+ * The operating system user ID as VIR_TYPED_PARAM_ULLONG
+ */
+# define VIR_CONNECT_IDENTITY_OS_GROUP_ID "os-group-id"
+
+/**
+ * VIR_CONNECT_IDENTITY_OS_PROCESS_ID:
+ *
+ * The operating system user ID as VIR_TYPED_PARAM_LLONG
+ */
+# define VIR_CONNECT_IDENTITY_OS_PROCESS_ID "os-process-id"
+
+/**
+ * VIR_CONNECT_IDENTITY_OS_PROCESS_TIME:
+ *
+ * The operating system process start time as VIR_TYPED_PARAM_ULLONG
+ *
+ * The units the time is measured in vary according to the
+ * host operating system. On Linux this is usually clock
+ * ticks (as reported in /proc/$PID/stat field 22).
+ */
+# define VIR_CONNECT_IDENTITY_OS_PROCESS_TIME "os-process-time"
+
+/**
+ * VIR_CONNECT_IDENTITY_SASL_USER_NAME:
+ *
+ * The SASL authenticated username as VIR_TYPED_PARAM_STRING
+ */
+# define VIR_CONNECT_IDENTITY_SASL_USER_NAME "sasl-user-name"
+
+/**
+ * VIR_CONNECT_IDENTITY_X509_DISTINGUISHED_NAME:
+ *
+ * The TLS x509 certificate distinguished named as VIR_TYPED_PARAM_STRING
+ */
+# define VIR_CONNECT_IDENTITY_X509_DISTINGUISHED_NAME "x509-distinguished-name"
+
+/**
+ * VIR_CONNECT_IDENTITY_SELINUX_CONTEXT:
+ *
+ * The application's SELinux context as VIR_TYPED_PARAM_STRING
+ *
+ */
+# define VIR_CONNECT_IDENTITY_SELINUX_CONTEXT "selinux-context"
+
+
+int                     virConnectSetIdentity   (virConnectPtr conn,
+                                                 virTypedParameterPtr params,
+                                                 int nparams,
+                                                 unsigned int flags);
+
 const char *            virConnectGetType       (virConnectPtr conn);
 int                     virConnectGetVersion    (virConnectPtr conn,
                                                  unsigned long *hvVer);
diff --git a/src/driver-hypervisor.h b/src/driver-hypervisor.h
index c1632ae4c6..f1bc355b65 100644
--- a/src/driver-hypervisor.h
+++ b/src/driver-hypervisor.h
@@ -36,6 +36,12 @@ typedef virDrvOpenStatus
 typedef int
 (*virDrvConnectClose)(virConnectPtr conn);
 
+typedef int
+(*virDrvConnectSetIdentity)(virConnectPtr conn,
+                            virTypedParameterPtr params,
+                            int nparams,
+                            unsigned int flags);
+
 typedef int
 (*virDrvConnectSupportsFeature)(virConnectPtr conn,
                                 int feature);
@@ -1378,6 +1384,7 @@ struct _virHypervisorDriver {
     virDrvConnectURIProbe connectURIProbe;
     virDrvConnectOpen connectOpen;
     virDrvConnectClose connectClose;
+    virDrvConnectSetIdentity connectSetIdentity;
     virDrvConnectSupportsFeature connectSupportsFeature;
     virDrvConnectGetType connectGetType;
     virDrvConnectGetVersion connectGetVersion;
diff --git a/src/libvirt-host.c b/src/libvirt-host.c
index e5c4e5f72a..d7b1b82277 100644
--- a/src/libvirt-host.c
+++ b/src/libvirt-host.c
@@ -61,6 +61,57 @@ virConnectRef(virConnectPtr conn)
 }
 
 
+/**
+ * virConnectSetIdentity:
+ * @conn: pointer to the hypervisor connection
+ * @params: parameters containing the identity attributes
+ * @nparams: size of @params array
+ * @flags: currently unused, pass 0
+ *
+ * Override the default identity information associated with
+ * the connection. When connecting to a stateful driver over
+ * a UNIX socket, the daemon will interrogate the remote end
+ * of the UNIX socket to acquire the application's identity.
+ * This identity is used for the fine grained access control
+ * checks on API calls.
+ *
+ * There may be times when application is operating on behalf
+ * of a variety of users, and thus the identity that the
+ * application runs as is not appropriate for access control
+ * checks. In this case, if the application is considered
+ * trustworthy, it can supply alternative identity information.
+ *
+ * The driver may reject the request to change the identity
+ * on a connection if the application is not trustworthy.
+ *
+ * Returns: 0 if the identity change was accepted, -1 on error
+ */
+int
+virConnectSetIdentity(virConnectPtr conn,
+                      virTypedParameterPtr params,
+                      int nparams,
+                      unsigned int flags)
+{
+    VIR_DEBUG("conn=%p params=%p nparams=%d flags=0x%x", conn, params, nparams, flags);
+    VIR_TYPED_PARAMS_DEBUG(params, nparams);
+
+    virResetLastError();
+
+    if (conn->driver->connectSetIdentity) {
+        int ret = conn->driver->connectSetIdentity(conn, params, nparams, flags);
+        if (ret < 0)
+            goto error;
+        return ret;
+    }
+
+    virReportUnsupportedError();
+
+ error:
+    virDispatchError(conn);
+    return -1;
+}
+
+
 /*
  * Not for public use.  This function is part of the internal
  * implementation of driver features in the remote case.
diff --git a/src/libvirt_public.syms b/src/libvirt_public.syms
index 54256b6317..580b14b6a0 100644
--- a/src/libvirt_public.syms
+++ b/src/libvirt_public.syms
@@ -838,6 +838,7 @@ LIBVIRT_5.5.0 {
 
 LIBVIRT_5.6.0 {
     global:
+        virConnectSetIdentity;
         virDomainCheckpointCreateXML;
         virDomainCheckpointDelete;
         virDomainCheckpointFree;
-- 
2.21.0

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]

  Powered by Linux