Signed-off-by: Andrea Bolognani <abologna@xxxxxxxxxx>
---
 src/remote/remote_daemon.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/remote/remote_daemon.c b/src/remote/remote_daemon.c
index 59170373cb..fc5e543470 100644
--- a/src/remote/remote_daemon.c
+++ b/src/remote/remote_daemon.c
@@ -411,16 +411,29 @@ daemonSetupNetDevOpenvswitch(struct daemonConfig *config)
 static int
-daemonSetupAccessManager(struct daemonConfig *config)
+daemonSetupAccessManager(struct daemonConfig *config,
+ bool *granularPolkit)
 {
 virAccessManager *mgr;
 const char *none[] = { "none", NULL };
 const char **drv = (const char **)config->access_drivers;
+ const char **iter;
 if (!drv || !drv[0])
 drv = none;
+ /* We only declare support for granular Polkit access when Polkit
+ * is the only configured access driver, to avoid scenarios in
+ * which the Polkit policy would deny access to a certain action
+ * but another (possibly misconfigured) driver would allow it */
+ *granularPolkit = false;
+ iter = drv;
+ while (*iter) {
+ *granularPolkit = STREQ(*iter, "polkit");
+ iter++;
+ }
+
 if (!(mgr = virAccessManagerNewStack(drv)))
 return -1;
@@ -805,6 +818,7 @@ int main(int argc, char **argv) {
 bool implicit_conf = false;
 char *run_dir = NULL;
 mode_t old_umask;
+ bool granularPolkit = false;
 struct option opts[] = {
 { "verbose", no_argument, &verbose, 'v' },
@@ -946,7 +960,7 @@ int main(int argc, char **argv) {
 daemonSetupNetDevOpenvswitch(config);
- if (daemonSetupAccessManager(config) < 0) {
+ if (daemonSetupAccessManager(config, &granularPolkit) < 0) {
 VIR_ERROR(_("Can't initialize access manager"));
 exit(EXIT_FAILURE);
 }
@@ -1036,7 +1050,7 @@ int main(int argc, char **argv) {
 NULL,
 remoteClientFree,
 NULL,
- false))) {
+ granularPolkit))) {
 ret = VIR_DAEMON_ERR_INIT;
 goto cleanup;
 }
--
2.42.0
_______________________________________________
Devel mailing list -- devel@xxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxx
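Review bot: The `while (*iter)` loop added to daemonSetupAccessManager overwrites `*granularPolkit` on every iteration, so the flag ends up describing only the last entry of `drv`, not whether Polkit is the sole configured driver as the comment above it requires. If `access_drivers` lists another driver first and "polkit" last, the flag is still set to true, which is exactly the stacked-driver case the comment says must not advertise granular Polkit support. Because `drv[0]` is guaranteed non-NULL after the `none` fallback, the loop and the `iter` variable can be replaced by `*granularPolkit = STREQ(drv[0], "polkit") && !drv[1];`. The final hunk then passes this flag into a call whose name lies outside the hunk, so the wrong value propagates there; the function body also continues past the end of the first hunk.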