From: "Daniel P. Berrange" <berrange@xxxxxxxxxx> Insert calls to the ACL checking APIs in all network driver entrypoints. Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx> --- src/Makefile.am | 7 ++++-- src/network/bridge_driver.c | 61 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 2 deletions(-) diff --git a/src/Makefile.am b/src/Makefile.am index 1d43e0d..a76c27e 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1230,8 +1230,11 @@ noinst_LTLIBRARIES += libvirt_driver_network.la endif libvirt_driver_network_impl_la_CFLAGS = \ - $(LIBNL_CFLAGS) $(DBUS_CFLAGS) \ - -I$(top_srcdir)/src/conf $(AM_CFLAGS) $(DBUS_CFLAGS) + $(LIBNL_CFLAGS) \ + $(DBUS_CFLAGS) \ + -I$(top_srcdir)/src/access \ + -I$(top_srcdir)/src/conf \ + $(AM_CFLAGS) libvirt_driver_network_impl_la_SOURCES = $(NETWORK_DRIVER_SOURCES) endif EXTRA_DIST += network/default.xml diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c index d5886fe..d19ae47 100644 --- a/src/network/bridge_driver.c +++ b/src/network/bridge_driver.c @@ -65,6 +65,7 @@ #include "virdbus.h" #include "virfile.h" #include "virstring.h" +#include "viraccessapicheck.h" #define VIR_FROM_THIS VIR_FROM_NETWORK @@ -2833,6 +2834,9 @@ static virNetworkPtr networkLookupByUUID(virConnectPtr conn, goto cleanup; } + if (virNetworkLookupByUUIDEnsureACL(conn, network->def) < 0) + goto cleanup; + ret = virGetNetwork(conn, network->def->name, network->def->uuid); cleanup: @@ -2856,6 +2860,9 @@ static virNetworkPtr networkLookupByName(virConnectPtr conn, goto cleanup; } + if (virNetworkLookupByNameEnsureACL(conn, network->def) < 0) + goto cleanup; + ret = virGetNetwork(conn, network->def->name, network->def->uuid); cleanup: 
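Review bot: In networkLookupByUUID the new virNetworkLookupByUUIDEnsureACL(conn, network->def) call necessarily sits after the object lookup, because it needs network->def, so an unauthorized caller gets the not-found error reported just above the hunk when the UUID does not exist and an access-denied error when it does; the existence of a network is therefore observable across the permission boundary, and networkLookupByName has the same shape. This is presumably an accepted property of object-scoped ACL checks, but it deserves a comment at the check so the ordering is not read as accidental, e.g. `/* ACL check needs the looked-up def; a denial therefore confirms the object exists */`. Both enclosing functions start and end outside these hunks, so the cleanup path (unlocking the looked-up object, ret left NULL) is assumed here rather than seen.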
@@ -2886,6 +2893,9 @@ static int networkConnectNumOfNetworks(virConnectPtr conn) { int nactive = 0, i; struct network_driver *driver = conn->networkPrivateData; + if (virConnectNumOfNetworksEnsureACL(conn) < 0) + return -1; + networkDriverLock(driver); for (i = 0; i < driver->networks.count; i++) { virNetworkObjLock(driver->networks.objs[i]); @@ -2902,6 +2912,9 @@ static int networkConnectListNetworks(virConnectPtr conn, char **const names, in struct network_driver *driver = conn->networkPrivateData; int got = 0, i; + if (virConnectListNetworksEnsureACL(conn) < 0) + return -1; + networkDriverLock(driver); for (i = 0; i < driver->networks.count && got < nnames; i++) { virNetworkObjLock(driver->networks.objs[i]); @@ -2929,6 +2942,9 @@ static int networkConnectNumOfDefinedNetworks(virConnectPtr conn) { int ninactive = 0, i; struct network_driver *driver = conn->networkPrivateData; + if (virConnectNumOfDefinedNetworksEnsureACL(conn) < 0) + return -1; + networkDriverLock(driver); for (i = 0; i < driver->networks.count; i++) { virNetworkObjLock(driver->networks.objs[i]); @@ -2945,6 +2961,9 @@ static int networkConnectListDefinedNetworks(virConnectPtr conn, char **const na struct network_driver *driver = conn->networkPrivateData; int got = 0, i; + if (virConnectListDefinedNetworksEnsureACL(conn) < 0) + return -1; + networkDriverLock(driver); for (i = 0; i < driver->networks.count && got < nnames; i++) { virNetworkObjLock(driver->networks.objs[i]); @@ -2977,10 +2996,14 @@ networkConnectListAllNetworks(virConnectPtr conn, virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1); + if (virConnectListAllNetworksEnsureACL(conn) < 0) + goto cleanup; + networkDriverLock(driver); ret = virNetworkList(conn, driver->networks, nets, flags); networkDriverUnlock(driver); +cleanup: return ret; } 
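Review bot: The virConnectNumOfNetworksEnsureACL(conn) gate added to networkConnectNumOfNetworks is connection-scoped only, and the loop that follows still counts every entry in driver->networks with no per-object check, so a caller permitted to enumerate sees the full inventory regardless of which networks it may act on individually; the networkConnectListNetworks, networkConnectNumOfDefinedNetworks, networkConnectListDefinedNetworks and networkConnectListAllNetworks hunks have the same shape. If that is the intended model (enumeration is a connection privilege), a comment at the first check would make it explicit, e.g. `/* Connection-level ACL only: results are not filtered per network */`; if not, a per-object filter inside these loops (the CheckACL counterpart of the EnsureACL helpers, if the generator provides one) is still needed. Each of these functions starts before its hunk.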
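Review bot: The `goto cleanup` added to networkConnectListAllNetworks jumps to a new label placed after networkDriverUnlock(driver) and returns `ret`, so the ACL-denied path is only correct if `ret` is initialised to -1 at its declaration, which is outside this hunk; please confirm, or set it explicitly before the check, because an uninitialised `ret` here would turn a denial into a success-looking return or undefined behaviour. Placing the label after the unlock is right, since the check runs before networkDriverLock(driver) is taken. The function's declarations are outside the hunk.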
@@ -2997,6 +3020,10 @@ static int networkIsActive(virNetworkPtr net) virReportError(VIR_ERR_NO_NETWORK, NULL); goto cleanup; } + + if (virNetworkIsActiveEnsureACL(net->conn, obj->def) < 0) + goto cleanup; + ret = virNetworkObjIsActive(obj); cleanup: @@ -3018,6 +3045,10 @@ static int networkIsPersistent(virNetworkPtr net) virReportError(VIR_ERR_NO_NETWORK, NULL); goto cleanup; } + + if (virNetworkIsPersistentEnsureACL(net->conn, obj->def) < 0) + goto cleanup; + ret = obj->persistent; cleanup: @@ -3185,6 +3216,9 @@ static virNetworkPtr networkCreateXML(virConnectPtr conn, const char *xml) { if (!(def = virNetworkDefParseString(xml))) goto cleanup; + if (virNetworkCreateXMLEnsureACL(conn, def) < 0) + goto cleanup; + if (networkValidate(driver, def, true) < 0) goto cleanup; @@ -3225,6 +3259,9 @@ static virNetworkPtr networkDefineXML(virConnectPtr conn, const char *xml) { if (!(def = virNetworkDefParseString(xml))) goto cleanup; + if (virNetworkDefineXMLEnsureACL(conn, def) < 0) + goto cleanup; + if (networkValidate(driver, def, false) < 0) goto cleanup; @@ -3283,6 +3320,9 @@ networkUndefine(virNetworkPtr net) { goto cleanup; } + if (virNetworkUndefineEnsureACL(net->conn, network->def) < 0) + goto cleanup; + if (virNetworkObjIsActive(network)) active = true; @@ -3343,6 +3383,9 @@ networkUpdate(virNetworkPtr net, goto cleanup; } + if (virNetworkUpdateEnsureACL(net->conn, network->def, flags) < 0) + goto cleanup; + /* see if we are listening for dhcp pre-modification */ for (ii = 0; (ipdef = virNetworkDefGetIpByIndex(network->def, AF_INET, ii)); @@ -3478,6 +3521,9 @@ static int networkCreate(virNetworkPtr net) { goto cleanup; } + if (virNetworkCreateEnsureACL(net->conn, network->def) < 0) + goto cleanup; + ret = networkStartNetwork(driver, network); cleanup: 
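Review bot: In networkCreateXML the new virNetworkCreateXMLEnsureACL(conn, def) check runs on `def` straight out of virNetworkDefParseString and takes `goto cleanup` on failure before the def has been validated or handed to the driver; the cleanup label is outside the hunk, so please confirm it frees `def` on this new early-exit path, and the same applies to networkDefineXML. Checking before networkValidate is the right place to deny early, but it means whatever fields the helper consults (presumably the parsed name and UUID) are still unvalidated at that point, which is worth stating: `/* ACL check on the caller-supplied identity before any validation or state change */`. Both functions start and end outside their hunks.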
@@ -3501,6 +3547,9 @@ static int networkDestroy(virNetworkPtr net) { goto cleanup; } + if (virNetworkDestroyEnsureACL(net->conn, network->def) < 0) + goto cleanup; + if (!virNetworkObjIsActive(network)) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("network is not active")); @@ -3546,6 +3595,9 @@ static char *networkGetXMLDesc(virNetworkPtr net, goto cleanup; } + if (virNetworkGetXMLDescEnsureACL(net->conn, network->def) < 0) + goto cleanup; + if ((flags & VIR_NETWORK_XML_INACTIVE) && network->newDef) def = network->newDef; else @@ -3574,6 +3626,9 @@ static char *networkGetBridgeName(virNetworkPtr net) { goto cleanup; } + if (virNetworkGetBridgeNameEnsureACL(net->conn, network->def) < 0) + goto cleanup; + if (!(network->def->bridge)) { virReportError(VIR_ERR_INTERNAL_ERROR, _("network '%s' does not have a bridge name."), @@ -3604,6 +3659,9 @@ static int networkGetAutostart(virNetworkPtr net, goto cleanup; } + if (virNetworkGetAutostartEnsureACL(net->conn, network->def) < 0) + goto cleanup; + *autostart = network->autostart; ret = 0; @@ -3629,6 +3687,9 @@ static int networkSetAutostart(virNetworkPtr net, goto cleanup; } + if (virNetworkSetAutostartEnsureACL(net->conn, network->def) < 0) + goto cleanup; + if (!network->persistent) { virReportError(VIR_ERR_OPERATION_INVALID, "%s", _("cannot set autostart for transient network")); -- 1.8.1.4 -- libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
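Review bot: In networkDestroy the ACL check is placed ahead of the `!virNetworkObjIsActive(network)` test, and networkSetAutostart likewise checks before `!network->persistent`, so an unauthorized caller is denied before the VIR_ERR_OPERATION_INVALID path can disclose the network's active or persistent state; that ordering is a property worth pinning with a comment so later edits do not move the state checks above it, e.g. `/* ACL before any state-dependent error: deny without disclosing network state */`. The same placement appears in networkGetXMLDesc (before the flags/newDef selection) and networkGetBridgeName (before the missing-bridge error). All of these functions start and end outside their hunks.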