On 09.05.2013 15:26, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
>
> This series (which depends on the Xen refactoring patches) adds
> support for access control checks on all APIs that run inside
> libvirtd.
>
> The first patch defines the basic objects which can be checked
> and the permissions associated with each object. In addition
> it provides the basic internal (pluggable) API for access
> control checks
>
> Later there are policykit and selinux drivers for the access
> control framework. Neither of these is currently optimal
> but they have basic functionality working
>
> To ensure that we don't forget access control checks when
> adding new APIs, we maintain metadata in the remote_protocol.x
> file against each method declaring what access control check
> must be done.
>
> There are actually two checks possible. The first check is
> against the object being used. The optional second check
> is against the objects being returned (if any). The latter
> is used to filter what can be seen when asking for a list
> of objects (eg 'virsh list' gets filtered)
>
> Again to ensure accurate checks, we automate the generation
> of methods for applying access control checks to each API.
> These helper methods are named to match the public API names.
> The last patch ensures that every method listed in the
> virXXXXDriverPtr tables has a call to an access control
> helper with the same name as the public API.
>
> And of course there are the patches which actually add
> the access control checks.
>
> Still todo
>
>  - Not all Xen methods have access control checks yet.
>    This causes the test case in the last patch to report
>    failures
>
>  - Have not wired up the checks for filtering the returned
>    objects in any driver yet
>
>  - The polkit driver is inefficient since it spawns
>    pkcheck for each check. We need to talk to DBus
>    directly since ACL checks will be very frequent
>    and need to be lightweight
>
>  - The SELinux driver is validating against the label
>    of libvirtd. We need to validate against the label of
>    the virDomainDefPtr security model or some equivalent
>    for other objects.
>
>  - Need to write a generic RBAC access control impl. It
>    was hoped that new polkit would make this obsolete.
>    Polkit is still unable to do access control checks
>    for non-local users though eg it can't validate
>    against SASL usernames or x509 certs.
>
> Daniel P. Berrange (19):
>   Define basic internal API for access control
>   Set conn->driver before running driver connectOpen method
>   Setup default access control manager in libvirtd
>   Add a policy kit access control driver
>   Add an SELinux access control driver
>   Add ACL annotations to all RPC messages
>   Auto-generate helpers for checking access control rules
>   Add ACL checks into the QEMU driver
>   Add ACL checks into the LXC driver
>   Add ACL checks into the UML driver
>   Add ACL checks into the Xen driver
>   Add ACL checks into the libxl driver
>   Add ACL checks into the storage driver
>   Add ACL checks into the network driver
>   Add ACL checks into the interface driver
>   Add ACL checks into the node device driver
>   Add ACL checks into the nwfilter driver
>   Add ACL checks into the secrets driver
>   Add validation that all APIs contain ACL checks
>
>  .gitignore | 10 +
>  daemon/Makefile.am | 1 +
>  daemon/libvirtd-config.c | 4 +
>  daemon/libvirtd-config.h | 2 +
>  daemon/libvirtd.aug | 1 +
>  daemon/libvirtd.c | 27 ++
>  daemon/libvirtd.conf | 9 +
>  daemon/test_libvirtd.aug.in | 4 +
>  include/libvirt/virterror.h | 4 +
>  m4/virt-compile-warnings.m4 | 1 +
>  m4/virt-selinux.m4 | 2 +
>  po/POTFILES.in | 3 +
>  src/Makefile.am | 128 +++++-
>  src/access/genpolkit.pl | 119 ++++++
>  src/access/viraccessdriver.h | 89 ++++
>  src/access/viraccessdrivernop.c | 118 ++++++
>  src/access/viraccessdrivernop.h | 28 ++
>  src/access/viraccessdriverpolkit.c | 399 ++++++++++++++++++
>  src/access/viraccessdriverpolkit.h | 28 ++
>  src/access/viraccessdriverselinux.c | 565 +++++++++++++++++++++++++
>  src/access/viraccessdriverselinux.h | 28 ++
>  src/access/viraccessdriverstack.c | 285 +++++++++++++
>  src/access/viraccessdriverstack.h | 32 ++
>  src/access/viraccessmanager.c | 352 ++++++++++++++++
>  src/access/viraccessmanager.h | 91 ++++
>  src/access/viraccessperm.c | 84 ++++
>  src/access/viraccessperm.h | 647 +++++++++++++++++++++++++++++
>  src/check-aclrules.pl | 144 +++++++
>  src/interface/interface_backend_netcf.c | 114 +++++
>  src/interface/interface_backend_udev.c | 85 +++-
>  src/internal.h | 4 +
>  src/libvirt.c | 11 +-
>  src/libvirt_private.syms | 37 ++
>  src/libxl/libxl_driver.c | 187 ++++++++-
>  src/locking/lock_protocol.x | 8 +
>  src/lxc/lxc_driver.c | 219 +++++++++-
>  src/network/bridge_driver.c | 61 +++
>  src/node_device/node_device_driver.c | 36 ++
>  src/nwfilter/nwfilter_driver.c | 26 ++
>  src/qemu/qemu_driver.c | 716 ++++++++++++++++++++++++++++----
>  src/remote/lxc_protocol.x | 1 +
>  src/remote/qemu_protocol.x | 4 +
>  src/remote/remote_protocol.x | 406 ++++++++++++++++++
>  src/rpc/gendispatch.pl | 212 +++++++++-
>  src/secret/secret_driver.c | 31 ++
>  src/storage/storage_driver.c | 155 ++++++-
>  src/uml/uml_driver.c | 174 +++++++-
>  src/util/virerror.c | 8 +
>  src/util/virlog.c | 3 +-
>  src/util/virlog.h | 1 +
>  src/xen/xen_driver.c | 217 +++++++++-
>  51 files changed, 5785 insertions(+), 136 deletions(-)
>  create mode 100755 src/access/genpolkit.pl
>  create mode 100644 src/access/viraccessdriver.h
>  create mode 100644 src/access/viraccessdrivernop.c
>  create mode 100644 src/access/viraccessdrivernop.h
>  create mode 100644 src/access/viraccessdriverpolkit.c
>  create mode 100644 src/access/viraccessdriverpolkit.h
>  create mode 100644 src/access/viraccessdriverselinux.c
>  create mode 100644 src/access/viraccessdriverselinux.h
>  create mode 100644 src/access/viraccessdriverstack.c
>  create mode 100644 src/access/viraccessdriverstack.h
>  create mode 100644 src/access/viraccessmanager.c
>  create mode 100644 src/access/viraccessmanager.h
>  create mode 100644 src/access/viraccessperm.c
>  create mode 100644 src/access/viraccessperm.h
>  create mode 100644 src/check-aclrules.pl
>

I wanted to review this. But seems like patches don't apply cleanly.
Can you rebase and repost?

Michal

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
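
The completeness check described in the quoted cover letter (every method in a driver table must call an access control helper named after the public API) can be sketched as below. This is an added example, not libvirt's check-aclrules.pl and not part of the thread; the driver source, the demo* function names and the vir<Api>EnsureACL helper naming are constructed assumptions.

```python
import re
# Constructed driver source; every name below is illustrative, not libvirt's.
SAMPLE = '''
static int
demoDomainCreate(virDomainPtr dom)
{
    if (virDomainCreateEnsureACL(dom->conn, dom) < 0) return -1;
    return 0;
}
static int
demoDomainDestroy(virDomainPtr dom)
{
    return 0;   /* no ACL check at all */
}
static int
demoDomainSuspend(virDomainPtr dom)
{
    if (virDomainCreateEnsureACL(dom->conn, dom) < 0) return -1; /* other API */
    return 0;
}
static virDriver demoDriver = {
    .name = "demo",
    .domainCreate = demoDomainCreate,
    .domainDestroy = demoDomainDestroy,
    .domainSuspend = demoDomainSuspend,
};
'''

TABLE_RE = re.compile(r'static\s+vir\w*Driver\s+\w+\s*=\s*\{(.*?)\};', re.S)
ENTRY_RE = re.compile(r'\.(\w+)\s*=\s*([A-Za-z_]\w*)\s*,')
FUNC_RE = re.compile(r'^(\w+)\([^)]*\)\s*\n\{(.*?)^\}', re.S | re.M)

def missing_acl_checks(source):
    """Return (function, expected_helper) for table entries lacking the call."""
    bodies = dict(FUNC_RE.findall(source))
    problems = []
    for table in TABLE_RE.findall(source):
        for field, impl in ENTRY_RE.findall(table):
            # Assumed convention: field domainCreate -> virDomainCreateEnsureACL
            helper = "vir" + field[0].upper() + field[1:] + "EnsureACL"
            body = bodies.get(impl)
            if body is None or not re.search(r'\b%s\s*\(' % helper, body):
                problems.append((impl, helper))
    return problems

if __name__ == "__main__":
    for impl, helper in missing_acl_checks(SAMPLE):
        print("%s: missing call to %s" % (impl, helper))
```

Requiring the helper name to match the table field is what catches the third function: it does perform a check, but for a different API's permission.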