Re: [PATCH 00/19] Fine grained access control for libvirt APIs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Jun 21, 2013 at 11:17:08AM +0200, Michal Privoznik wrote:
> On 19.06.2013 19:00, Daniel P. Berrange wrote:
> > From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
> > 
> > This is a repost of
> > 
> >   http://www.redhat.com/archives/libvir-list/2012-May/msg00090.html
> > 
> > Most of the early patches in that series are now merged. What is
> > left is the actual access control work. The first patches setup
> > the infrastructure and provide two drivers (policy kit and selinux).
> > The remaining patches add access control checks to all the public
> > APIs in each driver. The final patch adds a test case to validate
> > that every driver API impl has an access control check present.
> > 
> > Still todo
> > 
> >  - Optimize the polkit driver by making direct dbus calls
> >    instead of spawning the polkit helper program
> > 
> >  - Add filtering of returned objects from the various
> >    vir*List* APIs
> > 
> >  - Finish adding acl checks to the legacy Xen driver in
> >    about 6 apis.
> > 
> >  - Write a standalone access control driver as alternative
> >    to polkit
> > 
> >  - Audit permission names & groups to ensure we have an
> >    optimial set of permissions defined to cover all our
> >    APIs.
> > 
> > Daniel P. Berrange (19):
> >   Define basic internal API for access control
> >   Set conn->driver before running driver connectOpen method
> >   Setup default access control manager in libvirtd
> >   Add a policy kit access control driver
> >   Add an SELinux access control driver
> >   Add ACL annotations to all RPC messages
> >   Auto-generate helpers for checking access control rules
> >   Add ACL checks into the QEMU driver
> >   Add ACL checks into the LXC driver
> >   Add ACL checks into the UML driver
> >   Add ACL checks into the Xen driver
> >   Add ACL checks into the libxl driver
> >   Add ACL checks into the storage driver
> >   Add ACL checks into the network driver
> >   Add ACL checks into the interface driver
> >   Add ACL checks into the node device driver
> >   Add ACL checks into the nwfilter driver
> >   Add ACL checks into the secrets driver
> >   Add validation that all APIs contain ACL checks
> > 
> >  .gitignore                              |  10 +
> >  daemon/Makefile.am                      |   1 +
> >  daemon/libvirtd-config.c                |   4 +
> >  daemon/libvirtd-config.h                |   2 +
> >  daemon/libvirtd.aug                     |   1 +
> >  daemon/libvirtd.c                       |  28 +-
> >  daemon/libvirtd.conf                    |   9 +
> >  daemon/test_libvirtd.aug.in             |   4 +
> >  include/libvirt/virterror.h             |   4 +
> >  m4/virt-compile-warnings.m4             |   1 +
> >  m4/virt-selinux.m4                      |   2 +
> >  po/POTFILES.in                          |   3 +
> >  src/Makefile.am                         | 187 ++++++++-
> >  src/access/genpolkit.pl                 | 119 ++++++
> >  src/access/viraccessdriver.h            |  89 ++++
> >  src/access/viraccessdrivernop.c         | 118 ++++++
> >  src/access/viraccessdrivernop.h         |  28 ++
> >  src/access/viraccessdriverpolkit.c      | 399 ++++++++++++++++++
> >  src/access/viraccessdriverpolkit.h      |  28 ++
> >  src/access/viraccessdriverselinux.c     | 565 +++++++++++++++++++++++++
> >  src/access/viraccessdriverselinux.h     |  28 ++
> >  src/access/viraccessdriverstack.c       | 285 +++++++++++++
> >  src/access/viraccessdriverstack.h       |  32 ++
> >  src/access/viraccessmanager.c           | 351 ++++++++++++++++
> >  src/access/viraccessmanager.h           |  91 ++++
> >  src/access/viraccessperm.c              |  84 ++++
> >  src/access/viraccessperm.h              | 647 +++++++++++++++++++++++++++++
> >  src/check-aclrules.pl                   | 144 +++++++
> >  src/interface/interface_backend_netcf.c | 115 +++++
> >  src/interface/interface_backend_udev.c  |  85 +++-
> >  src/internal.h                          |   4 +
> >  src/libvirt.c                           |  11 +-
> >  src/libvirt_private.syms                |  37 ++
> >  src/libxl/libxl_driver.c                | 187 ++++++++-
> >  src/locking/lock_protocol.x             |   8 +
> >  src/lxc/lxc_driver.c                    | 219 +++++++++-
> >  src/network/bridge_driver.c             |  61 +++
> >  src/node_device/node_device_driver.c    |  36 ++
> >  src/nwfilter/nwfilter_driver.c          |  26 ++
> >  src/qemu/qemu_driver.c                  | 716 ++++++++++++++++++++++++++++----
> >  src/remote/lxc_protocol.x               |   1 +
> >  src/remote/qemu_protocol.x              |   4 +
> >  src/remote/remote_protocol.x            | 406 ++++++++++++++++++
> >  src/rpc/gendispatch.pl                  | 211 +++++++++-
> >  src/secret/secret_driver.c              |  31 ++
> >  src/storage/storage_driver.c            | 155 ++++++-
> >  src/uml/uml_driver.c                    | 174 +++++++-
> >  src/util/virerror.c                     |   8 +
> >  src/util/virlog.c                       |   3 +-
> >  src/util/virlog.h                       |   1 +
> >  src/xen/xen_driver.c                    | 217 +++++++++-
> >  51 files changed, 5827 insertions(+), 153 deletions(-)
> >  create mode 100755 src/access/genpolkit.pl
> >  create mode 100644 src/access/viraccessdriver.h
> >  create mode 100644 src/access/viraccessdrivernop.c
> >  create mode 100644 src/access/viraccessdrivernop.h
> >  create mode 100644 src/access/viraccessdriverpolkit.c
> >  create mode 100644 src/access/viraccessdriverpolkit.h
> >  create mode 100644 src/access/viraccessdriverselinux.c
> >  create mode 100644 src/access/viraccessdriverselinux.h
> >  create mode 100644 src/access/viraccessdriverstack.c
> >  create mode 100644 src/access/viraccessdriverstack.h
> >  create mode 100644 src/access/viraccessmanager.c
> >  create mode 100644 src/access/viraccessmanager.h
> >  create mode 100644 src/access/viraccessperm.c
> >  create mode 100644 src/access/viraccessperm.h
> >  create mode 100644 src/check-aclrules.pl
> > 
> 
> 
> ACK series, but see my comments to patches.

I have pushed all except the last patch (test case) and the SELinux
driver impl. The SELinux driver impl isn't useful without some selinux
policy work, so that can wait.

I need to fix some things in the legacy xen driver before the test
case can pass.

Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list




[Index of Archives]     [Virt Tools]     [Libvirt Users]     [Lib OS Info]     [Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Big List of Linux Books]     [Yosemite News]     [KDE Users]     [Fedora Tools]