[PATCH 0/8] Filtering of object lists via ACLs

From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

The current ACL checks validate access to the object being
passed in to the API calls.

There are a few APIs (all the virConnectList* / virConnectNum*
ones) which are used to get lists of objects in the first
place. Currently you could find out that there is a VM called
"foo", but you can't then do virDomainLookupByName since the
ACL check may block it.

This series introduces filtering in the object list APIs,
so you can't even see the existence of an object called
"foo", if you don't have permission over it.

This is not yet filtering the legacy Xen driver.

Daniel P. Berrange (8):
  Add access control filtering of domain objects
  Add access control filtering of network objects
  Add access control filtering of node device objects
  Add access control filtering of storage objects
  Add access control filtering of secret objects
  Add access control filtering of nwfilter objects
  Add access control filtering of interface objects
  Extend the ACL test case to validate filter rule checks

 src/Makefile.am                         |   1 +
 src/check-aclrules.pl                   |  97 ++++++++++++
 src/conf/domain_conf.c                  |  91 +++++++----
 src/conf/domain_conf.h                  |  17 ++-
 src/conf/interface_conf.h               |   3 +
 src/conf/network_conf.c                 |  12 +-
 src/conf/network_conf.h                 |  13 +-
 src/conf/node_device_conf.c             |  12 +-
 src/conf/node_device_conf.h             |  12 +-
 src/conf/storage_conf.c                 |  12 +-
 src/conf/storage_conf.h                 |  11 +-
 src/interface/interface_backend_netcf.c | 262 +++++++++++++++++++++++++++-----
 src/interface/interface_backend_udev.c  |  56 +++++--
 src/libvirt_private.syms                |   6 +-
 src/libxl/libxl_driver.c                |  15 +-
 src/lxc/lxc_driver.c                    |  15 +-
 src/network/bridge_driver.c             |  44 +++---
 src/node_device/node_device_driver.c    |  28 ++--
 src/nwfilter/nwfilter_driver.c          |  39 +++--
 src/openvz/openvz_driver.c              |   7 +-
 src/parallels/parallels_driver.c        |  14 +-
 src/parallels/parallels_network.c       |   2 +-
 src/qemu/qemu_driver.c                  |  24 +--
 src/rpc/gendispatch.pl                  |  42 +++--
 src/secret/secret_driver.c              |  14 +-
 src/storage/storage_driver.c            |  62 +++++---
 src/test/test_driver.c                  |  18 ++-
 src/uml/uml_driver.c                    |  15 +-
 src/vmware/vmware_driver.c              |  12 +-
 29 files changed, 716 insertions(+), 240 deletions(-)

-- 
1.8.1.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list
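
The filtering the cover letter describes, sketched as an added example (not code from the patch series or from libvirt): the count and list calls run each object through a per-caller filter callback, so both agree on what the caller is allowed to see. All type, function and policy names here are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model; none of these names are libvirt's. */
struct caller { const char *user; };
struct object { const char *name; const char *owner; };
typedef bool (*acl_filter)(const struct caller *, const struct object *);

/* Constructed sample data. */
static const struct object sample[] = {
    { "foo", "alice" }, { "bar", "bob" }, { "baz", "bob" },
};

/* Hypothetical policy: a caller may see only objects it owns. */
bool owner_only(const struct caller *c, const struct object *o)
{
    return strcmp(c->user, o->owner) == 0;
}

/* "Num"-style call: count only objects that pass the filter (NULL = no filter). */
size_t obj_count(const struct object *objs, size_t n,
                 const struct caller *c, acl_filter f)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        count += (!f || f(c, &objs[i]));
    return count;
}

/* "List"-style call: copy out at most max names of visible objects. */
size_t obj_list_names(const struct object *objs, size_t n,
                      const struct caller *c, acl_filter f,
                      const char **names, size_t max)
{
    size_t got = 0;
    for (size_t i = 0; i < n && got < max; i++)
        if (!f || f(c, &objs[i]))
            names[got++] = objs[i].name;
    return got;
}

int main(void)
{
    struct caller bob = { "bob" };
    printf("unfiltered: %zu, filtered for bob: %zu\n",
           obj_count(sample, 3, &bob, NULL), obj_count(sample, 3, &bob, owner_only));
    return 0;
}
```

Without the filter, bob's listing includes "foo", an object he has no permission over; with it, the name never leaves the list call and the count matches the list.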



