From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>
Ensure that all APIs which list secret objects filter them against the access control system.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/secret/secret_driver.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/secret/secret_driver.c b/src/secret/secret_driver.c
index fbe49d7..71b3fe7 100644
--- a/src/secret/secret_driver.c
+++ b/src/secret/secret_driver.c
@@ -566,8 +566,11 @@ secretConnectNumOfSecrets(virConnectPtr conn)
 secretDriverLock(driver);
 i = 0;
- for (secret = driver->secrets; secret != NULL; secret = secret->next)
- i++;
+ for (secret = driver->secrets; secret != NULL; secret = secret->next) {
+ if (virConnectNumOfSecretsCheckACL(conn,
+ secret->def))
+ i++;
+ }
 secretDriverUnlock(driver);
 return i;
@@ -590,6 +593,9 @@ secretConnectListSecrets(virConnectPtr conn, char **uuids, int maxuuids)
 i = 0;
 for (secret = driver->secrets; secret != NULL; secret = secret->next) {
 char *uuidstr;
+ if (!virConnectListSecretsCheckACL(conn,
+ secret->def))
+ continue;
 if (i == maxuuids)
 break;
 if (VIR_ALLOC_N(uuidstr, VIR_UUID_STRING_BUFLEN) < 0) {
@@ -666,6 +672,10 @@ secretConnectListAllSecrets(virConnectPtr conn,
 }
 for (entry = driver->secrets; entry != NULL; entry = entry->next) {
+ if (!virConnectListAllSecretsCheckACL(conn,
+ entry->def))
+ continue;
+
 /* filter by whether it's ephemeral */
 if (MATCH(VIR_CONNECT_LIST_SECRETS_FILTERS_EPHEMERAL) &&
 !((MATCH(VIR_CONNECT_LIST_SECRETS_EPHEMERAL) &&
--
1.8.1.4
--
libvir-list mailing list libvir-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/libvir-list
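Review bot: The count in secretConnectNumOfSecrets is filtered with virConnectNumOfSecretsCheckACL, while secretConnectListSecrets (second hunk) filters with virConnectListSecretsCheckACL, so the number a client uses to size its array matches the list only if both checks apply the same permission; that is not visible here and is worth stating. Each check also runs inside the loop with secretDriverLock held, so if the access driver blocks on an external policy service (not shown) the lock is held for one such call per secret. I would add a comment above the loop such as `/* Count only secrets visible to the caller; must stay in step with the ListSecrets filter */`. The function starts and ends outside the hunk, so any connection-level permission check made before the lock is taken cannot be confirmed from here.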
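Review bot: In secretConnectListSecrets the new ACL check sits before `if (i == maxuuids) break;`, so once the array is full the loop keeps walking the list and running an access check on every remaining denied secret until it meets a permitted one. Testing the bound first ends the loop immediately: move the `if (i == maxuuids)` / `break;` pair above `if (!virConnectListSecretsCheckACL(conn, secret->def))`. The same reordering avoids pointless checks when maxuuids is 0. The function continues outside the hunk.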
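Review bot: The ACL filter added to secretConnectListAllSecrets is the only filter in this loop without a comment, and it is the one with security meaning: a secret that fails the check is dropped silently, so a caller cannot tell "no secrets exist" from "none are visible to me". I would label it like its neighbours, e.g. `/* filter by ACL: skip secrets the caller is not permitted to see */`. Placing it ahead of the flag filters looks right, since it then presumably also applies to the count the function returns; the counting code is outside the hunk, so that part is inferred.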