From: "Daniel P. Berrange" <berrange@xxxxxxxxxx>

Ensure that all APIs which list network objects filter them against the access control system.

Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
---
 src/conf/network_conf.c           | 12 ++++++-----
 src/conf/network_conf.h           | 13 ++++++++----
 src/libvirt_private.syms          |  2 +-
 src/network/bridge_driver.c       | 44 ++++++++++++++++++++++++---------------
 src/parallels/parallels_network.c |  2 +-
 src/test/test_driver.c            |  2 +-
 6 files changed, 46 insertions(+), 29 deletions(-)

diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 2b4845c..64fd581 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -4289,10 +4289,11 @@ virNetworkMatch(virNetworkObjPtr netobj,
 #undef MATCH
 
 int
-virNetworkList(virConnectPtr conn,
-               virNetworkObjList netobjs,
-               virNetworkPtr **nets,
-               unsigned int flags)
+virNetworkObjListExport(virConnectPtr conn,
+                        virNetworkObjList netobjs,
+                        virNetworkPtr **nets,
+                        virNetworkObjListFilter filter,
+                        unsigned int flags)
 {
     virNetworkPtr *tmp_nets = NULL;
     virNetworkPtr net = NULL;
@@ -4310,7 +4311,8 @@ virNetworkList(virConnectPtr conn,
     for (i = 0; i < netobjs.count; i++) {
         virNetworkObjPtr netobj = netobjs.objs[i];
         virNetworkObjLock(netobj);
-        if (virNetworkMatch(netobj, flags)) {
+        if ((!filter || filter(conn, netobj->def)) &&
+            virNetworkMatch(netobj, flags)) {
             if (nets) {
                 if (!(net = virGetNetwork(conn,
                                           netobj->def->name,
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index 43f80d4..a1d3282 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -296,6 +296,10 @@ void virNetworkDefFree(virNetworkDefPtr def);
 void virNetworkObjFree(virNetworkObjPtr net);
 void virNetworkObjListFree(virNetworkObjListPtr vms);
 
+
+typedef bool (*virNetworkObjListFilter)(virConnectPtr conn,
+                                        virNetworkDefPtr def);
+
 virNetworkObjPtr virNetworkAssignDef(virNetworkObjListPtr nets,
                                      const virNetworkDefPtr def,
                                      bool live);
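Review bot: The new condition `(!filter || filter(conn, netobj->def))` in virNetworkObjListExport makes a NULL filter mean "export every network", so any driver that passes NULL gets no access-control filtering at all and nothing in the signature warns about it; the parallels and test drivers in this same patch already pass NULL. Given that the stated purpose of the commit is to route listing through the ACL system, that permissive default deserves a comment at the check, e.g. `/* NULL filter = no ACL filtering at all; drivers exposed by the daemon must pass one */`, or the argument could be made mandatory and the two NULL callers given an explicit filter. The body of virNetworkObjListExport starts before and ends after this hunk.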
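Review bot: The new `virNetworkObjListFilter` typedef in network_conf.h is added without a comment stating its contract, and its only visible caller (virNetworkObjListExport) invokes it with the network object locked and treats a true return as "include this network". A short comment above the typedef would save the next driver author a trip into network_conf.c: `/* Return true to include @def in a listing; called with the network object locked. */`. Whether the callback is allowed to block is not stated anywhere in the patch, so I would add that to the comment once it is decided.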
@@ -417,9 +421,10 @@ VIR_ENUM_DECL(virNetworkForward)
                  VIR_CONNECT_LIST_NETWORKS_FILTERS_PERSISTENT | \
                  VIR_CONNECT_LIST_NETWORKS_FILTERS_AUTOSTART)
 
-int virNetworkList(virConnectPtr conn,
-                   virNetworkObjList netobjs,
-                   virNetworkPtr **nets,
-                   unsigned int flags);
+int virNetworkObjListExport(virConnectPtr conn,
+                            virNetworkObjList netobjs,
+                            virNetworkPtr **nets,
+                            virNetworkObjListFilter filter,
+                            unsigned int flags);
 
 #endif /* __NETWORK_CONF_H__ */
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index f08ac64..bd52b3d 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -495,13 +495,13 @@ virNetworkFindByUUID;
 virNetworkForwardTypeToString;
 virNetworkIpDefNetmask;
 virNetworkIpDefPrefix;
-virNetworkList;
 virNetworkLoadAllConfigs;
 virNetworkLoadAllState;
 virNetworkObjAssignDef;
 virNetworkObjFree;
 virNetworkObjGetPersistentDef;
 virNetworkObjIsDuplicate;
+virNetworkObjListExport;
 virNetworkObjListFree;
 virNetworkObjLock;
 virNetworkObjReplacePersistentDef;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index fb1741f..742b492 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2899,10 +2899,12 @@ static int networkConnectNumOfNetworks(virConnectPtr conn) {
     networkDriverLock(driver);
     for (i = 0; i < driver->networks.count; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (virNetworkObjIsActive(driver->networks.objs[i]))
+        virNetworkObjPtr obj = driver->networks.objs[i];
+        virNetworkObjLock(obj);
+        if (virConnectNumOfNetworksCheckACL(conn, obj->def) &&
+            virNetworkObjIsActive(obj))
             nactive++;
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
     }
     networkDriverUnlock(driver);
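Review bot: networkConnectNumOfNetworks now counts with `virConnectNumOfNetworksCheckACL` while the companion listing in networkConnectListNetworks filters with `virConnectListNetworksCheckACL`; callers conventionally size the `names` array from the count, so if the two permissions ever diverge the listing silently returns fewer entries than the count promised, or the count reveals the existence of networks the caller may not list. That is presumably harmless while both checks resolve to the same permission, but the coupling is invisible at this call site, so I would add `/* must grant exactly what networkConnectListNetworks's ACL check grants: callers size names[] from this count */` above the loop. The function's return of nactive lies outside the hunk.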
@@ -2918,15 +2920,17 @@ static int networkConnectListNetworks(virConnectPtr conn, char **const names, in
     networkDriverLock(driver);
     for (i = 0; i < driver->networks.count && got < nnames; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (virNetworkObjIsActive(driver->networks.objs[i])) {
-            if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) < 0) {
-                virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjPtr obj = driver->networks.objs[i];
+        virNetworkObjLock(obj);
+        if (virConnectListNetworksCheckACL(conn, obj->def) &&
+            virNetworkObjIsActive(obj)) {
+            if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+                virNetworkObjUnlock(obj);
                 goto cleanup;
             }
             got++;
         }
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
     }
     networkDriverUnlock(driver);
@@ -2948,10 +2952,12 @@ static int networkConnectNumOfDefinedNetworks(virConnectPtr conn) {
     networkDriverLock(driver);
     for (i = 0; i < driver->networks.count; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (!virNetworkObjIsActive(driver->networks.objs[i]))
+        virNetworkObjPtr obj = driver->networks.objs[i];
+        virNetworkObjLock(obj);
+        if (virConnectNumOfDefinedNetworksCheckACL(conn, obj->def) &&
+            !virNetworkObjIsActive(obj))
             ninactive++;
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
     }
     networkDriverUnlock(driver);
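Review bot: In networkConnectListNetworks the new `virConnectListNetworksCheckACL(conn, obj->def)` call runs with both the driver lock and the per-object lock held, whereas the code it replaces held those locks only around a flag test; if the access driver's check can block (a polkit or other out-of-process round-trip, say) every other network operation in the daemon waits on it for every object in the list. Whether the check is cheap is not visible in this diff, so I would either confirm it or at least test the cheap predicate first so inactive networks, which this API never returns, skip the ACL call: `if (virNetworkObjIsActive(obj) && virConnectListNetworksCheckACL(conn, obj->def)) {`. The same ordering question applies to the networkConnectNumOfDefinedNetworks hunk below it, and the cleanup label both loops jump to is outside the hunk.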
@@ -2967,15 +2973,17 @@ static int networkConnectListDefinedNetworks(virConnectPtr conn, char **const na
     networkDriverLock(driver);
     for (i = 0; i < driver->networks.count && got < nnames; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (!virNetworkObjIsActive(driver->networks.objs[i])) {
-            if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) < 0) {
-                virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjPtr obj = driver->networks.objs[i];
+        virNetworkObjLock(obj);
+        if (virConnectListDefinedNetworksCheckACL(conn, obj->def) &&
+            !virNetworkObjIsActive(obj)) {
+            if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+                virNetworkObjUnlock(obj);
                 goto cleanup;
             }
             got++;
         }
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
     }
     networkDriverUnlock(driver);
 
     return got;
@@ -3001,7 +3009,9 @@ networkConnectListAllNetworks(virConnectPtr conn,
         goto cleanup;
 
     networkDriverLock(driver);
-    ret = virNetworkList(conn, driver->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, driver->networks, nets,
+                                  virConnectListAllNetworksCheckACL,
+                                  flags);
     networkDriverUnlock(driver);
 
 cleanup:
diff --git a/src/parallels/parallels_network.c b/src/parallels/parallels_network.c
index c126e31..26a3f13 100644
--- a/src/parallels/parallels_network.c
+++ b/src/parallels/parallels_network.c
@@ -463,7 +463,7 @@ static int parallelsConnectListAllNetworks(virConnectPtr conn,
     virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
 
     parallelsDriverLock(privconn);
-    ret = virNetworkList(conn, privconn->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
     parallelsDriverUnlock(privconn);
 
     return ret;
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index 88e23a3..d4c339e 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
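Review bot: parallelsConnectListAllNetworks passes `NULL` as the new filter argument, which in virNetworkObjListExport means no ACL check at all, yet the commit message says every network-listing API is now filtered; the bridge driver hunk in this same patch passes `virConnectListAllNetworksCheckACL`, taking the same `conn` and `def` this driver has, so nothing visible here prevents the parallels driver from using it too. Unless the parallels driver is deliberately excluded from access control, the call should be `ret = virNetworkObjListExport(conn, privconn->networks, nets, virConnectListAllNetworksCheckACL, flags);`, and if the exclusion is deliberate a one-line comment saying why would keep the next reader from reopening the question. The rest of parallelsConnectListAllNetworks is outside the hunk.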
@@ -3092,7 +3092,7 @@ testConnectListAllNetworks(virConnectPtr conn,
     virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
 
     testDriverLock(privconn);
-    ret = virNetworkList(conn, privconn->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
     testDriverUnlock(privconn);
 
     return ret;
-- 
1.8.1.4

--
libvir-list mailing list
libvir-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/libvir-list