Re: Network denied access

On Fri, Jan 31, 2025 at 03:34:03AM -0300, Rodrigo Prieto wrote:
> Hello,
>
> I am configuring Polkit using an example I found on the web. It correctly
> displays the assigned domain for a given user, but when I try to start the
> VM, I get the following error:
>
> error: Failed to start domain 'debian12'
> error: access denied: 'network' denied access

> Here is my configuration:
>
> polkit.addRule(function(action, subject) {
>  if (action.id == "org.libvirt.unix.manage" &&
>      subject.user == "lolo") {
>      return polkit.Result.YES;
>  }
> });
> polkit.addRule(function(action, subject) {
>    if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
>        subject.user == "lolo") {
>          if (action.lookup("connect_driver") == 'QEMU' &&
>              action.lookup("domain_name") == 'debian12') {
>            return polkit.Result.YES;
>          } else {
>            return polkit.Result.NO;
>          }
>    }
> });


So doing this allows you to do anything with debian12 domain on the QEMU
connection driver.

> To grant network access, I have to configure the following:
>
> polkit.addRule(function(action, subject) {
>    if (action.id.indexOf("org.libvirt.api.network") == 0 &&
>        subject.user == "lolo") {
>        return polkit.Result.YES;
>    }
> });


Adding this allows you to do anything with any network.  This rule does
omit a condition similar to the above one from the api.domain rule.

> The problem with the previous configuration is that it allows full access
> to the network, requiring the following configuration:
>
> *to all the networks
>
> polkit.addRule(function(action, subject) {
>    if ((action.id == "org.libvirt.api.network.stop" ||
>         action.id == "org.libvirt.api.network.delete" ||
>         action.id == "org.libvirt.api.network.write") &&
>        subject.user == "lolo") {
>        return polkit.Result.NO;
>    }
> });
>
> By default, shouldn't network access behave like domains or pools, which
> cannot be deleted?

Can you not?  The domain undefine API checks domain:delete ACL with the
domain name and network undefine API checks network:delete ACL with the
network name.  I'll have to test it, but in the meantime could you try
reproducing that with the same polkit rules (obviously modified to fit
the domain/network difference)?

> I tested it on Libvirt 9.0.0 and 10.0.0.


I did not find any difference between 9.0.0 and the current master with
a quick git-fu.

I tested it on current git master and it works fine, the user can
undefine both the network and the domain, but only the one named as
specified.

> If you can help me, I would really appreciate it.

Be sure to check that both virtqemud and virtnetworkd use polkit as
their access driver in their respective configs.

Have a nice day,
Martin
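Putting the suggestion from the reply into one rules file, as an added example that is not part of the thread and not libvirt's or polkit's own code: the network rule is the domain rule from the question with `network_name` in place of `domain_name`, so user lolo can manage exactly one domain and exactly one network and is denied on every other object, which makes the separate blanket deny rule unnecessary. The small `polkit`/`authorize` shim is my own, added only so the rules can be exercised offline under Node the way polkitd would evaluate them (rules run in order, first non-undefined result wins). The attribute names `connect_driver`, `domain_name` and `network_name` are the ones libvirt attaches to its actions; the network name "default", the rules file name and the "implicit" fallthrough label are assumptions for the example.

```javascript
// Added example, not from the original thread. Only the polkit.addRule calls
// below belong in a real rules file (assumed name:
// /etc/polkit-1/rules.d/50-libvirt-lolo.rules); the shim and the checks at
// the bottom exist so the rules can be run and verified offline.

// --- shim standing in for the objects polkit provides to a rules file ---
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no" },
  addRule(fn) { rules.push(fn); },
};

// An action as a rule sees it: action.id plus action.lookup() for the
// details libvirt attaches (connect_driver, domain_name, network_name, ...).
function makeAction(id, details) {
  return { id, lookup: (key) => details[key] };
}

// Evaluate like polkitd: rules run in file order and the first one that
// returns something other than undefined decides. When no rule decides, the
// implicit authorization from the action's .policy file applies (modelled
// here as the constructed label "implicit").
function authorize(actionId, user, details = {}) {
  const action = makeAction(actionId, details);
  const subject = { user };
  for (const rule of rules) {
    const result = rule(action, subject);
    if (result !== undefined) return result;
  }
  return "implicit";
}

// --- the rules themselves (this part would go in the .rules file) ---
const ALLOWED_USER = "lolo";
const ALLOWED_DOMAIN = "debian12";
const ALLOWED_NETWORK = "default"; // assumed network name for the example

// Connection-level access, unchanged from the original configuration.
polkit.addRule(function (action, subject) {
  if (action.id == "org.libvirt.unix.manage" && subject.user == ALLOWED_USER) {
    return polkit.Result.YES;
  }
});

// Domain APIs: allow only the one named domain on the QEMU driver, deny the
// rest. Unchanged from the original configuration.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.domain.") == 0 && subject.user == ALLOWED_USER) {
    if (action.lookup("connect_driver") == "QEMU" &&
        action.lookup("domain_name") == ALLOWED_DOMAIN) {
      return polkit.Result.YES;
    }
    return polkit.Result.NO;
  }
});

// Network APIs: the same shape, keyed on network_name. Because the else
// branch denies every other network (including stop/delete/write on it),
// the separate blanket deny rule from the question is no longer needed.
polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.libvirt.api.network.") == 0 && subject.user == ALLOWED_USER) {
    if (action.lookup("network_name") == ALLOWED_NETWORK) {
      return polkit.Result.YES;
    }
    return polkit.Result.NO;
  }
});

// Constructed checks; run with: node 50-libvirt-lolo-check.js
if (typeof require !== "undefined" && require.main === module) {
  const cases = [
    ["org.libvirt.api.domain.start", "lolo", { connect_driver: "QEMU", domain_name: "debian12" }],
    ["org.libvirt.api.domain.start", "lolo", { connect_driver: "QEMU", domain_name: "other" }],
    ["org.libvirt.api.network.delete", "lolo", { network_name: "default" }],
    ["org.libvirt.api.network.delete", "lolo", { network_name: "isolated" }],
    ["org.libvirt.api.network.delete", "alice", { network_name: "default" }],
  ];
  for (const [id, user, details] of cases) {
    console.log(`${user} ${id} ${JSON.stringify(details)} -> ${authorize(id, user, details)}`);
  }
}
```

Note that the rules never return a result for users other than lolo, so those fall through to polkit's implicit authorization rather than being denied by the file. As the reply points out, none of this takes effect unless both virtqemud and virtnetworkd are configured with `access_drivers = [ "polkit" ]`; otherwise the network checks are handled by a different access driver and the rules file is never consulted for them.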
