From: John Ferlan
To: libvir-list@redhat.com
Date: Mon, 15 Oct 2018 10:26:33 -0400
Message-Id: <20181015142634.26205-2-jferlan@redhat.com>
In-Reply-To: <20181015142634.26205-1-jferlan@redhat.com>
References: <20181015142634.26205-1-jferlan@redhat.com>
Subject: [libvirt] [PATCH 1/2] access: Modify the VIR_ERR_ACCESS_DENIED to include driverName

https://bugzilla.redhat.com/show_bug.cgi?id=1631606

Changes made to manage and utilize a secondary connection driver to APIs
outside the scope of the primary connection driver have resulted in some
confusion processing polkit rules since the simple "access denied" error
message doesn't provide enough of a clue when combined with the
"authentication failed: access denied by policy" as to which connection
driver refused or failed the ACL check.

In order to provide some context, let's modify the existing "access denied"
error returned from the various vir*EnsureACL APIs to provide the connection
driver name that is causing the failure. This should provide the context for
writing the polkit rules that would allow access via the driver.
Signed-off-by: John Ferlan --- src/access/viraccessmanager.c | 25 +++++++++++++------------ src/rpc/gendispatch.pl | 2 +- src/util/virerror.c | 4 ++-- 3 files changed, 16 insertions(+), 15 deletions(-) diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c index e7b5bf38da..1dfff32b9d 100644 --- a/src/access/viraccessmanager.c +++ b/src/access/viraccessmanager.c @@ -196,11 +196,12 @@ static void virAccessManagerDispose(void *object) * should the admin need to debug things */ static int -virAccessManagerSanitizeError(int ret) +virAccessManagerSanitizeError(int ret, + const char *driverName) { if (ret < 0) { virResetLastError(); - virAccessError(VIR_ERR_ACCESS_DENIED, NULL); + virAccessError(VIR_ERR_ACCESS_DENIED, driverName, NULL); } =20 return ret; @@ -217,7 +218,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr ma= nager, if (manager->drv->checkConnect) ret =3D manager->drv->checkConnect(manager, driverName, perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 =20 @@ -233,7 +234,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr man= ager, if (manager->drv->checkDomain) ret =3D manager->drv->checkDomain(manager, driverName, domain, per= m); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckInterface(virAccessManagerPtr manager, @@ -248,7 +249,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr = manager, if (manager->drv->checkInterface) ret =3D manager->drv->checkInterface(manager, driverName, iface, p= erm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckNetwork(virAccessManagerPtr manager, 
@@ -263,7 +264,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr ma= nager, if (manager->drv->checkNetwork) ret =3D manager->drv->checkNetwork(manager, driverName, network, p= erm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager, @@ -278,7 +279,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr= manager, if (manager->drv->checkNodeDevice) ret =3D manager->drv->checkNodeDevice(manager, driverName, nodedev= , perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckNWFilter(virAccessManagerPtr manager, @@ -293,7 +294,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr m= anager, if (manager->drv->checkNWFilter) ret =3D manager->drv->checkNWFilter(manager, driverName, nwfilter,= perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager, @@ -308,7 +309,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManag= erPtr manager, if (manager->drv->checkNWFilterBinding) ret =3D manager->drv->checkNWFilterBinding(manager, driverName, bi= nding, perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckSecret(virAccessManagerPtr manager, @@ -323,7 +324,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr man= ager, if (manager->drv->checkSecret) ret =3D manager->drv->checkSecret(manager, driverName, secret, per= m); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckStoragePool(virAccessManagerPtr manager, 
@@ -338,7 +339,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPt= r manager, if (manager->drv->checkStoragePool) ret =3D manager->drv->checkStoragePool(manager, driverName, pool, = perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } =20 int virAccessManagerCheckStorageVol(virAccessManagerPtr manager, @@ -354,5 +355,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr= manager, if (manager->drv->checkStorageVol) ret =3D manager->drv->checkStorageVol(manager, driverName, pool, v= ol, perm); =20 - return virAccessManagerSanitizeError(ret); + return virAccessManagerSanitizeError(ret, driverName); } diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl index 0c4648c0fb..f599002056 100755 --- a/src/rpc/gendispatch.pl +++ b/src/rpc/gendispatch.pl @@ -2199,7 +2199,7 @@ elsif ($mode eq "client") { print " virObjectUnref(mgr);\n"; if ($action eq "Ensure") { print " if (rv =3D=3D 0)\n"; - print " virReportError(VIR_ERR_ACCESS_D= ENIED, NULL);\n"; + print " virReportError(VIR_ERR_ACCESS_D= ENIED, conn->driver->name, NULL);\n"; print " return $fail;\n"; } else { print " virResetLastError();\n"; diff --git a/src/util/virerror.c b/src/util/virerror.c index 683e51aa19..10f1b55c5f 100644 --- a/src/util/virerror.c +++ b/src/util/virerror.c @@ -1442,9 +1442,9 @@ virErrorMsg(virErrorNumber error, const char *info) break; case VIR_ERR_ACCESS_DENIED: if (info =3D=3D NULL) - errmsg =3D _("access denied"); + errmsg =3D _("access denied from '%s'"); else - errmsg =3D _("access denied: %s"); + errmsg =3D _("access denied from '%s': %s"); break; case VIR_ERR_DBUS_SERVICE: if (info =3D=3D NULL) --=20 2.17.2 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
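Review bot: in the virAccessManagerSanitizeError hunk, driverName is passed as the second argument of virAccessError, which is the printf format slot (the old call passed NULL there to mean "no format"), so the driver name is consumed as a format string and the trailing NULL becomes an unused vararg rather than data for the message. Passing a fixed, translatable format with the name as an argument, e.g. `virAccessError(VIR_ERR_ACCESS_DENIED, _("'%s' denied access"), driverName);`, keeps the name as data, avoids a non-literal format, and removes the need to touch the generic message table in virerror.c. Every caller in this file already has driverName in hand (each check passes it through to the driver callback), so the only remaining case to document is a NULL driverName reaching the format slot.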
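Review bot: the gendispatch.pl hunk generates `virReportError(VIR_ERR_ACCESS_DENIED, conn->driver->name, NULL);`, which has the same shape: conn->driver->name lands in the format position of a function declared with a printf format attribute, so the generated vir*EnsureACL wrappers use a non-literal format and would misformat if a driver name ever contained '%'. Suggest the generator emit `virReportError(VIR_ERR_ACCESS_DENIED, _("'%s' denied access"), conn->driver->name);` so the wrappers report the driver name the same way the viraccessmanager.c path does.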
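Review bot: in the virerror.c hunk the two new messages do not match the arguments virErrorMsg can supply. With info == NULL the message "access denied from '%s'" contains a placeholder but there is no info to fill it; with info != NULL the message "access denied from '%s': %s" expects two strings while virErrorMsg(virErrorNumber error, const char *info) carries exactly one, so the driver name and the detail cannot both be provided through this table. Either keep the original "access denied" / "access denied: %s" pair and have the callers put the driver name into the info string, or document in the commit message where the second argument is expected to come from.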