Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
src/access/genpolkit.pl | 2 +-
src/access/viraccessdriver.h | 6 ++++
src/access/viraccessdrivernop.c | 11 ++++++++
src/access/viraccessdriverpolkit.c | 26 ++++++++++++++++++
src/access/viraccessdriverstack.c | 25 +++++++++++++++++
src/access/viraccessmanager.c | 16 +++++++++++
src/access/viraccessmanager.h | 6 ++++
src/access/viraccessperm.c | 6 ++++
src/access/viraccessperm.h | 44 ++++++++++++++++++++++++++++++
9 files changed, 141 insertions(+), 1 deletion(-)
diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl
index e074c90eb6..f8f20caf65 100755
--- a/src/access/genpolkit.pl
+++ b/src/access/genpolkit.pl
@@ -21,7 +21,7 @@ use strict;
use warnings;
my @objects = (
- "CONNECT", "DOMAIN", "INTERFACE",
+ "CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT",
"NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER",
"SECRET", "STORAGE_POOL", "STORAGE_VOL",
);
diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
index 2cc3950f60..590d86fdf0 100644
--- a/src/access/viraccessdriver.h
+++ b/src/access/viraccessdriver.h
@@ -39,6 +39,11 @@ typedef int (*virAccessDriverCheckNetworkDrv)(virAccessManagerPtr manager,
const char *driverName,
virNetworkDefPtr network,
virAccessPermNetwork av);
+typedef int (*virAccessDriverCheckNetworkPortDrv)(virAccessManagerPtr manager,
+ const char *driverName,
+ virNetworkDefPtr network,
+ virNetworkPortDefPtr port,
+ virAccessPermNetworkPort av);
typedef int (*virAccessDriverCheckNodeDeviceDrv)(virAccessManagerPtr manager,
const char *driverName,
virNodeDeviceDefPtr nodedev,
@@ -82,6 +87,7 @@ struct _virAccessDriver {
virAccessDriverCheckDomainDrv checkDomain;
virAccessDriverCheckInterfaceDrv checkInterface;
virAccessDriverCheckNetworkDrv checkNetwork;
+ virAccessDriverCheckNetworkPortDrv checkNetworkPort;
virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
virAccessDriverCheckNWFilterDrv checkNWFilter;
virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
index 98ef9206c5..5e9d9db759 100644
--- a/src/access/viraccessdrivernop.c
+++ b/src/access/viraccessdrivernop.c
@@ -57,6 +57,16 @@ virAccessDriverNopCheckNetwork(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
return 1; /* Allow */
}
+static int
+virAccessDriverNopCheckNetworkPort(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+ const char *driverName ATTRIBUTE_UNUSED,
+ virNetworkDefPtr network ATTRIBUTE_UNUSED,
+ virNetworkPortDefPtr port ATTRIBUTE_UNUSED,
+ virAccessPermNetworkPort perm ATTRIBUTE_UNUSED)
+{
+ return 1; /* Allow */
+}
+
static int
virAccessDriverNopCheckNodeDevice(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
const char *driverName ATTRIBUTE_UNUSED,
@@ -119,6 +129,7 @@ virAccessDriver accessDriverNop = {
.checkDomain = virAccessDriverNopCheckDomain,
.checkInterface = virAccessDriverNopCheckInterface,
.checkNetwork = virAccessDriverNopCheckNetwork,
+ .checkNetworkPort = virAccessDriverNopCheckNetworkPort,
.checkNodeDevice = virAccessDriverNopCheckNodeDevice,
.checkNWFilter = virAccessDriverNopCheckNWFilter,
.checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 6954d74a15..b1473cd0a4 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -237,6 +237,31 @@ virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
attrs);
}
+static int
+virAccessDriverPolkitCheckNetworkPort(virAccessManagerPtr manager,
+ const char *driverName,
+ virNetworkDefPtr network,
+ virNetworkPortDefPtr port,
+ virAccessPermNetworkPort perm)
+{
+ char uuidstr1[VIR_UUID_STRING_BUFLEN];
+ char uuidstr2[VIR_UUID_STRING_BUFLEN];
+ const char *attrs[] = {
+ "connect_driver", driverName,
+ "network_name", network->name,
+ "network_uuid", uuidstr1,
+ "port_uuid", uuidstr2,
+ NULL,
+ };
+ virUUIDFormat(network->uuid, uuidstr1);
+ virUUIDFormat(port->uuid, uuidstr2);
+
+ return virAccessDriverPolkitCheck(manager,
+ "network-port",
+ virAccessPermNetworkPortTypeToString(perm),
+ attrs);
+}
+
static int
virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName,
@@ -427,6 +452,7 @@ virAccessDriver accessDriverPolkit = {
.checkDomain = virAccessDriverPolkitCheckDomain,
.checkInterface = virAccessDriverPolkitCheckInterface,
.checkNetwork = virAccessDriverPolkitCheckNetwork,
+ .checkNetworkPort = virAccessDriverPolkitCheckNetworkPort,
.checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
.checkNWFilter = virAccessDriverPolkitCheckNWFilter,
.checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,
diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c
index 0ffc6abaf3..238caef115 100644
--- a/src/access/viraccessdriverstack.c
+++ b/src/access/viraccessdriverstack.c
@@ -151,6 +151,30 @@ virAccessDriverStackCheckNetwork(virAccessManagerPtr manager,
return ret;
}
+static int
+virAccessDriverStackCheckNetworkPort(virAccessManagerPtr manager,
+ const char *driverName,
+ virNetworkDefPtr network,
+ virNetworkPortDefPtr port,
+ virAccessPermNetworkPort perm)
+{
+ virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+ int ret = 1;
+ size_t i;
+
+ for (i = 0; i < priv->managersLen; i++) {
+ int rv;
+ /* We do not short-circuit on first denial - always check all drivers */
+ rv = virAccessManagerCheckNetworkPort(priv->managers[i], driverName, network, port, perm);
+ if (rv == 0 && ret != -1)
+ ret = 0;
+ else if (rv < 0)
+ ret = -1;
+ }
+
+ return ret;
+}
+
static int
virAccessDriverStackCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName,
@@ -298,6 +322,7 @@ virAccessDriver accessDriverStack = {
.checkDomain = virAccessDriverStackCheckDomain,
.checkInterface = virAccessDriverStackCheckInterface,
.checkNetwork = virAccessDriverStackCheckNetwork,
+ .checkNetworkPort = virAccessDriverStackCheckNetworkPort,
.checkNodeDevice = virAccessDriverStackCheckNodeDevice,
.checkNWFilter = virAccessDriverStackCheckNWFilter,
.checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index f5d62604cf..24d9713cfd 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -268,6 +268,22 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
return virAccessManagerSanitizeError(ret, driverName);
}
+int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager,
+ const char *driverName,
+ virNetworkDefPtr network,
+ virNetworkPortDefPtr port,
+ virAccessPermNetworkPort perm)
+{
+ int ret = 0;
+ VIR_DEBUG("manager=%p(name=%s) driver=%s network=%p port=%p perm=%d",
+ manager, manager->drv->name, driverName, network, port, perm);
+
+ if (manager->drv->checkNetworkPort)
+ ret = manager->drv->checkNetworkPort(manager, driverName, network, port, perm);
+
+ return virAccessManagerSanitizeError(ret, driverName);
+}
+
int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName,
virNodeDeviceDefPtr nodedev,
diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h
index ab5ef87585..bedd6ba475 100644
--- a/src/access/viraccessmanager.h
+++ b/src/access/viraccessmanager.h
@@ -30,6 +30,7 @@
# include "conf/secret_conf.h"
# include "conf/interface_conf.h"
# include "conf/virnwfilterbindingdef.h"
+# include "conf/virnetworkportdef.h"
# include "access/viraccessperm.h"
typedef struct _virAccessManager virAccessManager;
@@ -66,6 +67,11 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
const char *driverName,
virNetworkDefPtr network,
virAccessPermNetwork perm);
+int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager,
+ const char *driverName,
+ virNetworkDefPtr network,
+ virNetworkPortDefPtr port,
+ virAccessPermNetworkPort perm);
int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
const char *driverName,
virNodeDeviceDefPtr nodedev,
diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c
index 67f751ef9c..74993e9f29 100644
--- a/src/access/viraccessperm.c
+++ b/src/access/viraccessperm.c
@@ -57,6 +57,12 @@ VIR_ENUM_IMPL(virAccessPermNetwork,
VIR_ACCESS_PERM_NETWORK_LAST,
"getattr", "read", "write",
"save", "delete", "start", "stop",
+ "search_ports",
+);
+
+VIR_ENUM_IMPL(virAccessPermNetworkPort,
+ VIR_ACCESS_PERM_NETWORK_PORT_LAST,
+ "getattr", "read", "write", "create", "delete",
);
VIR_ENUM_IMPL(virAccessPermNodeDevice,
diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index ed1f7168ca..0fe618328b 100644
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -405,6 +405,12 @@ typedef enum {
*/
VIR_ACCESS_PERM_NETWORK_START,
+ /**
+ * @desc: List network ports
+ * @message: Listing network ports requires authorization
+ */
+ VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS,
+
/**
* @desc: Stop network
* @message: Stopping network requires authorization
@@ -414,6 +420,43 @@ typedef enum {
VIR_ACCESS_PERM_NETWORK_LAST
} virAccessPermNetwork;
+typedef enum {
+
+ /**
+ * @desc: Access network port
+ * @message: Accessing network port requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_NETWORK_PORT_GETATTR,
+
+ /**
+ * @desc: Read network port
+ * @message: Reading network port configuration requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_NETWORK_PORT_READ,
+
+ /**
+ * @desc: Read network port
+ * @message: Writing network port configuration requires authorization
+ */
+ VIR_ACCESS_PERM_NETWORK_PORT_WRITE,
+
+ /**
+ * @desc: Create network port
+ * @message: Creating network port configuration requires authorization
+ */
+ VIR_ACCESS_PERM_NETWORK_PORT_CREATE,
+
+ /**
+ * @desc: Delete network port
+ * @message: Deleting network port configuration requires authorization
+ */
+ VIR_ACCESS_PERM_NETWORK_PORT_DELETE,
+
+ VIR_ACCESS_PERM_NETWORK_PORT_LAST
+} virAccessPermNetworkPort;
+
typedef enum {
/**
@@ -693,6 +736,7 @@ VIR_ENUM_DECL(virAccessPermConnect);
VIR_ENUM_DECL(virAccessPermDomain);
VIR_ENUM_DECL(virAccessPermInterface);
VIR_ENUM_DECL(virAccessPermNetwork);
+VIR_ENUM_DECL(virAccessPermNetworkPort);
VIR_ENUM_DECL(virAccessPermNodeDevice);
VIR_ENUM_DECL(virAccessPermNWFilter);
VIR_ENUM_DECL(virAccessPermNWFilterBinding);
--
2.21.0
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-listOn 5/14/19 11:48 AM, Daniel P. Berrangé wrote:
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
> src/access/genpolkit.pl | 2 +-
> src/access/viraccessdriver.h | 6 ++++
> src/access/viraccessdrivernop.c | 11 ++++++++
> src/access/viraccessdriverpolkit.c | 26 ++++++++++++++++++
> src/access/viraccessdriverstack.c | 25 +++++++++++++++++
> src/access/viraccessmanager.c | 16 +++++++++++
> src/access/viraccessmanager.h | 6 ++++
> src/access/viraccessperm.c | 6 ++++
> src/access/viraccessperm.h | 44 ++++++++++++++++++++++++++++++
> 9 files changed, 141 insertions(+), 1 deletion(-)
>
> diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl
> index e074c90eb6..f8f20caf65 100755
> --- a/src/access/genpolkit.pl
> +++ b/src/access/genpolkit.pl
> @@ -21,7 +21,7 @@ use strict;
> use warnings;
>
> my @objects = (
> - "CONNECT", "DOMAIN", "INTERFACE",
> + "CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT",
> "NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER",
> "SECRET", "STORAGE_POOL", "STORAGE_VOL",
> );
> diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
> index 2cc3950f60..590d86fdf0 100644
> --- a/src/access/viraccessdriver.h
> +++ b/src/access/viraccessdriver.h
> @@ -39,6 +39,11 @@ typedef int (*virAccessDriverCheckNetworkDrv)(virAccessManagerPtr manager,
> const char *driverName,
> virNetworkDefPtr network,
> virAccessPermNetwork av);
> +typedef int (*virAccessDriverCheckNetworkPortDrv)(virAccessManagerPtr manager,
> + const char *driverName,
> + virNetworkDefPtr network,
> + virNetworkPortDefPtr port,
> + virAccessPermNetworkPort av);
> typedef int (*virAccessDriverCheckNodeDeviceDrv)(virAccessManagerPtr manager,
> const char *driverName,
> virNodeDeviceDefPtr nodedev,
> @@ -82,6 +87,7 @@ struct _virAccessDriver {
> virAccessDriverCheckDomainDrv checkDomain;
> virAccessDriverCheckInterfaceDrv checkInterface;
> virAccessDriverCheckNetworkDrv checkNetwork;
> + virAccessDriverCheckNetworkPortDrv checkNetworkPort;
> virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
> virAccessDriverCheckNWFilterDrv checkNWFilter;
> virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
> diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
> index 98ef9206c5..5e9d9db759 100644
> --- a/src/access/viraccessdrivernop.c
> +++ b/src/access/viraccessdrivernop.c
> @@ -57,6 +57,16 @@ virAccessDriverNopCheckNetwork(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
> return 1; /* Allow */
> }
>
> +static int
> +virAccessDriverNopCheckNetworkPort(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
> + const char *driverName ATTRIBUTE_UNUSED,
> + virNetworkDefPtr network ATTRIBUTE_UNUSED,
> + virNetworkPortDefPtr port ATTRIBUTE_UNUSED,
> + virAccessPermNetworkPort perm ATTRIBUTE_UNUSED)
> +{
> + return 1; /* Allow */
> +}
> +
> static int
> virAccessDriverNopCheckNodeDevice(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
> const char *driverName ATTRIBUTE_UNUSED,
> @@ -119,6 +129,7 @@ virAccessDriver accessDriverNop = {
> .checkDomain = virAccessDriverNopCheckDomain,
> .checkInterface = virAccessDriverNopCheckInterface,
> .checkNetwork = virAccessDriverNopCheckNetwork,
> + .checkNetworkPort = virAccessDriverNopCheckNetworkPort,
> .checkNodeDevice = virAccessDriverNopCheckNodeDevice,
> .checkNWFilter = virAccessDriverNopCheckNWFilter,
> .checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
> diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
> index 6954d74a15..b1473cd0a4 100644
> --- a/src/access/viraccessdriverpolkit.c
> +++ b/src/access/viraccessdriverpolkit.c
> @@ -237,6 +237,31 @@ virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
> attrs);
> }
>
> +static int
> +virAccessDriverPolkitCheckNetworkPort(virAccessManagerPtr manager,
> + const char *driverName,
> + virNetworkDefPtr network,
> + virNetworkPortDefPtr port,
> + virAccessPermNetworkPort perm)
> +{
> + char uuidstr1[VIR_UUID_STRING_BUFLEN];
> + char uuidstr2[VIR_UUID_STRING_BUFLEN];
> + const char *attrs[] = {
> + "connect_driver", driverName,
> + "network_name", network->name,
> + "network_uuid", uuidstr1,
> + "port_uuid", uuidstr2,
> + NULL,
> + };
> + virUUIDFormat(network->uuid, uuidstr1);
> + virUUIDFormat(port->uuid, uuidstr2);
> +
> + return virAccessDriverPolkitCheck(manager,
> + "network-port",
Bah. Most of the other calls to virAccessDriverPolkitCheck with
"typename" that is two words separate it with a "-", but the one for
nwfilter binding uses an underscore :-/ (I only noticed this because
the names of the attributes to check always use underscore, and I've
always been bothered by mixing of - and _ - too bad they don't all use
_, that would allow the same name to be used as a C identifier, and make
searching easier).
Anyway, pointless rant, sorry :-)
I can't claim to have deep knowledge of the access driver, but this
addition follows the pattern of what's already there, so:
Reviewed-by: Laine Stump <laine@laine.org>
--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
© 2016 - 2026 Red Hat, Inc.