From: Daniel P. Berrangé
To: libvir-list@redhat.com
Cc: Laine Stump
Date: Thu, 23 May 2019 16:32:54 +0100
Message-Id: <20190523153302.28526-16-berrange@redhat.com>
In-Reply-To: <20190523153302.28526-1-berrange@redhat.com>
References: <20190523153302.28526-1-berrange@redhat.com>
Subject: [libvirt] [PATCH v6 15/23] access: add permissions for network port objects
Signed-off-by: Daniel P. Berrang=C3=A9 Reviewed-by: Laine Stump --- src/access/genpolkit.pl | 2 +- src/access/viraccessdriver.h | 6 ++++ src/access/viraccessdrivernop.c | 11 ++++++++ src/access/viraccessdriverpolkit.c | 26 ++++++++++++++++++ src/access/viraccessdriverstack.c | 25 +++++++++++++++++ src/access/viraccessmanager.c | 16 +++++++++++ src/access/viraccessmanager.h | 6 ++++ src/access/viraccessperm.c | 6 ++++ src/access/viraccessperm.h | 44 ++++++++++++++++++++++++++++++ 9 files changed, 141 insertions(+), 1 deletion(-) diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl index e074c90eb6..f8f20caf65 100755 --- a/src/access/genpolkit.pl +++ b/src/access/genpolkit.pl @@ -21,7 +21,7 @@ use strict; use warnings; =20 my @objects =3D ( - "CONNECT", "DOMAIN", "INTERFACE", + "CONNECT", "DOMAIN", "INTERFACE", "NETWORK_PORT", "NETWORK","NODE_DEVICE", "NWFILTER_BINDING", "NWFILTER", "SECRET", "STORAGE_POOL", "STORAGE_VOL", ); diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h index 2cc3950f60..590d86fdf0 100644 --- a/src/access/viraccessdriver.h +++ b/src/access/viraccessdriver.h @@ -39,6 +39,11 @@ typedef int (*virAccessDriverCheckNetworkDrv)(virAccessM= anagerPtr manager, const char *driverName, virNetworkDefPtr network, virAccessPermNetwork av); +typedef int (*virAccessDriverCheckNetworkPortDrv)(virAccessManagerPtr mana= ger, + const char *driverName, + virNetworkDefPtr network, + virNetworkPortDefPtr por= t, + virAccessPermNetworkPort= av); typedef int (*virAccessDriverCheckNodeDeviceDrv)(virAccessManagerPtr manag= er, const char *driverName, virNodeDeviceDefPtr noded= ev, 
@@ -82,6 +87,7 @@ struct _virAccessDriver { virAccessDriverCheckDomainDrv checkDomain; virAccessDriverCheckInterfaceDrv checkInterface; virAccessDriverCheckNetworkDrv checkNetwork; + virAccessDriverCheckNetworkPortDrv checkNetworkPort; virAccessDriverCheckNodeDeviceDrv checkNodeDevice; virAccessDriverCheckNWFilterDrv checkNWFilter; virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding; diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdriverno= p.c index 98ef9206c5..5e9d9db759 100644 --- a/src/access/viraccessdrivernop.c +++ b/src/access/viraccessdrivernop.c @@ -57,6 +57,16 @@ virAccessDriverNopCheckNetwork(virAccessManagerPtr manag= er ATTRIBUTE_UNUSED, return 1; /* Allow */ } =20 +static int +virAccessDriverNopCheckNetworkPort(virAccessManagerPtr manager ATTRIBUTE_U= NUSED, + const char *driverName ATTRIBUTE_UNUSED, + virNetworkDefPtr network ATTRIBUTE_UNUS= ED, + virNetworkPortDefPtr port ATTRIBUTE_UNU= SED, + virAccessPermNetworkPort perm ATTRIBUTE= _UNUSED) +{ + return 1; /* Allow */ +} + static int virAccessDriverNopCheckNodeDevice(virAccessManagerPtr manager ATTRIBUTE_UN= USED, const char *driverName ATTRIBUTE_UNUSED, @@ -119,6 +129,7 @@ virAccessDriver accessDriverNop =3D { .checkDomain =3D virAccessDriverNopCheckDomain, .checkInterface =3D virAccessDriverNopCheckInterface, .checkNetwork =3D virAccessDriverNopCheckNetwork, + .checkNetworkPort =3D virAccessDriverNopCheckNetworkPort, .checkNodeDevice =3D virAccessDriverNopCheckNodeDevice, .checkNWFilter =3D virAccessDriverNopCheckNWFilter, .checkNWFilterBinding =3D virAccessDriverNopCheckNWFilterBinding, diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdrive= rpolkit.c index 6954d74a15..b1473cd0a4 100644 --- a/src/access/viraccessdriverpolkit.c +++ b/src/access/viraccessdriverpolkit.c 
@@ -237,6 +237,31 @@ virAccessDriverPolkitCheckNetwork(virAccessManagerPtr = manager, attrs); } =20 +static int +virAccessDriverPolkitCheckNetworkPort(virAccessManagerPtr manager, + const char *driverName, + virNetworkDefPtr network, + virNetworkPortDefPtr port, + virAccessPermNetworkPort perm) +{ + char uuidstr1[VIR_UUID_STRING_BUFLEN]; + char uuidstr2[VIR_UUID_STRING_BUFLEN]; + const char *attrs[] =3D { + "connect_driver", driverName, + "network_name", network->name, + "network_uuid", uuidstr1, + "port_uuid", uuidstr2, + NULL, + }; + virUUIDFormat(network->uuid, uuidstr1); + virUUIDFormat(port->uuid, uuidstr2); + + return virAccessDriverPolkitCheck(manager, + "network-port", + virAccessPermNetworkPortTypeToString= (perm), + attrs); +} + static int virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager, const char *driverName, @@ -427,6 +452,7 @@ virAccessDriver accessDriverPolkit =3D { .checkDomain =3D virAccessDriverPolkitCheckDomain, .checkInterface =3D virAccessDriverPolkitCheckInterface, .checkNetwork =3D virAccessDriverPolkitCheckNetwork, + .checkNetworkPort =3D virAccessDriverPolkitCheckNetworkPort, .checkNodeDevice =3D virAccessDriverPolkitCheckNodeDevice, .checkNWFilter =3D virAccessDriverPolkitCheckNWFilter, .checkNWFilterBinding =3D virAccessDriverPolkitCheckNWFilterBinding, diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriver= stack.c index 0ffc6abaf3..238caef115 100644 --- a/src/access/viraccessdriverstack.c +++ b/src/access/viraccessdriverstack.c 
@@ -151,6 +151,30 @@ virAccessDriverStackCheckNetwork(virAccessManagerPtr m= anager, return ret; } =20 +static int +virAccessDriverStackCheckNetworkPort(virAccessManagerPtr manager, + const char *driverName, + virNetworkDefPtr network, + virNetworkPortDefPtr port, + virAccessPermNetworkPort perm) +{ + virAccessDriverStackPrivatePtr priv =3D virAccessManagerGetPrivateData= (manager); + int ret =3D 1; + size_t i; + + for (i =3D 0; i < priv->managersLen; i++) { + int rv; + /* We do not short-circuit on first denial - always check all driv= ers */ + rv =3D virAccessManagerCheckNetworkPort(priv->managers[i], driverN= ame, network, port, perm); + if (rv =3D=3D 0 && ret !=3D -1) + ret =3D 0; + else if (rv < 0) + ret =3D -1; + } + + return ret; +} + static int virAccessDriverStackCheckNodeDevice(virAccessManagerPtr manager, const char *driverName, @@ -298,6 +322,7 @@ virAccessDriver accessDriverStack =3D { .checkDomain =3D virAccessDriverStackCheckDomain, .checkInterface =3D virAccessDriverStackCheckInterface, .checkNetwork =3D virAccessDriverStackCheckNetwork, + .checkNetworkPort =3D virAccessDriverStackCheckNetworkPort, .checkNodeDevice =3D virAccessDriverStackCheckNodeDevice, .checkNWFilter =3D virAccessDriverStackCheckNWFilter, .checkNWFilterBinding =3D virAccessDriverStackCheckNWFilterBinding, diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c index f5d62604cf..24d9713cfd 100644 --- a/src/access/viraccessmanager.c +++ b/src/access/viraccessmanager.c 
@@ -268,6 +268,22 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr m= anager, return virAccessManagerSanitizeError(ret, driverName); } =20 +int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager, + const char *driverName, + virNetworkDefPtr network, + virNetworkPortDefPtr port, + virAccessPermNetworkPort perm) +{ + int ret =3D 0; + VIR_DEBUG("manager=3D%p(name=3D%s) driver=3D%s network=3D%p port=3D%p = perm=3D%d", + manager, manager->drv->name, driverName, network, port, perm= ); + + if (manager->drv->checkNetworkPort) + ret =3D manager->drv->checkNetworkPort(manager, driverName, networ= k, port, perm); + + return virAccessManagerSanitizeError(ret, driverName); +} + int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager, const char *driverName, virNodeDeviceDefPtr nodedev, diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h index ab5ef87585..bedd6ba475 100644 --- a/src/access/viraccessmanager.h +++ b/src/access/viraccessmanager.h @@ -30,6 +30,7 @@ # include "conf/secret_conf.h" # include "conf/interface_conf.h" # include "conf/virnwfilterbindingdef.h" +# include "conf/virnetworkportdef.h" # include "access/viraccessperm.h" =20 typedef struct _virAccessManager virAccessManager; @@ -66,6 +67,11 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr man= ager, const char *driverName, virNetworkDefPtr network, virAccessPermNetwork perm); +int virAccessManagerCheckNetworkPort(virAccessManagerPtr manager, + const char *driverName, + virNetworkDefPtr network, + virNetworkPortDefPtr port, + virAccessPermNetworkPort perm); int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager, const char *driverName, virNodeDeviceDefPtr nodedev, diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c index 67f751ef9c..74993e9f29 100644 --- a/src/access/viraccessperm.c +++ b/src/access/viraccessperm.c 
@@ -57,6 +57,12 @@ VIR_ENUM_IMPL(virAccessPermNetwork, VIR_ACCESS_PERM_NETWORK_LAST, "getattr", "read", "write", "save", "delete", "start", "stop", + "search_ports", +); + +VIR_ENUM_IMPL(virAccessPermNetworkPort, + VIR_ACCESS_PERM_NETWORK_PORT_LAST, + "getattr", "read", "write", "create", "delete", ); =20 VIR_ENUM_IMPL(virAccessPermNodeDevice, diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h index ed1f7168ca..0fe618328b 100644 --- a/src/access/viraccessperm.h +++ b/src/access/viraccessperm.h @@ -405,6 +405,12 @@ typedef enum { */ VIR_ACCESS_PERM_NETWORK_START, =20 + /** + * @desc: List network ports + * @message: Listing network ports requires authorization + */ + VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS, + /** * @desc: Stop network * @message: Stopping network requires authorization @@ -414,6 +420,43 @@ typedef enum { VIR_ACCESS_PERM_NETWORK_LAST } virAccessPermNetwork; =20 +typedef enum { + + /** + * @desc: Access network port + * @message: Accessing network port requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_NETWORK_PORT_GETATTR, + + /** + * @desc: Read network port + * @message: Reading network port configuration requires authorization + * @anonymous: 1 + */ + VIR_ACCESS_PERM_NETWORK_PORT_READ, + + /** + * @desc: Read network port + * @message: Writing network port configuration requires authorization + */ + VIR_ACCESS_PERM_NETWORK_PORT_WRITE, + + /** + * @desc: Create network port + * @message: Creating network port configuration requires authorization + */ + VIR_ACCESS_PERM_NETWORK_PORT_CREATE, + + /** + * @desc: Delete network port + * @message: Deleting network port configuration requires authorization + */ + VIR_ACCESS_PERM_NETWORK_PORT_DELETE, + + VIR_ACCESS_PERM_NETWORK_PORT_LAST +} virAccessPermNetworkPort; + typedef enum { =20 /** 
@@ -693,6 +736,7 @@ VIR_ENUM_DECL(virAccessPermConnect); VIR_ENUM_DECL(virAccessPermDomain); VIR_ENUM_DECL(virAccessPermInterface); VIR_ENUM_DECL(virAccessPermNetwork); +VIR_ENUM_DECL(virAccessPermNetworkPort); VIR_ENUM_DECL(virAccessPermNodeDevice); VIR_ENUM_DECL(virAccessPermNWFilter); VIR_ENUM_DECL(virAccessPermNWFilterBinding); --=20 2.21.0 -- libvir-list mailing list libvir-list@redhat.com https://www.redhat.com/mailman/listinfo/libvir-list
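Review bot: the two viraccessperm hunks disagree on where the new network permission sits: the viraccessperm.h hunk inserts VIR_ACCESS_PERM_NETWORK_SEARCH_PORTS between VIR_ACCESS_PERM_NETWORK_START and the "Stop network" entry, while the viraccessperm.c hunk appends `"search_ports",` after `"stop",` in the VIR_ENUM_IMPL string table. The table is indexed by enum value, so VIR_ACCESS_PERM_NETWORK_STOP would now resolve to "search_ports" and the new value to "stop", and that string is what the polkit driver passes as the permission name for the check. Either move the new enum value and its doc comment after VIR_ACCESS_PERM_NETWORK_STOP, or place "search_ports" between "start" and "stop" in viraccessperm.c, so the two orders match.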
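Review bot: the doc comment on VIR_ACCESS_PERM_NETWORK_PORT_WRITE in the second viraccessperm.h hunk reads `@desc: Read network port`, copied from the READ entry above it, while its @message says `Writing network port configuration requires authorization`; change it to `@desc: Write network port` so the description matches the permission it documents and the policy text generated from it.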