[libvirt] [PATCH 0/9] Pass identity information between daemons

Daniel P. Berrangé posted 9 patches 4 years, 7 months ago
Test syntax-check passed
Patches applied successfully
git fetch https://github.com/patchew-project/libvirt tags/patchew/20190905115627.11493-1-berrange@redhat.com
Posted by Daniel P. Berrangé 4 years, 7 months ago
This was previously posted as part of the daemon split series:

  https://www.redhat.com/archives/libvir-list/2019-July/msg01754.html

The patches were not merged at the time since they needed more work
which is now done by this series.

This is all about enabling the polkit fine grain auth checks to
work correctly with the split daemons.

A mgmt app running non-root will connect to virtqemud. virtqemud
sees the client identity as the non-root user.  virtqemud in turn
may connect to virtnetworkd, forwarding API calls that the mgmt
app makes. virtnetworkd sees the client identity as the root user.

This series allows virtqemud to pass on the non-root identity of
the mgmt app to virtnetworkd, so that polkit checks are done against
the correct identity.

Daniel P. Berrangé (9):
  api: introduce virConnectSetIdentity for passing uid, gid, selinux
    info
  util: change identity class attribute names
  tests: fix debug messages wrt selinux context when test fails
  util: make generic identity accessors private
  util: removed unused virIdentityIsEqual method
  util: sanitize return values for virIdentity getters
  util: store identity attrs as virTypedParameter internally
  util: allow identity to be imported/exported as typed parameters
  remote: pass identity across to newly opened daemons

 include/libvirt/libvirt-host.h      |  74 +++++
 src/access/viraccessdriverpolkit.c  |  22 +-
 src/admin/admin_server.c            |  52 +--
 src/driver-hypervisor.h             |   7 +
 src/libvirt-host.c                  |  51 +++
 src/libvirt_private.syms            |  21 +-
 src/libvirt_public.syms             |   4 +
 src/libvirt_remote.syms             |   1 +
 src/remote/remote_daemon_dispatch.c | 112 ++++++-
 src/remote/remote_driver.c          |   1 +
 src/remote/remote_protocol.x        |  16 +-
 src/remote_protocol-structs         |   8 +
 src/rpc/virnetserverclient.c        |  20 +-
 src/rpc/virnetserverclient.h        |   2 +
 src/util/viridentity.c              | 488 ++++++++++++++++------------
 src/util/viridentity.h              |  71 ++--
 tests/viridentitytest.c             | 115 ++-----
 tests/virnetserverclienttest.c      |  40 +--
 18 files changed, 672 insertions(+), 433 deletions(-)

-- 
2.21.0
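
The identity mix-up described in the cover letter, as an added C model that is not libvirt code and not part of this series. Every struct and function name is hypothetical, the uid-0 rule stands in for a polkit policy, and the rule that only a root peer may forward an identity is an assumption of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified model: all names are hypothetical, not libvirt's. */
struct identity { uid_t uid; gid_t gid; const char *selinux; };

struct client {
    struct identity peer;      /* read from the socket by the server */
    struct identity forwarded; /* supplied by the peer for its own client */
    bool has_forwarded;
};

/* Stand-in for a polkit rule: only uid 0 may modify networks. */
static bool policy_allows(const struct identity *id) { return id->uid == 0; }

/* Assumption: only a root peer may speak for another identity, otherwise
 * any local user could claim to be root. */
static int client_set_identity(struct client *c, const struct identity *id)
{
    if (c->peer.uid != 0)
        return -1;
    c->forwarded = *id;
    c->has_forwarded = true;
    return 0;
}

/* The network daemon's access check, run against the effective identity. */
static bool network_daemon_check(const struct client *c)
{
    return policy_allows(c->has_forwarded ? &c->forwarded : &c->peer);
}

/* The hypervisor daemon (root) relays a call made by a uid 1000 app. */
static bool relay_check(bool forward_identity)
{
    struct identity app = { 1000, 1000, "unconfined_t" };   /* constructed */
    struct client conn = { .peer = { 0, 0, "virtd_t" } };   /* constructed */

    if (forward_identity && client_set_identity(&conn, &app) < 0)
        return false;
    return network_daemon_check(&conn);
}

int main(void)
{
    printf("peer identity only: allowed=%d\n", relay_check(false));
    printf("identity forwarded: allowed=%d\n", relay_check(true));
    return 0;
}
```

Without forwarding, the check passes because it sees the relaying daemon's root identity. With forwarding, it is evaluated against the uid 1000 caller and denied.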
