[libvirt PATCH 6/9] util: add method for getting the current identity with system token

Daniel P. Berrangé posted 9 patches 4 years, 9 months ago
There is a newer version of this series
Posted by Daniel P. Berrangé 4 years, 9 months ago
The current identity object represents the identity of the application
which initiated the currently executing public API operation. Normally
this is the libvirt client application identity.

There are times when the libvirt daemon has to make extra public API
calls on behalf of the client application. We want these API calls to
still use the client application's identity for ACL checking. At the
same time we need to be able to show that the API call is coming from
the daemon.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
 src/util/viridentity.c | 36 ++++++++++++++++++++++++++++++++++++
 src/util/viridentity.h |  1 +
 2 files changed, 37 insertions(+)

diff --git a/src/util/viridentity.c b/src/util/viridentity.c
index 3b523d7a2d..9fa6ab0dd0 100644
--- a/src/util/viridentity.c
+++ b/src/util/viridentity.c
@@ -123,6 +123,42 @@ virIdentity *virIdentityGetCurrent(void)
 }
 
 
+/**
+ * virIdentityGetCurrentElevated:
+ *
+ * Get a copy of the current identity associated with this thread,
+ * with elevated privileges to allow it to identity a system
+ * initiated operation. The caller will own a reference to the
+ * returned identity, but must not modify the object in any way,
+ * other than to release the reference when done with g_object_unref
+ *
+ * Returns: a reference to the current identity, or NULL
+ */
+virIdentity *virIdentityGetCurrentElevated(void)
+{
+    g_autoptr(virIdentity) ident = virIdentityGetCurrent();
+    const char *token;
+    int rc;
+
+    if (!ident) {
+        return NULL;
+    }
+
+    if ((rc = virIdentityGetSystemToken(ident, &token)) < 0)
+        return NULL;
+
+    if (rc == 0) {
+        g_autoptr(virIdentity) identel = virIdentityNewCopy(ident);
+
+        if (virIdentitySetSystemToken(identel, systemToken) < 0)
+            return NULL;
+
+        return g_steal_pointer(&identel);
+    }
+
+    return g_steal_pointer(&ident);
+}
+
 /**
  * virIdentitySetCurrent:
  *
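Review bot: in the `rc == 0` branch, `virIdentitySetSystemToken(identel, systemToken)` refers to `systemToken`, which is not declared anywhere in this hunk, while the local `token` filled by `virIdentityGetSystemToken(ident, &token)` is never read afterwards. Either `systemToken` is a file-scope variable introduced earlier in the series, in which case `token` is dead and should be dropped, or the local was meant to be the one passed here, in which case this hunk does not compile as posted. Separately, on the `rc > 0` path the identity is returned untouched with whatever token it already carries and nothing here compares that token against the daemon's, so the doc comment should say that callers rely on the token having been validated when it was attached. Two smaller points in the doc comment: "to allow it to identity a system initiated operation" should read "identify", and "Get a copy of the current identity" only holds for the `rc == 0` branch; the other branch returns the current identity itself rather than a copy. Style: the braces around the single-statement `if (!ident) { return NULL; }` do not match the brace-less `if ((rc = virIdentityGetSystemToken(ident, &token)) < 0)` check two lines below.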
diff --git a/src/util/viridentity.h b/src/util/viridentity.h
index 512bca286d..420cd82854 100644
--- a/src/util/viridentity.h
+++ b/src/util/viridentity.h
@@ -28,6 +28,7 @@
 G_DECLARE_FINAL_TYPE(virIdentity, vir_identity, VIR, IDENTITY, GObject);
 
 virIdentity *virIdentityGetCurrent(void);
+virIdentity *virIdentityGetCurrentElevated(void);
 int virIdentitySetCurrent(virIdentity *ident);
 
 virIdentity *virIdentityGetSystem(void);
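Review bot: the new `virIdentityGetCurrentElevated` declaration has no matching entry in src/libvirt_private.syms in this patch, so the symbol is not exported to the daemons that will call it; add it next to the existing `virIdentityGetCurrent` entry there (the reply below raises the same point).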
-- 
2.31.1
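
The commit message describes a pattern rather than an API: the daemon makes a call on behalf of a client, the client's own identity must still drive the ACL decision, and the call must additionally be recognisable as daemon-initiated. The following is an added stand-alone C model of that pattern, not libvirt's code and not its API; the names `identity_t`, `identity_get_current_elevated`, `identity_is_system_initiated`, `acl_allow_privileged_op` and the `system_token` value are invented for this illustration. It goes a step beyond the patch by showing the consuming side too: the elevated copy leaves the client object untouched, and the ACL accepts a token only if it equals the daemon's own, compared in constant time, so a client that merely sets a token of its own gets nothing.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-alone model of the commit message's pattern (not libvirt
 * code): the current identity is the client's; an "elevated" copy also carries
 * the daemon's secret token so an ACL can tell daemon-initiated calls apart. */
#define TOKEN_LEN 32

typedef struct {
    unsigned uid;
    bool has_token;
    char token[TOKEN_LEN];   /* meaningful only when has_token is true */
} identity_t;

/* Constructed daemon secret; a real daemon would draw it from a CSPRNG. */
static const char system_token[TOKEN_LEN] = "constructed-system-token-012345";

/* libvirt keeps this per thread; a single slot is enough for the example. */
static identity_t *current_identity;

/* Constant-time compare so a forged token cannot be guessed byte by byte. */
static bool ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

identity_t *identity_new(unsigned uid)
{
    identity_t *id = calloc(1, sizeof(*id));
    if (id) id->uid = uid;
    return id;
}

identity_t *identity_copy(const identity_t *src)
{
    identity_t *id = malloc(sizeof(*id));
    if (id) *id = *src;
    return id;
}

void identity_set_current(identity_t *id) { current_identity = id; }
const identity_t *identity_get_current(void) { return current_identity; }

/* Like the patch's GetCurrentElevated: a copy of the current identity with the
 * daemon token attached. The client's object is never mutated, so its uid still
 * drives the ACL decision made on its behalf. */
identity_t *identity_get_current_elevated(void)
{
    identity_t *el;
    if (!current_identity || !(el = identity_copy(current_identity)))
        return NULL;
    memcpy(el->token, system_token, TOKEN_LEN);
    el->has_token = true;
    return el;
}

/* Presence of a token is not enough: it must equal the daemon's own token. */
bool identity_is_system_initiated(const identity_t *id)
{
    return id && id->has_token && ct_equal(id->token, system_token, TOKEN_LEN);
}

/* Example policy: root, or a daemon-initiated call, may run a privileged op. */
bool acl_allow_privileged_op(const identity_t *id)
{
    return id && (id->uid == 0 || identity_is_system_initiated(id));
}

/* Exercises plain client, elevated copy and forged token; 1 when all behave. */
int demo(void)
{
    int ok = 1;
    identity_t *client = identity_new(1000), *el, *forged;
    if (!client)
        return 0;
    identity_set_current(client);
    ok &= !acl_allow_privileged_op(identity_get_current());   /* uid 1000: refused */
    el = identity_get_current_elevated();
    ok &= el != NULL && el->uid == 1000 && acl_allow_privileged_op(el);
    ok &= !client->has_token;                                  /* original untouched */
    if ((forged = identity_copy(client))) {
        memset(forged->token, 'A', TOKEN_LEN);                 /* attacker-chosen bytes */
        forged->has_token = true;
        ok &= !acl_allow_privileged_op(forged);                /* refused */
    }
    free(forged);
    free(el);
    identity_set_current(NULL);
    free(client);
    return ok;
}

int main(void)
{
    int ok = demo();
    printf("elevated-identity demo: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The design choice worth carrying back to the patch is that elevation is a copy-and-attach operation and the proof of daemon origin is checked by value at ACL time; if an identity can arrive with a pre-set token from an untrusted source, passing it through unchanged is only safe when the consumer compares it against the daemon's token rather than testing for its presence.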

Re: [libvirt PATCH 6/9] util: add method for getting the current identity with system token
Posted by Michal Prívozník 4 years, 9 months ago
On 5/4/21 7:43 PM, Daniel P. Berrangé wrote:
> The current identity object represents the identity of the application
> which initiated the currently executing public API operation. Normally
> this is the libvirt client application identity.
> 
> There are times when the libvirt daemon has to make extra public API
> calls on behalf of the client application. We want these API calls to
> still use the client application's identity for ACL checking. At the
> same time we need to be able to show that the API call is coming from
> the daemon.
> 
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  src/util/viridentity.c | 36 ++++++++++++++++++++++++++++++++++++
>  src/util/viridentity.h |  1 +
>  2 files changed, 37 insertions(+)

Don't forget to expose the symbol in libvirt_private.syms.

Michal