From: Andrea Bolognani <abologna@redhat.com>
To: devel@lists.libvirt.org
Subject: [libvirt PATCH 5/6] remote: Expose granularPolkit attribute to rules
Date: Mon, 20 Nov 2023 15:49:56 +0100
Message-ID: <20231120144957.13720-6-abologna@redhat.com>
In-Reply-To: <20231120144957.13720-1-abologna@redhat.com>
References: <20231120144957.13720-1-abologna@redhat.com>

This makes it possible to write Polkit rules that won't accidentally
grant undesired privileges to users.

To understand why this is necessary, suppose we wanted to grant user
"fred" full access to the QEMU domain "demo". A JavaScript rule along
the lines of

  polkit.addRule(function(action, subject) {
      // user "fred"
      if (subject.user == "fred") {
          // can authenticate in read/write mode
          if (action.id == "org.libvirt.unix.manage") {
              return polkit.Result.YES;
          }
          // and manage the QEMU domain "demo"
          if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
              action.lookup("connect_driver") == "QEMU" &&
              action.lookup("domain_name") == "demo") {
              return polkit.Result.YES;
          }
      }
  });

would do the trick.
However, suppose that at some point after creating this rule we
disabled the Polkit access control driver and forgot to delete the
file. All of a sudden, allowing "org.libvirt.unix.manage" is no longer
a trivial matter: since the Polkit access driver doesn't broker access
to subsequent API calls anymore, user "fred" now has full
administrative access to all drivers.

Rewriting the check seen above as

  if (action.id == "org.libvirt.unix.manage" &&
      action.lookup("granular") == "true") {
      return polkit.Result.YES;
  }

ensures that this undesired scenario will not happen, by only allowing
"org.libvirt.unix.manage" when the Polkit access driver is enabled.

Signed-off-by: Andrea Bolognani <abologna@redhat.com>
---
 src/remote/remote_daemon_dispatch.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/remote/remote_daemon_dispatch.c b/src/remote/remote_daemon= _dispatch.c index 7daf503b51..2a9ee19cc3 100644 --- a/src/remote/remote_daemon_dispatch.c +++ b/src/remote/remote_daemon_dispatch.c @@ -3975,6 +3975,10 @@ remoteDispatchAuthPolkit(virNetServer *server, uid_t callerUid =3D -1; unsigned long long timestamp; const char *action; + const char *attrs[] =3D { + "granular", virNetServerHasGranularPolkit(server) ? "true" : "fals= e", + NULL, + }; char *ident =3D NULL; struct daemonClientPrivate *priv =3D virNetServerClientGetPrivateData(client); @@ -4009,7 +4013,7 @@ remoteDispatchAuthPolkit(virNetServer *server, callerPid, timestamp, callerUid, - NULL, + attrs, true); if (rv =3D=3D -1) goto authfail;

-- 
2.42.0
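Review bot: the key added in the attrs[] initializer in the first hunk is "granular", while the subject line advertises a "granularPolkit" attribute; pick one spelling and use it in both the code and the commit message, since rule authors will copy whatever the commit text says. The diffstat shows only src/remote/remote_daemon_dispatch.c changing, so the new attribute is not documented anywhere a rules writer would look; add it to the Polkit ACL documentation next to connect_driver and domain_name, stating the exact key and that the value is the string "true" or "false".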
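Review bot: in the second hunk, replacing NULL with attrs attaches "granular" to whichever action id this dispatcher ends up checking (the action variable is set earlier in the same function), not only to org.libvirt.unix.manage as the commit message implies; state in the commit message and documentation which action ids carry the attribute, so rule authors know the same check can be applied to every connection-level action that goes through remoteDispatchAuthPolkit.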
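The two rules from the commit message, evaluated offline so the failure mode can be seen rather than reasoned about. This is an added example, not code from the libvirt patch or from Polkit: the `polkit` object, `makeAction()`, the rule-installing helpers and the `manageResult()`/`domainResult()` drivers are constructed here so the rules can run under Node, the sample action id "org.libvirt.api.domain.start" and its details are constructed inputs, and the "granular" value is supplied by hand to model what `virNetServerHasGranularPolkit(server)` would report. Real Polkit provides the `polkit` global and the `action`/`subject` objects itself.

```javascript
// Constructed stand-in for the Polkit rules API (not Polkit's real engine):
// rules are evaluated in order and the first one that returns a value wins.
const polkit = {
  Result: { YES: "yes", NO: "no", NOT_HANDLED: "not_handled" },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  reset() { this._rules = []; },
  check(action, subject) {
    for (const rule of this._rules) {
      const r = rule(action, subject);
      if (r !== undefined) return r;
    }
    return this.Result.NOT_HANDLED;
  },
};

// Constructed Action object: an id plus lookup() over the key/value details the
// daemon attached to the request (e.g. connect_driver, domain_name, granular).
function makeAction(id, details) {
  return {
    id,
    lookup(key) {
      return Object.prototype.hasOwnProperty.call(details, key) ? details[key] : undefined;
    },
  };
}

// The rule as written in the commit message: "manage" is granted unconditionally
// because the author expects per-API Polkit checks to follow.
function installOriginalRule() {
  polkit.addRule(function (action, subject) {
    if (subject.user == "fred") {
      if (action.id == "org.libvirt.unix.manage") {
        return polkit.Result.YES;
      }
      if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
          action.lookup("connect_driver") == "QEMU" &&
          action.lookup("domain_name") == "demo") {
        return polkit.Result.YES;
      }
    }
  });
}

// The hardened rule: "manage" is granted only when the daemon reports that the
// Polkit access driver is active via the "granular" attribute the patch adds.
function installHardenedRule() {
  polkit.addRule(function (action, subject) {
    if (subject.user == "fred") {
      if (action.id == "org.libvirt.unix.manage" &&
          action.lookup("granular") == "true") {
        return polkit.Result.YES;
      }
      if (action.id.indexOf("org.libvirt.api.domain.") == 0 &&
          action.lookup("connect_driver") == "QEMU" &&
          action.lookup("domain_name") == "demo") {
        return polkit.Result.YES;
      }
    }
  });
}

// Outcome of the connection-level "manage" check for a user. `granularEnabled`
// stands in for virNetServerHasGranularPolkit(server): true while the Polkit
// access driver is on, false once it was disabled but the rule file stayed behind.
function manageResult(installRule, user, granularEnabled) {
  polkit.reset();
  installRule();
  const action = makeAction("org.libvirt.unix.manage",
                            { granular: granularEnabled ? "true" : "false" });
  return polkit.check(action, { user });
}

// Outcome of a per-API domain check; the action id and details are constructed
// sample input for this example.
function domainResult(installRule, user, driver, name) {
  polkit.reset();
  installRule();
  const action = makeAction("org.libvirt.api.domain.start",
                            { connect_driver: driver, domain_name: name });
  return polkit.check(action, { user });
}

// Stand-alone run: the scenario the commit message describes.
if (typeof require !== "undefined" && require.main === module) {
  console.log("original rule, driver disabled:", manageResult(installOriginalRule, "fred", false));
  console.log("hardened rule, driver disabled:", manageResult(installHardenedRule, "fred", false));
  console.log("hardened rule, driver enabled: ", manageResult(installHardenedRule, "fred", true));
}
```

With the driver disabled, the original rule still answers YES to "org.libvirt.unix.manage", which is exactly the case where no per-API check will follow; the hardened rule falls through to NOT_HANDLED there and keeps answering YES only while the daemon reports "granular" as "true". The per-domain branch is unchanged in both rules, so fred's access to "demo" is unaffected by the fix.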