From nobody Wed Nov 5 12:43:56 2025 Delivered-To: importer@patchew.org Received-SPF: pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) client-ip=208.118.235.17; envelope-from=qemu-devel-bounces+importer=patchew.org@nongnu.org; helo=lists.gnu.org; Authentication-Results: mx.zohomail.com; spf=pass (zoho.com: domain of gnu.org designates 208.118.235.17 as permitted sender) smtp.mailfrom=qemu-devel-bounces+importer=patchew.org@nongnu.org; dmarc=fail(p=none dis=none) header.from=redhat.com Return-Path: Received: from lists.gnu.org (lists.gnu.org [208.118.235.17]) by mx.zohomail.com with SMTPS id 1534424776925780.8538920877997; Thu, 16 Aug 2018 06:06:16 -0700 (PDT) Received: from localhost ([::1]:55486 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fqHyh-00089n-L7 for importer@patchew.org; Thu, 16 Aug 2018 09:06:15 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:48609) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1fqHuH-0003V5-DV for qemu-devel@nongnu.org; Thu, 16 Aug 2018 09:01:47 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1fqHuA-0001VS-R1 for qemu-devel@nongnu.org; Thu, 16 Aug 2018 09:01:41 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:34190 helo=mx1.redhat.com) by eggs.gnu.org with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.71) (envelope-from ) id 1fqHuA-0001UU-Hm for qemu-devel@nongnu.org; Thu, 16 Aug 2018 09:01:34 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DC806CFB57; Thu, 16 Aug 2018 13:01:33 +0000 (UTC) Received: from localhost.localdomain.com (ovpn-117-135.ams2.redhat.com [10.36.117.135]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4F1DD2156712; Thu, 16 Aug 2018 13:01:32 +0000 (UTC) From: =?UTF-8?q?Daniel=20P=2E=20Berrang=C3=A9?= To: qemu-devel@nongnu.org Date: Thu, 16 Aug 2018 14:01:13 +0100 Message-Id: <20180816130118.31841-7-berrange@redhat.com> In-Reply-To: <20180816130118.31841-1-berrange@redhat.com> References: <20180816130118.31841-1-berrange@redhat.com> X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 16 Aug 2018 13:01:33 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Thu, 16 Aug 2018 13:01:33 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'berrange@redhat.com' RCPT:'' X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-Received-From: 66.187.233.73 Subject: [Qemu-devel] [PATCH v4 06/11] authz: add QAuthZ object as an authorization base class X-BeenThere: qemu-devel@nongnu.org X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: Markus Armbruster , "Dr. David Alan Gilbert" , Gerd Hoffmann , =?UTF-8?q?Andreas=20F=C3=A4rber?= Errors-To: qemu-devel-bounces+importer=patchew.org@nongnu.org Sender: "Qemu-devel" X-ZohoMail: RDMRC_1 RSF_0 Z_629925259 SPT_0 Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" From: "Daniel P. Berrange" The current qemu_acl module provides a simple access control list facility inside QEMU, which is used via a set of monitor commands acl_show, acl_policy, acl_add, acl_remove & acl_reset. Note there is no ability to create ACLs - the network services (eg VNC server) were expected to create ACLs that they want to check. There is also no way to define ACLs on the command line, nor potentially integrate with external authorization systems like polkit, pam, ldap lookup, etc. The QAuthZ object defines a minimal abstract QOM class that can be subclassed for creating different authorization providers. Signed-off-by: Daniel P. Berrange --- MAINTAINERS | 7 +++ Makefile | 10 ++-- Makefile.objs | 6 +++ Makefile.target | 2 + authz/Makefile.objs | 1 + authz/base.c | 82 +++++++++++++++++++++++++++++++ authz/trace-events | 4 ++ include/authz/base.h | 112 +++++++++++++++++++++++++++++++++++++++++++ 8 files changed, 220 insertions(+), 4 deletions(-) create mode 100644 authz/Makefile.objs create mode 100644 authz/base.c create mode 100644 authz/trace-events create mode 100644 include/authz/base.h diff --git a/MAINTAINERS b/MAINTAINERS index 1284bb3443..999541b7c6 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -1794,6 +1794,13 @@ F: io/ F: include/io/ F: tests/test-io-* =20 +User authorization +M: Daniel P. Berrange +S: Maintained +F: authz/ +F: include/authz/ +F: tests/test-authz-* + Sockets M: Daniel P. Berrange M: Gerd Hoffmann diff --git a/Makefile b/Makefile index 2da686be33..7c414d9918 100644 --- a/Makefile +++ b/Makefile @@ -411,6 +411,7 @@ endif =20 dummy :=3D $(call unnest-vars,, \ stub-obj-y \ + authz-obj-y \ chardev-obj-y \ util-obj-y \ qga-obj-y \ @@ -472,6 +473,7 @@ qemu-options.def: $(SRC_PATH)/qemu-options.hx $(SRC_PAT= H)/scripts/hxtool SUBDIR_RULES=3D$(patsubst %,subdir-%, $(TARGET_DIRS)) SOFTMMU_SUBDIR_RULES=3D$(filter %-softmmu,$(SUBDIR_RULES)) =20 +$(SOFTMMU_SUBDIR_RULES): $(authz-obj-y) $(SOFTMMU_SUBDIR_RULES): $(block-obj-y) $(SOFTMMU_SUBDIR_RULES): $(crypto-obj-y) $(SOFTMMU_SUBDIR_RULES): $(io-obj-y) @@ -534,9 +536,9 @@ COMMON_LDADDS =3D libqemuutil.a =20 qemu-img.o: qemu-img-cmds.h =20 -qemu-img$(EXESUF): qemu-img.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $= (qom-obj-y) $(COMMON_LDADDS) -qemu-nbd$(EXESUF): qemu-nbd.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $= (qom-obj-y) $(COMMON_LDADDS) -qemu-io$(EXESUF): qemu-io.o $(block-obj-y) $(crypto-obj-y) $(io-obj-y) $(q= om-obj-y) $(COMMON_LDADDS) +qemu-img$(EXESUF): qemu-img.o $(authz-obj-y) $(block-obj-y) $(crypto-obj-y= ) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) +qemu-nbd$(EXESUF): qemu-nbd.o $(authz-obj-y) $(block-obj-y) $(crypto-obj-y= ) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) +qemu-io$(EXESUF): qemu-io.o $(authz-obj-y) $(block-obj-y) $(crypto-obj-y) = $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) =20 qemu-bridge-helper$(EXESUF): qemu-bridge-helper.o $(COMMON_LDADDS) =20 @@ -545,7 +547,7 @@ qemu-keymap$(EXESUF): qemu-keymap.o ui/input-keymap.o $= (COMMON_LDADDS) fsdev/virtfs-proxy-helper$(EXESUF): fsdev/virtfs-proxy-helper.o fsdev/9p-m= arshal.o fsdev/9p-iov-marshal.o $(COMMON_LDADDS) fsdev/virtfs-proxy-helper$(EXESUF): LIBS +=3D -lcap =20 -scsi/qemu-pr-helper$(EXESUF): scsi/qemu-pr-helper.o scsi/utils.o $(crypto-= obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) +scsi/qemu-pr-helper$(EXESUF): scsi/qemu-pr-helper.o scsi/utils.o $(authz-o= bj-y) $(crypto-obj-y) $(io-obj-y) $(qom-obj-y) $(COMMON_LDADDS) ifdef CONFIG_MPATH scsi/qemu-pr-helper$(EXESUF): LIBS +=3D -ludev -lmultipath -lmpathpersist endif diff --git a/Makefile.objs b/Makefile.objs index 7a9828da28..42cdb1c1c3 100644 --- a/Makefile.objs +++ b/Makefile.objs @@ -62,6 +62,11 @@ util-obj-y +=3D qapi/qapi-introspect.o =20 chardev-obj-y =3D chardev/ =20 +####################################################################### +# authz-obj-y is code used by both qemu system emulation and qemu-img + +authz-obj-y =3D authz/ + ####################################################################### # block-obj-y is code used by both qemu system emulation and qemu-img =20 @@ -199,6 +204,7 @@ trace-events-subdirs =3D trace-events-subdirs +=3D accel/kvm trace-events-subdirs +=3D accel/tcg trace-events-subdirs +=3D audio +trace-events-subdirs +=3D authz trace-events-subdirs +=3D block trace-events-subdirs +=3D chardev trace-events-subdirs +=3D crypto diff --git a/Makefile.target b/Makefile.target index 4d56298bbf..c08461726d 100644 --- a/Makefile.target +++ b/Makefile.target @@ -172,6 +172,7 @@ include $(SRC_PATH)/Makefile.objs dummy :=3D $(call unnest-vars,,target-obj-y) target-obj-y-save :=3D $(target-obj-y) dummy :=3D $(call unnest-vars,.., \ + authz-obj-y \ block-obj-y \ block-obj-m \ chardev-obj-y \ @@ -185,6 +186,7 @@ target-obj-y :=3D $(target-obj-y-save) all-obj-y +=3D $(common-obj-y) all-obj-y +=3D $(target-obj-y) all-obj-y +=3D $(qom-obj-y) +all-obj-$(CONFIG_SOFTMMU) +=3D $(authz-obj-y) all-obj-$(CONFIG_SOFTMMU) +=3D $(block-obj-y) $(chardev-obj-y) all-obj-$(CONFIG_USER_ONLY) +=3D $(crypto-aes-obj-y) all-obj-$(CONFIG_SOFTMMU) +=3D $(crypto-obj-y) diff --git a/authz/Makefile.objs b/authz/Makefile.objs new file mode 100644 index 0000000000..12597c9528 --- /dev/null +++ b/authz/Makefile.objs @@ -0,0 +1 @@ +authz-obj-y +=3D base.o diff --git a/authz/base.c b/authz/base.c new file mode 100644 index 0000000000..5b15811384 --- /dev/null +++ b/authz/base.c @@ -0,0 +1,82 @@ +/* + * QEMU authorization framework base class + * + * Copyright (c) 2018 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + * + */ + +#include "qemu/osdep.h" +#include "authz/base.h" +#include "authz/trace.h" + +bool qauthz_is_allowed(QAuthZ *authz, + const char *identity, + Error **errp) +{ + QAuthZClass *cls =3D QAUTHZ_GET_CLASS(authz); + bool allowed; + + allowed =3D cls->is_allowed(authz, identity, errp); + trace_qauthz_is_allowed(authz, identity, allowed); + + return allowed; +} + + +bool qauthz_is_allowed_by_id(const char *authzid, + const char *identity, + Error **errp) +{ + QAuthZ *authz; + Object *obj; + Object *container; + + container =3D object_get_objects_root(); + obj =3D object_resolve_path_component(container, + authzid); + if (!obj) { + error_setg(errp, "Cannot find QAuthZ object ID %s", + authzid); + return 0; + } + + if (!object_dynamic_cast(obj, TYPE_QAUTHZ)) { + error_setg(errp, "Object '%s' is not a QAuthZ subclass", + authzid); + return 0; + } + + authz =3D QAUTHZ(obj); + + return qauthz_is_allowed(authz, identity, errp); +} + + +static const TypeInfo authz_info =3D { + .parent =3D TYPE_OBJECT, + .name =3D TYPE_QAUTHZ, + .instance_size =3D sizeof(QAuthZ), + .class_size =3D sizeof(QAuthZClass), + .abstract =3D true, +}; + +static void qauthz_register_types(void) +{ + type_register_static(&authz_info); +} + +type_init(qauthz_register_types) + diff --git a/authz/trace-events b/authz/trace-events new file mode 100644 index 0000000000..481c90f511 --- /dev/null +++ b/authz/trace-events @@ -0,0 +1,4 @@ +# See docs/devel/tracing.txt for syntax documentation. + +# authz/base.c +qauthz_is_allowed(void *authz, const char *identity, bool allowed) "AuthZ = %p check identity=3D%s allowed=3D%d" diff --git a/include/authz/base.h b/include/authz/base.h new file mode 100644 index 0000000000..77dcd54c4c --- /dev/null +++ b/include/authz/base.h @@ -0,0 +1,112 @@ +/* + * QEMU authorization framework base class + * + * Copyright (c) 2018 Red Hat, Inc. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, see . + * + */ + +#ifndef QAUTHZ_BASE_H__ +#define QAUTHZ_BASE_H__ + +#include "qemu-common.h" +#include "qapi/error.h" +#include "qom/object.h" + + +#define TYPE_QAUTHZ "authz" + +#define QAUTHZ_CLASS(klass) \ + OBJECT_CLASS_CHECK(QAuthZClass, (klass), \ + TYPE_QAUTHZ) +#define QAUTHZ_GET_CLASS(obj) \ + OBJECT_GET_CLASS(QAuthZClass, (obj), \ + TYPE_QAUTHZ) +#define QAUTHZ(obj) \ + INTERFACE_CHECK(QAuthZ, (obj), \ + TYPE_QAUTHZ) + +typedef struct QAuthZ QAuthZ; +typedef struct QAuthZClass QAuthZClass; + +/** + * QAuthZ: + * + * The QAuthZ class defines an API contract to be used + * for providing an authorization driver for services + * with user identities. + */ + +struct QAuthZ { + Object parent_obj; +}; + + +struct QAuthZClass { + ObjectClass parent_class; + + bool (*is_allowed)(QAuthZ *authz, + const char *identity, + Error **errp); +}; + + +/** + * qauthz_is_allowed: + * @authz: the authorization object + * @identity: the user identity to authorize + * @errp: pointer to a NULL initialized error object + * + * Check if a user @identity is authorized. If an error + * occurs this method will return false to indicate + * denial, as well as setting @errp to contain the details. + * Callers are recommended to treat the denial and error + * scenarios identically. Specifically the error info in + * @errp should never be fed back to the user being + * authorized, it is merely for benefit of administrator + * debugging. + * + * Returns: true if @identity is authorized, false if denied or if + * an error occurred. + */ +bool qauthz_is_allowed(QAuthZ *authz, + const char *identity, + Error **errp); + + +/** + * qauthz_is_allowed_by_id: + * @authzid: ID of the authorization object + * @identity: the user identity to authorize + * @errp: pointer to a NULL initialized error object + * + * Check if a user @identity is authorized. If an error + * occurs this method will return false to indicate + * denial, as well as setting @errp to contain the details. + * Callers are recommended to treat the denial and error + * scenarios identically. Specifically the error info in + * @errp should never be fed back to the user being + * authorized, it is merely for benefit of administrator + * debugging. + * + * Returns: true if @identity is authorized, false if denied or if + * an error occurred. + */ +bool qauthz_is_allowed_by_id(const char *authzid, + const char *identity, + Error **errp); + +#endif /* QAUTHZ_BASE_H__ */ + --=20 2.17.1