On 19.06.2013 19:00, Daniel P. Berrange wrote:
From: "Daniel P. Berrange" <berrange(a)redhat.com>
This patch introduces the virAccessManagerPtr class as the
interface between virtualization drivers and the access
control drivers. The viraccessperm.h file defines the
various permissions that will be used for each type of object
libvirt manages.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
include/libvirt/virterror.h | 4 +
po/POTFILES.in | 1 +
src/Makefile.am | 16 +
src/access/viraccessdriver.h | 89 ++++++
src/access/viraccessdrivernop.c | 118 +++++++
src/access/viraccessdrivernop.h | 28 ++
src/access/viraccessdriverstack.c | 285 +++++++++++++++++
src/access/viraccessdriverstack.h | 32 ++
src/access/viraccessmanager.c | 339 ++++++++++++++++++++
src/access/viraccessmanager.h | 91 ++++++
src/access/viraccessperm.c | 84 +++++
src/access/viraccessperm.h | 647 ++++++++++++++++++++++++++++++++++++++
src/libvirt.c | 6 +-
src/libvirt_private.syms | 37 +++
src/util/virerror.c | 8 +
15 files changed, 1783 insertions(+), 2 deletions(-)
create mode 100644 src/access/viraccessdriver.h
create mode 100644 src/access/viraccessdrivernop.c
create mode 100644 src/access/viraccessdrivernop.h
create mode 100644 src/access/viraccessdriverstack.c
create mode 100644 src/access/viraccessdriverstack.h
create mode 100644 src/access/viraccessmanager.c
create mode 100644 src/access/viraccessmanager.h
create mode 100644 src/access/viraccessperm.c
create mode 100644 src/access/viraccessperm.h
diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c
new file mode 100644
index 0000000..10c1c9b
--- /dev/null
+++ b/src/access/viraccessdriverstack.c
@@ -0,0 +1,285 @@
+/*
+ * viraccessdriverstack.c: stacked access control driver
+ *
+ * Copyright (C) 2012-2013 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include "viraccessdriverstack.h"
+#include "viralloc.h"
+#include "virerror.h"
+
+#define VIR_FROM_THIS VIR_FROM_ACCESS
+
+typedef struct _virAccessDriverStackPrivate virAccessDriverStackPrivate;
+typedef virAccessDriverStackPrivate *virAccessDriverStackPrivatePtr;
+
+struct _virAccessDriverStackPrivate {
+ virAccessManagerPtr *managers;
+ size_t managersLen;
+};
+
+
+int virAccessDriverStackAppend(virAccessManagerPtr manager,
+ virAccessManagerPtr child)
+{
+ virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+
+ if (VIR_EXPAND_N(priv->managers, priv->managersLen, 1) < 0) {
+ virReportOOMError();
+ return -1;
+ }
+
+ priv->managers[priv->managersLen-1] = child;
+
+ return 0;
+}
+
+
+static void virAccessDriverStackCleanup(virAccessManagerPtr manager)
+{
+ virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+ size_t i;
+
+ for (i = 0; i < priv->managersLen; i++) {
+ virObjectUnref(priv->managers[i]);
+ }
+ VIR_FREE(priv->managers);
+}
+
+
+static int
+virAccessDriverStackCheckConnect(virAccessManagerPtr manager,
+ const char *driverName,
+ virAccessPermConnect perm)
+{
+ virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+ int ret = 1;
+ size_t i;
+
+ for (i = 0; i < priv->managersLen; i++) {
+ int rv;
+ /* We do not short-circuit on first denial - always check all drivers */
+ rv = virAccessManagerCheckConnect(priv->managers[i], driverName, perm);
+ if (rv == 0 && ret != -1)
+ ret = 0;
+ else if (rv == -1)
s/ == -1/ < 0/ here and in others
+ ret = -1;
+ }
+
+ return ret;
+}
+
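Review bot: `int ret = 1;` in virAccessDriverStackCheckConnect makes a stack with no appended managers return 1, which appears to mean "allowed", because the loop body never runs when `priv->managersLen` is 0. If an empty stack is reachable (the callers are not part of the quoted patch), the check fails open; either add `if (priv->managersLen == 0) return 0;` before the loop, assuming 0 is the denial result as the in-loop comment suggests, or document that at least one driver must be appended before any check is made. Separately, virAccessDriverStackAppend stores `child` without taking a reference while virAccessDriverStackCleanup calls `virObjectUnref` on every entry, so the stack silently takes over the caller's reference; a header comment such as `/* Takes ownership of @child on success; the caller must not unref it afterwards. */` would guard against a double unref. The quoted hunk stops after this function, so the remaining check functions of the file are not covered by this note.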
Michal