11:57 a.m.
From: "Daniel P. Berrange" <berrange(a)redhat.com>
Ensure that all APIs which list node device objects filter
them against the access control system.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/conf/node_device_conf.c | 12 +++++++-----
src/conf/node_device_conf.h | 12 ++++++++----
src/node_device/node_device_driver.c | 28 +++++++++++++++++-----------
3 files changed, 32 insertions(+), 20 deletions(-)
diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
index 96742ef..edcfa1f 100644
--- a/src/conf/node_device_conf.c
+++ b/src/conf/node_device_conf.c
@@ -1591,10 +1591,11 @@ virNodeDeviceMatch(virNodeDeviceObjPtr devobj,
#undef MATCH
int
-virNodeDeviceList(virConnectPtr conn,
- virNodeDeviceObjList devobjs,
- virNodeDevicePtr **devices,
- unsigned int flags)
+virNodeDeviceObjListExport(virConnectPtr conn,
+ virNodeDeviceObjList devobjs,
+ virNodeDevicePtr **devices,
+ virNodeDeviceObjListFilter filter,
+ unsigned int flags)
{
virNodeDevicePtr *tmp_devices = NULL;
virNodeDevicePtr device = NULL;
@@ -1612,7 +1613,8 @@ virNodeDeviceList(virConnectPtr conn,
for (i = 0; i < devobjs.count; i++) {
virNodeDeviceObjPtr devobj = devobjs.objs[i];
virNodeDeviceObjLock(devobj);
- if (virNodeDeviceMatch(devobj, flags)) {
+ if ((!filter || filter(conn, devobj->def)) &&
+ virNodeDeviceMatch(devobj, flags)) {
if (devices) {
if (!(device = virGetNodeDevice(conn,
devobj->def->name))) {
diff --git a/src/conf/node_device_conf.h b/src/conf/node_device_conf.h
index ec35da2..1fa61b5 100644
--- a/src/conf/node_device_conf.h
+++ b/src/conf/node_device_conf.h
@@ -280,9 +280,13 @@ void virNodeDeviceObjUnlock(virNodeDeviceObjPtr obj);
VIR_CONNECT_LIST_NODE_DEVICES_CAP_VPORTS | \
VIR_CONNECT_LIST_NODE_DEVICES_CAP_SCSI_GENERIC)
-int virNodeDeviceList(virConnectPtr conn,
- virNodeDeviceObjList devobjs,
- virNodeDevicePtr **devices,
- unsigned int flags);
+typedef bool (*virNodeDeviceObjListFilter)(virConnectPtr conn,
+ virNodeDeviceDefPtr def);
+
+int virNodeDeviceObjListExport(virConnectPtr conn,
+ virNodeDeviceObjList devobjs,
+ virNodeDevicePtr **devices,
+ virNodeDeviceObjListFilter filter,
+ unsigned int flags);
#endif /* __VIR_NODE_DEVICE_CONF_H__ */
diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
index 67e90a1..1512d26 100644
--- a/src/node_device/node_device_driver.c
+++ b/src/node_device/node_device_driver.c
@@ -135,11 +135,13 @@ nodeNumOfDevices(virConnectPtr conn,
nodeDeviceLock(driver);
for (i = 0; i < driver->devs.count; i++) {
- virNodeDeviceObjLock(driver->devs.objs[i]);
- if ((cap == NULL) ||
- virNodeDeviceHasCap(driver->devs.objs[i], cap))
+ virNodeDeviceObjPtr obj = driver->devs.objs[i];
+ virNodeDeviceObjLock(obj);
+ if (virNodeNumOfDevicesCheckACL(conn, obj->def) &&
+ ((cap == NULL) ||
+ virNodeDeviceHasCap(obj, cap)))
++ndevs;
- virNodeDeviceObjUnlock(driver->devs.objs[i]);
+ virNodeDeviceObjUnlock(obj);
}
nodeDeviceUnlock(driver);
@@ -163,15 +165,17 @@ nodeListDevices(virConnectPtr conn,
nodeDeviceLock(driver);
for (i = 0; i < driver->devs.count && ndevs < maxnames; i++) {
- virNodeDeviceObjLock(driver->devs.objs[i]);
- if (cap == NULL ||
- virNodeDeviceHasCap(driver->devs.objs[i], cap)) {
- if (VIR_STRDUP(names[ndevs++], driver->devs.objs[i]->def->name) <
0) {
- virNodeDeviceObjUnlock(driver->devs.objs[i]);
+ virNodeDeviceObjPtr obj = driver->devs.objs[i];
+ virNodeDeviceObjLock(obj);
+ if (virNodeListDevicesCheckACL(conn, obj->def) &&
+ (cap == NULL ||
+ virNodeDeviceHasCap(obj, cap))) {
+ if (VIR_STRDUP(names[ndevs++], obj->def->name) < 0) {
+ virNodeDeviceObjUnlock(obj);
goto failure;
}
}
- virNodeDeviceObjUnlock(driver->devs.objs[i]);
+ virNodeDeviceObjUnlock(obj);
}
nodeDeviceUnlock(driver);
@@ -199,7 +203,9 @@ nodeConnectListAllNodeDevices(virConnectPtr conn,
return -1;
nodeDeviceLock(driver);
- ret = virNodeDeviceList(conn, driver->devs, devices, flags);
+ ret = virNodeDeviceObjListExport(conn, driver->devs, devices,
+ virConnectListAllNodeDevicesCheckACL,
+ flags);
nodeDeviceUnlock(driver);
return ret;
}
--
1.8.1.4