2:32 a.m.
Signed-off-by: Nikolay Shirokovskiy <nshirokovskiy(a)virtuozzo.com>
Signed-off-by: Maxim Nestratov <mnestratov(a)virtuozzo.com>
---
src/access/viraccessdriver.h | 12 ++++
src/access/viraccessdrivernop.c | 19 ++++++
src/access/viraccessdriverpolkit.c | 47 ++++++++++++++
src/access/viraccessdriverstack.c | 49 +++++++++++++++
src/access/viraccessmanager.c | 31 ++++++++++
src/access/viraccessmanager.h | 11 ++++
src/access/viraccessperm.c | 15 ++++-
src/access/viraccessperm.h | 124 +++++++++++++++++++++++++++++++++++++
src/libvirt_private.syms | 6 ++
9 files changed, 313 insertions(+), 1 deletion(-)
diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
index e3050b6..443a26e 100644
--- a/src/access/viraccessdriver.h
+++ b/src/access/viraccessdriver.h
@@ -61,6 +61,16 @@ typedef int (*virAccessDriverCheckStorageVolDrv)(virAccessManagerPtr
manager,
virStorageVolDefPtr vol,
virAccessPermStorageVol av);
+typedef int (*virAccessDriverCheckFSPoolDrv)(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virAccessPermFSPool av);
+typedef int (*virAccessDriverCheckFSItemDrv)(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virFSItemDefPtr item,
+ virAccessPermFSItem av);
+
typedef int (*virAccessDriverSetupDrv)(virAccessManagerPtr manager);
typedef void (*virAccessDriverCleanupDrv)(virAccessManagerPtr manager);
@@ -83,6 +93,8 @@ struct _virAccessDriver {
virAccessDriverCheckSecretDrv checkSecret;
virAccessDriverCheckStoragePoolDrv checkStoragePool;
virAccessDriverCheckStorageVolDrv checkStorageVol;
+ virAccessDriverCheckFSPoolDrv checkFSPool;
+ virAccessDriverCheckFSItemDrv checkFSItem;
};
diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
index 86ceef3..2d53e83 100644
--- a/src/access/viraccessdrivernop.c
+++ b/src/access/viraccessdrivernop.c
@@ -103,7 +103,24 @@ virAccessDriverNopCheckStorageVol(virAccessManagerPtr manager
ATTRIBUTE_UNUSED,
return 1; /* Allow */
}
+static int
+virAccessDriverNopCheckFSPool(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+ const char *driverName ATTRIBUTE_UNUSED,
+ virFSPoolDefPtr fspool ATTRIBUTE_UNUSED,
+ virAccessPermFSPool perm ATTRIBUTE_UNUSED)
+{
+ return 1; /* Allow */
+}
+static int
+virAccessDriverNopCheckFSItem(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+ const char *driverName ATTRIBUTE_UNUSED,
+ virFSPoolDefPtr fspool ATTRIBUTE_UNUSED,
+ virFSItemDefPtr item ATTRIBUTE_UNUSED,
+ virAccessPermFSItem perm ATTRIBUTE_UNUSED)
+{
+ return 1; /* Allow */
+}
virAccessDriver accessDriverNop = {
.name = "none",
.checkConnect = virAccessDriverNopCheckConnect,
@@ -115,4 +132,6 @@ virAccessDriver accessDriverNop = {
.checkSecret = virAccessDriverNopCheckSecret,
.checkStoragePool = virAccessDriverNopCheckStoragePool,
.checkStorageVol = virAccessDriverNopCheckStorageVol,
+ .checkFSPool = virAccessDriverNopCheckFSPool,
+ .checkFSItem = virAccessDriverNopCheckFSItem,
};
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 0d9e0a1..d38680e 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -398,6 +398,50 @@ virAccessDriverPolkitCheckStorageVol(virAccessManagerPtr manager,
virAccessPermStorageVolTypeToString(perm),
attrs);
}
+static int
+virAccessDriverPolkitCheckFSPool(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virAccessPermFSPool perm)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ const char *attrs[] = {
+ "connect_driver", driverName,
+ "fspool_name", fspool->name,
+ "fspool_uuid", uuidstr,
+ NULL,
+ };
+ virUUIDFormat(fspool->uuid, uuidstr);
+
+ return virAccessDriverPolkitCheck(manager,
+ "fs-pool",
+ virAccessPermFSPoolTypeToString(perm),
+ attrs);
+}
+
+static int
+virAccessDriverPolkitCheckFSItem(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virFSItemDefPtr item,
+ virAccessPermFSItem perm)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ const char *attrs[] = {
+ "connect_driver", driverName,
+ "fspool_name", fspool->name,
+ "fspool_uuid", uuidstr,
+ "item_name", item->name,
+ "item_key", item->key,
+ NULL,
+ };
+ virUUIDFormat(fspool->uuid, uuidstr);
+
+ return virAccessDriverPolkitCheck(manager,
+ "fs-item",
+ virAccessPermFSItemTypeToString(perm),
+ attrs);
+}
virAccessDriver accessDriverPolkit = {
.privateDataLen = sizeof(virAccessDriverPolkitPrivate),
@@ -412,4 +456,7 @@ virAccessDriver accessDriverPolkit = {
.checkSecret = virAccessDriverPolkitCheckSecret,
.checkStoragePool = virAccessDriverPolkitCheckStoragePool,
.checkStorageVol = virAccessDriverPolkitCheckStorageVol,
+ .checkFSPool = virAccessDriverPolkitCheckFSPool,
+ .checkFSItem = virAccessDriverPolkitCheckFSItem,
+
};
diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c
index b43a743..eb94b8b 100644
--- a/src/access/viraccessdriverstack.c
+++ b/src/access/viraccessdriverstack.c
@@ -267,6 +267,53 @@ virAccessDriverStackCheckStorageVol(virAccessManagerPtr manager,
return ret;
}
+static int
+virAccessDriverStackCheckFSPool(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virAccessPermFSPool perm)
+{
+ virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+ int ret = 1;
+ size_t i;
+
+ for (i = 0; i < priv->managersLen; i++) {
+ int rv;
+ /* We do not short-circuit on first denial - always check all drivers */
+ rv = virAccessManagerCheckFSPool(priv->managers[i], driverName, fspool,
perm);
+ if (rv == 0 && ret != -1)
+ ret = 0;
+ else if (rv < 0)
+ ret = -1;
+ }
+
+ return ret;
+}
+
+static int
+virAccessDriverStackCheckFSItem(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virFSItemDefPtr item,
+ virAccessPermFSItem perm)
+{
+ virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+ int ret = 1;
+ size_t i;
+
+ for (i = 0; i < priv->managersLen; i++) {
+ int rv;
+ /* We do not short-circuit on first denial - always check all drivers */
+ rv = virAccessManagerCheckFSItem(priv->managers[i], driverName, fspool, item,
perm);
+ if (rv == 0 && ret != -1)
+ ret = 0;
+ else if (rv < 0)
+ ret = -1;
+ }
+
+ return ret;
+}
+
virAccessDriver accessDriverStack = {
.privateDataLen = sizeof(virAccessDriverStackPrivate),
.name = "stack",
@@ -280,4 +327,6 @@ virAccessDriver accessDriverStack = {
.checkSecret = virAccessDriverStackCheckSecret,
.checkStoragePool = virAccessDriverStackCheckStoragePool,
.checkStorageVol = virAccessDriverStackCheckStorageVol,
+ .checkFSPool = virAccessDriverStackCheckFSPool,
+ .checkFSItem = virAccessDriverStackCheckFSItem,
};
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index bcf552b..052779a 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -344,3 +344,34 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
return virAccessManagerSanitizeError(ret);
}
+
+int virAccessManagerCheckFSPool(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virAccessPermFSPool perm)
+{
+ int ret = 0;
+ VIR_DEBUG("manager=%p(name=%s) driver=%s pool=%p perm=%d",
+ manager, manager->drv->name, driverName, fspool, perm);
+
+ if (manager->drv->checkFSPool)
+ ret = manager->drv->checkFSPool(manager, driverName, fspool, perm);
+
+ return virAccessManagerSanitizeError(ret);
+}
+
+int virAccessManagerCheckFSItem(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virFSItemDefPtr item,
+ virAccessPermFSItem perm)
+{
+ int ret = 0;
+ VIR_DEBUG("manager=%p(name=%s) driver=%s pool=%p vol=%p perm=%d",
+ manager, manager->drv->name, driverName, fspool, item, perm);
+
+ if (manager->drv->checkFSItem)
+ ret = manager->drv->checkFSItem(manager, driverName, fspool, item, perm);
+
+ return virAccessManagerSanitizeError(ret);
+}
diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h
index e7eb15d..b9452b5 100644
--- a/src/access/viraccessmanager.h
+++ b/src/access/viraccessmanager.h
@@ -27,6 +27,7 @@
# include "conf/nwfilter_conf.h"
# include "conf/node_device_conf.h"
# include "conf/storage_conf.h"
+# include "conf/fs_conf.h"
# include "conf/secret_conf.h"
# include "conf/interface_conf.h"
# include "access/viraccessperm.h"
@@ -86,6 +87,16 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
virStoragePoolDefPtr pool,
virStorageVolDefPtr vol,
virAccessPermStorageVol perm);
+int virAccessManagerCheckFSPool(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virAccessPermFSPool perm);
+int virAccessManagerCheckFSItem(virAccessManagerPtr manager,
+ const char *driverName,
+ virFSPoolDefPtr fspool,
+ virFSItemDefPtr item,
+ virAccessPermFSItem perm);
+
#endif /* __VIR_ACCESS_MANAGER_H__ */
diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c
index 0f58290..00b8e7d 100644
--- a/src/access/viraccessperm.c
+++ b/src/access/viraccessperm.c
@@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect,
"search_domains", "search_networks",
"search_storage_pools", "search_node_devices",
"search_interfaces", "search_secrets",
- "search_nwfilters",
+ "search_nwfilters", "search_fspools",
"detect_storage_pools", "pm_control",
"interface_transaction");
@@ -83,3 +83,16 @@ VIR_ENUM_IMPL(virAccessPermStorageVol,
"getattr", "read", "create",
"delete",
"format", "resize", "data_read",
"data_write");
+
+VIR_ENUM_IMPL(virAccessPermFSPool,
+ VIR_ACCESS_PERM_FSPOOL_LAST,
+ "getattr", "read", "write",
+ "save", "delete", "start", "stop",
+ "refresh", "search_items",
+ "format");
+
+VIR_ENUM_IMPL(virAccessPermFSItem,
+ VIR_ACCESS_PERM_FSITEM_LAST,
+ "getattr", "read", "create",
"delete",
+ "format", "data_read",
+ "data_write");
diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index 1817da7..d0f69a0 100644
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -67,6 +67,12 @@ typedef enum {
VIR_ACCESS_PERM_CONNECT_SEARCH_STORAGE_POOLS,
/**
+ * @desc: List fs pools
+ * @message: Listing fs pools requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_CONNECT_SEARCH_FSPOOLS,
+ /**
* @desc: List node devices
* @message: Listing node devices requires authorization
* @anonymous: 1
@@ -651,6 +657,122 @@ typedef enum {
VIR_ACCESS_PERM_STORAGE_VOL_LAST
} virAccessPermStorageVol;
+typedef enum {
+
+ /**
+ * @desc: Access fs pool
+ * @message: Accessing fs pool requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_FSPOOL_GETATTR,
+
+ /**
+ * @desc: Read fs pool
+ * @message: Reading fs pool configuration requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_FSPOOL_READ,
+
+ /**
+ * @desc: Write fs pool
+ * @message: Writing fs pool configuration requires authorization
+ */
+ VIR_ACCESS_PERM_FSPOOL_WRITE,
+
+ /**
+ * @desc: Save fs pool
+ * @message: Saving fs pool configuration requires authorization
+ */
+ VIR_ACCESS_PERM_FSPOOL_SAVE,
+
+ /**
+ * @desc: Delete fs pool
+ * @message: Deleting fs pool configuration requires authorization
+ */
+ VIR_ACCESS_PERM_FSPOOL_DELETE,
+
+ /**
+ * @desc: Start fs pool
+ * @message: Starting fs pool configuration requires authorization
+ */
+ VIR_ACCESS_PERM_FSPOOL_START,
+
+ /**
+ * @desc: Stop fs pool
+ * @message: Stopping fs pool configuration requires authorization
+ */
+ VIR_ACCESS_PERM_FSPOOL_STOP,
+
+ /**
+ * @desc: Refresh fs pool
+ * @message: Refreshing fs pool items requires authorization
+ */
+ VIR_ACCESS_PERM_FSPOOL_REFRESH,
+
+ /**
+ * @desc: List fs pool items
+ * @message: Listing fs pool items requires authorization
+ */
+ VIR_ACCESS_PERM_FSPOOL_SEARCH_ITEMS,
+
+ /**
+ * @desc: Format fs pool
+ * @message: Formatting fs pool data requires authorization
+ */
+ VIR_ACCESS_PERM_FSPOOL_FORMAT,
+
+ VIR_ACCESS_PERM_FSPOOL_LAST
+} virAccessPermFSPool;
+
+typedef enum {
+
+ /**
+ * @desc: Access fs item
+ * @message: Acceessing fs item requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_FSITEM_GETATTR,
+
+ /**
+ * @desc: Read fs item
+ * @message: Reading fs item configuration requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_FSITEM_READ,
+
+ /**
+ * @desc: Create fs item
+ * @message: Creating fs item requires authorization
+ */
+ VIR_ACCESS_PERM_FSITEM_CREATE,
+
+ /**
+ * @desc: Delete fs item
+ * @message: Deleting fs item requires authorization
+ */
+ VIR_ACCESS_PERM_FSITEM_DELETE,
+
+ /**
+ * @desc: Format fs item
+ * @message: Formatting fs item data requires authorization
+ */
+ VIR_ACCESS_PERM_FSITEM_FORMAT,
+
+ /**
+ * @desc: Read fs item data
+ * @message: Reading fs item data requires authorization
+ */
+ VIR_ACCESS_PERM_FSITEM_DATA_READ,
+
+ /**
+ * @desc: Write fs item data
+ * @message: Writing fs item data requires authorization
+ */
+ VIR_ACCESS_PERM_FSITEM_DATA_WRITE,
+
+ VIR_ACCESS_PERM_FSITEM_LAST
+} virAccessPermFSItem;
+
VIR_ENUM_DECL(virAccessPermConnect);
VIR_ENUM_DECL(virAccessPermDomain);
VIR_ENUM_DECL(virAccessPermInterface);
@@ -660,5 +782,7 @@ VIR_ENUM_DECL(virAccessPermNWFilter);
VIR_ENUM_DECL(virAccessPermSecret);
VIR_ENUM_DECL(virAccessPermStoragePool);
VIR_ENUM_DECL(virAccessPermStorageVol);
+VIR_ENUM_DECL(virAccessPermFSPool);
+VIR_ENUM_DECL(virAccessPermFSItem);
#endif /* __VIR_ACCESS_PERM_H__ */
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 900818d..308dcc2 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -8,6 +8,8 @@
# access/viraccessmanager.h
virAccessManagerCheckConnect;
virAccessManagerCheckDomain;
+virAccessManagerCheckFSItem;
+virAccessManagerCheckFSPool;
virAccessManagerCheckInterface;
virAccessManagerCheckNetwork;
virAccessManagerCheckNodeDevice;
@@ -26,6 +28,10 @@ virAccessPermConnectTypeFromString;
virAccessPermConnectTypeToString;
virAccessPermDomainTypeFromString;
virAccessPermDomainTypeToString;
+virAccessPermFSItemTypeFromString;
+virAccessPermFSItemTypeToString;
+virAccessPermFSPoolTypeFromString;
+virAccessPermFSPoolTypeToString;
virAccessPermInterfaceTypeFromString;
virAccessPermInterfaceTypeToString;
virAccessPermNetworkTypeFromString;
--
1.8.3.1