This should be applied to libvirt-0.4.0. It is a bit old one, sorry, but this patch is just hooking around. So I think I can merge it to latest libvirt with a little effort. Please note that uid is essential for access control and the uid is available only in a local machine. For this reason, our access control takes effect only in a local machine by virsh. This means that remotely connecting to libvirtd is currently out of scope. diff -r d5dbadfb6161 -r 62d2ebb8d23b configure --- a/configure Wed Apr 02 13:13:06 2008 +0900 +++ b/configure Tue Jan 27 03:13:46 2009 +0900 @@ -35181,7 +35181,12 @@ sysconfdir='/etc' fi - +# Check whether --with-rbac was given. +if test "${with_rbac+set}" = set; then + withval=$with_rbac; +else + with_rbac=no +fi # Check whether --with-xen was given. if test "${with_xen+set}" = set; then @@ -39753,6 +39758,9 @@ test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' DEFS=-DHAVE_CONFIG_H +if test "$with_rbac" = "yes" ; then + DEFS="$DEFS -DRBAC" +fi ac_libobjs= ac_ltlibobjs= @@ -41743,6 +41751,9 @@ { echo "$as_me:$LINENO: polkit: no" >&5 echo "$as_me: polkit: no" >&6;} fi +{ echo "$as_me:$LINENO: RBAC: $with_rbac" >&5 +echo "$as_me: RBAC: $with_rbac" >&6;} + { echo "$as_me:$LINENO: " >&5 echo "$as_me: " >&6;} { echo "$as_me:$LINENO: Miscellaneous" >&5 diff -r d5dbadfb6161 -r 62d2ebb8d23b include/libvirt/libvirt.h --- a/include/libvirt/libvirt.h Wed Apr 02 13:13:06 2008 +0900 +++ b/include/libvirt/libvirt.h Tue Jan 27 03:13:46 2009 +0900 @@ -514,6 +514,11 @@ char * virDomainGetXMLDesc (virDomainPtr domain, int flags); +#ifdef RBAC +char * virDomainGetXMLDesc_XRBAC (int op_id, + virDomainPtr domain, + int flags); +#endif int virDomainBlockStats (virDomainPtr dom, const char *path, virDomainBlockStatsPtr stats, @@ -697,6 +702,11 @@ char **const names, int maxnames); +#ifdef RBAC +int virConnectListNetworks_QEMUD (virConnectPtr conn, + char **const names, + int maxnames); +#endif /* * List inactive networks */ @@ -705,6 +715,11 @@ char **const names, int maxnames); +#ifdef RBAC +int virConnectListDefinedNetworks_QEMUD (virConnectPtr conn, + char **const names, + int maxnames); +#endif /* * Lookup network by name or uuid */ @@ -721,26 +736,43 @@ virNetworkPtr virNetworkCreateXML (virConnectPtr conn, const char *xmlDesc); +#ifdef RBAC +virNetworkPtr virNetworkCreateXML_QEMUD (virConnectPtr conn, + const char *xmlDesc); +#endif /* * Define inactive persistent network */ virNetworkPtr virNetworkDefineXML (virConnectPtr conn, const char *xmlDesc); +#ifdef RBAC +virNetworkPtr virNetworkDefineXML_QEMUD (virConnectPtr conn, + const char *xml); +#endif /* * Delete persistent network */ int virNetworkUndefine (virNetworkPtr network); +#ifdef RBAC +int virNetworkUndefine_QEMUD (virNetworkPtr network); +#endif /* * Activate persistent network */ int virNetworkCreate (virNetworkPtr network); +#ifdef RBAC +int virNetworkCreate_QEMUD (virNetworkPtr network); +#endif /* * Network destroy/free */ int virNetworkDestroy (virNetworkPtr network); +#ifdef RBAC +int virNetworkDestroy_QEMUD (virNetworkPtr network); +#endif int virNetworkFree (virNetworkPtr network); /* @@ -753,12 +785,20 @@ char *buf); char * virNetworkGetXMLDesc (virNetworkPtr network, int flags); +#ifdef RBAC +char * virNetworkGetXMLDesc_QEMUD (virNetworkPtr network, + int flags); +#endif char * virNetworkGetBridgeName (virNetworkPtr network); int virNetworkGetAutostart (virNetworkPtr network, int *autostart); int virNetworkSetAutostart (virNetworkPtr network, int autostart); +#ifdef RBAC +int virNetworkSetAutostart_QEMUD (virNetworkPtr network, + int autostart); +#endif #ifdef __cplusplus } diff -r d5dbadfb6161 -r 62d2ebb8d23b include/libvirt/libvirt.h.in --- a/include/libvirt/libvirt.h.in Wed Apr 02 13:13:06 2008 +0900 +++ b/include/libvirt/libvirt.h.in Tue Jan 27 03:13:46 2009 +0900 @@ -514,6 +514,11 @@ char * virDomainGetXMLDesc (virDomainPtr domain, int flags); +#ifdef RBAC +char * virDomainGetXMLDesc_XRBAC (int op_id, + virDomainPtr domain, + int flags); +#endif int virDomainBlockStats (virDomainPtr dom, const char *path, virDomainBlockStatsPtr stats, @@ -697,6 +702,11 @@ char **const names, int maxnames); +#ifdef RBAC +int virConnectListNetworks_QEMUD (virConnectPtr conn, + char **const names, + int maxnames); +#endif /* * List inactive networks */ @@ -705,6 +715,11 @@ char **const names, int maxnames); +#ifdef RBAC +int virConnectListDefinedNetworks_QEMUD (virConnectPtr conn, + char **const names, + int maxnames); +#endif /* * Lookup network by name or uuid */ @@ -721,26 +736,43 @@ virNetworkPtr virNetworkCreateXML (virConnectPtr conn, const char *xmlDesc); +#ifdef RBAC +virNetworkPtr virNetworkCreateXML_QEMUD (virConnectPtr conn, + const char *xmlDesc); +#endif /* * Define inactive persistent network */ virNetworkPtr virNetworkDefineXML (virConnectPtr conn, const char *xmlDesc); +#ifdef RBAC +virNetworkPtr virNetworkDefineXML_QEMUD (virConnectPtr conn, + const char *xml); +#endif /* * Delete persistent network */ int virNetworkUndefine (virNetworkPtr network); +#ifdef RBAC +int virNetworkUndefine_QEMUD (virNetworkPtr network); +#endif /* * Activate persistent network */ int virNetworkCreate (virNetworkPtr network); +#ifdef RBAC +int virNetworkCreate_QEMUD (virNetworkPtr network); +#endif /* * Network destroy/free */ int virNetworkDestroy (virNetworkPtr network); +#ifdef RBAC +int virNetworkDestroy_QEMUD (virNetworkPtr network); +#endif int virNetworkFree (virNetworkPtr network); /* @@ -753,12 +785,20 @@ char *buf); char * virNetworkGetXMLDesc (virNetworkPtr network, int flags); +#ifdef RBAC +char * virNetworkGetXMLDesc_QEMUD (virNetworkPtr network, + int flags); +#endif char * virNetworkGetBridgeName (virNetworkPtr network); int virNetworkGetAutostart (virNetworkPtr network, int *autostart); int virNetworkSetAutostart (virNetworkPtr network, int autostart); +#ifdef RBAC +int virNetworkSetAutostart_QEMUD (virNetworkPtr network, + int autostart); +#endif #ifdef __cplusplus } diff -r d5dbadfb6161 -r 62d2ebb8d23b include/libvirt/virterror.h --- a/include/libvirt/virterror.h Wed Apr 02 13:13:06 2008 +0900 +++ b/include/libvirt/virterror.h Tue Jan 27 03:13:46 2009 +0900 @@ -54,6 +54,9 @@ VIR_FROM_OPENVZ, /* Error from OpenVZ driver */ VIR_FROM_XENXM, /* Error at Xen XM layer */ VIR_FROM_STATS_LINUX, /* Error in the Linux Stats code */ +#ifdef RBAC + VIR_FROM_XENRBAC, /* Error form Xen RBAC */ +#endif } virErrorDomain; @@ -132,6 +135,9 @@ VIR_ERR_NO_NETWORK, /* network not found */ VIR_ERR_INVALID_MAC, /* invalid MAC adress */ VIR_ERR_AUTH_FAILED, /* authentication failed */ +#ifdef RBAC + VIR_ERR_PERMISSION, /* operation not permitted */ +#endif } virErrorNumber; /** diff -r d5dbadfb6161 -r 62d2ebb8d23b libvirt.pc --- a/libvirt.pc Wed Apr 02 13:13:06 2008 +0900 +++ b/libvirt.pc Tue Jan 27 03:13:46 2009 +0900 @@ -1,4 +1,4 @@ -prefix=/usr +prefix=/usr/local exec_prefix=${prefix} libdir=${exec_prefix}/lib includedir=${prefix}/include diff -r d5dbadfb6161 -r 62d2ebb8d23b libvirt.spec --- a/libvirt.spec Wed Apr 02 13:13:06 2008 +0900 +++ b/libvirt.spec Tue Jan 27 03:13:46 2009 +0900 @@ -1,17 +1,14 @@ # -*- rpm-spec -*- -%if "%{fedora}" >= "8" -%define with_polkit 1 -%define with_proxy no -%else +# For Xen RBAC 20080910 %define with_polkit 0 %define with_proxy yes -%endif +%define with_rbac yes Summary: Library providing a simple API virtualization Name: libvirt Version: 0.4.0 -Release: 1 +Release: 1%{?dist} License: LGPL Group: Development/Libraries Source: libvirt-%{version}.tar.gz @@ -35,6 +32,7 @@ Requires: PolicyKit >= 0.6 %endif BuildRequires: xen-devel +BuildRequires: libxenrbac >= 2.0.0 BuildRequires: libxml2-devel BuildRequires: readline-devel BuildRequires: ncurses-devel @@ -85,7 +83,8 @@ %configure --with-init-script=redhat \ --with-qemud-pid-file=%{_localstatedir}/run/libvirt_qemud.pid \ --with-remote-file=%{_localstatedir}/run/libvirtd.pid \ - --with-xen-proxy=%{with_proxy} + --with-xen-proxy=%{with_proxy} \ + --with-rbac=%{with_rbac} make %install diff -r d5dbadfb6161 -r 62d2ebb8d23b libvirt.spec.in --- a/libvirt.spec.in Wed Apr 02 13:13:06 2008 +0900 +++ b/libvirt.spec.in Tue Jan 27 03:13:46 2009 +0900 @@ -1,17 +1,14 @@ # -*- rpm-spec -*- -%if "%{fedora}" >= "8" -%define with_polkit 1 -%define with_proxy no -%else +# For Xen RBAC 20080910 %define with_polkit 0 %define with_proxy yes -%endif +%define with_rbac yes Summary: Library providing a simple API virtualization Name: libvirt Version: @VERSION@ -Release: 1 +Release: 1%{?dist} License: LGPL Group: Development/Libraries Source: libvirt-%{version}.tar.gz @@ -35,6 +32,7 @@ Requires: PolicyKit >= 0.6 %endif BuildRequires: xen-devel +BuildRequires: libxenrbac >= 2.0.0 BuildRequires: libxml2-devel BuildRequires: readline-devel BuildRequires: ncurses-devel @@ -85,7 +83,8 @@ %configure --with-init-script=redhat \ --with-qemud-pid-file=%{_localstatedir}/run/libvirt_qemud.pid \ --with-remote-file=%{_localstatedir}/run/libvirtd.pid \ - --with-xen-proxy=%{with_proxy} + --with-xen-proxy=%{with_proxy} \ + --with-rbac=%{with_rbac} make %install diff -r d5dbadfb6161 -r 62d2ebb8d23b proxy/libvirt_proxy.c --- a/proxy/libvirt_proxy.c Wed Apr 02 13:13:06 2008 +0900 +++ b/proxy/libvirt_proxy.c Tue Jan 27 03:13:46 2009 +0900 @@ -363,6 +363,9 @@ virProxyPacketPtr req = (virProxyPacketPtr) &request; int ret; char *xml, *ostype; +#ifdef RBAC + char *sched_type; +#endif /* RBAC */ retry: ret = read(pollInfos[nr].fd, req, sizeof(virProxyPacket)); @@ -662,6 +665,28 @@ free(ostype); } break; +#ifdef RBAC + case VIR_PROXY_GET_SCHEDTYPE: + if (req->len != sizeof(virProxyPacket)) + goto comm_error; + sched_type = xenHypervisorGetSchedType(conn, &request.extra.arg[0]); + if (!sched_type) { + req->data.arg = -1; + req->len = sizeof (virProxyPacket); + } else { + int type_len = strlen(sched_type); + if (type_len > (int) sizeof (request.extra.str)) { + req->data.arg = -2; + req->len = sizeof (virProxyPacket); + } else { + req->data.arg = 0; + memmove (&request.extra.str[4], sched_type, type_len); + req->len = sizeof (virProxyPacket) + sizeof(int) + type_len; + } + free (sched_type); + } + break; +#endif /* RBAC */ default: goto comm_error; } diff -r d5dbadfb6161 -r 62d2ebb8d23b qemud/qemud.c --- a/qemud/qemud.c Wed Apr 02 13:13:06 2008 +0900 +++ b/qemud/qemud.c Tue Jan 27 03:13:46 2009 +0900 @@ -73,7 +73,11 @@ static char *tcp_port = (char *) LIBVIRTD_TCP_PORT; static gid_t unix_sock_gid = 0; /* Only root by default */ +#ifdef RBAC +static int unix_sock_rw_mask = 0777; /* Allow world */ +#else static int unix_sock_rw_mask = 0700; /* Allow user only */ +#endif static int unix_sock_ro_mask = 0777; /* Allow world */ #if HAVE_POLKIT diff -r d5dbadfb6161 -r 62d2ebb8d23b qemud/remote.c --- a/qemud/remote.c Wed Apr 02 13:13:06 2008 +0900 +++ b/qemud/remote.c Tue Jan 27 03:13:46 2009 +0900 @@ -1705,9 +1705,15 @@ /* Allocate return buffer. */ ret->names.names_val = calloc (args->maxnames, sizeof (*(ret->names.names_val))); +#ifdef RBAC + ret->names.names_len = + virConnectListDefinedNetworks_QEMUD (client->conn, + ret->names.names_val, args->maxnames); +#else ret->names.names_len = virConnectListDefinedNetworks (client->conn, ret->names.names_val, args->maxnames); +#endif if (ret->names.names_len == -1) return -1; return 0; @@ -1756,9 +1762,15 @@ /* Allocate return buffer. */ ret->names.names_val = calloc (args->maxnames, sizeof (*(ret->names.names_val))); +#ifdef RBAC + ret->names.names_len = + virConnectListNetworks_QEMUD (client->conn, + ret->names.names_val, args->maxnames); +#else ret->names.names_len = virConnectListNetworks (client->conn, ret->names.names_val, args->maxnames); +#endif if (ret->names.names_len == -1) return -1; return 0; @@ -1780,10 +1792,17 @@ return -2; } +#ifdef RBAC + if (virNetworkCreate_QEMUD (net) == -1) { + virNetworkFree(net); + return -1; + } +#else if (virNetworkCreate (net) == -1) { virNetworkFree(net); return -1; } +#endif virNetworkFree(net); return 0; } @@ -1798,7 +1817,11 @@ virNetworkPtr net; CHECK_CONN(client); +#ifdef RBAC + net = virNetworkCreateXML_QEMUD (client->conn, args->xml); +#else net = virNetworkCreateXML (client->conn, args->xml); +#endif if (net == NULL) return -1; make_nonnull_network (&ret->net, net); @@ -1816,7 +1839,11 @@ virNetworkPtr net; CHECK_CONN(client); +#ifdef RBAC + net = virNetworkDefineXML_QEMUD (client->conn, args->xml); +#else net = virNetworkDefineXML (client->conn, args->xml); +#endif if (net == NULL) return -1; make_nonnull_network (&ret->net, net); @@ -1840,10 +1867,17 @@ return -2; } +#ifdef RBAC + if (virNetworkDestroy_QEMUD (net) == -1) { + virNetworkFree(net); + return -1; + } +#else if (virNetworkDestroy (net) == -1) { virNetworkFree(net); return -1; } +#endif virNetworkFree(net); return 0; } @@ -1865,7 +1899,11 @@ } /* remoteDispatchClientRequest will free this. */ +#ifdef RBAC + ret->xml = virNetworkGetXMLDesc_QEMUD (net, args->flags); +#else ret->xml = virNetworkGetXMLDesc (net, args->flags); +#endif if (!ret->xml) { virNetworkFree(net); return -1; @@ -1976,10 +2014,17 @@ return -2; } +#ifdef RBAC + if (virNetworkSetAutostart_QEMUD (net, args->autostart) == -1) { + virNetworkFree(net); + return -1; + } +#else if (virNetworkSetAutostart (net, args->autostart) == -1) { virNetworkFree(net); return -1; } +#endif virNetworkFree(net); return 0; } @@ -2000,10 +2045,17 @@ return -2; } +#ifdef RBAC + if (virNetworkUndefine_QEMUD (net) == -1) { + virNetworkFree(net); + return -1; + } +#else if (virNetworkUndefine (net) == -1) { virNetworkFree(net); return -1; } +#endif virNetworkFree(net); return 0; } diff -r d5dbadfb6161 -r 62d2ebb8d23b src/Makefile.in --- a/src/Makefile.in Wed Apr 02 13:13:06 2008 +0900 +++ b/src/Makefile.in Tue Jan 27 03:13:46 2009 +0900 @@ -122,7 +122,8 @@ libvirt_la-iptables.lo libvirt_la-uuid.lo \ libvirt_la-qemu_driver.lo libvirt_la-qemu_conf.lo \ libvirt_la-openvz_conf.lo libvirt_la-openvz_driver.lo \ - libvirt_la-nodeinfo.lo libvirt_la-util.lo + libvirt_la-nodeinfo.lo libvirt_la-util.lo \ + libvirt_la-xenrbac_libvirt.lo am__objects_2 = libvirt_la-remote_protocol.lo am_libvirt_la_OBJECTS = $(am__objects_1) $(am__objects_2) libvirt_la_OBJECTS = $(am_libvirt_la_OBJECTS) @@ -359,6 +360,7 @@ LIBVIRT_VERSION_NUMBER = @LIBVIRT_VERSION_NUMBER@ LIBXML_CFLAGS = @LIBXML_CFLAGS@ LIBXML_LIBS = @LIBXML_LIBS@ +LIBXENRBAC = -lxenrbac LN_S = @LN_S@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ @@ -569,7 +571,8 @@ openvz_conf.c openvz_conf.h \ openvz_driver.c openvz_driver.h \ nodeinfo.h nodeinfo.c \ - util.c util.h + util.c util.h \ + xenrbac_libvirt.c xenrbac_libvirt.h SERVER_SOURCES = \ ../qemud/remote_protocol.c ../qemud/remote_protocol.h @@ -652,7 +655,7 @@ rm -f "$${dir}/so_locations"; \ done libvirt.la: $(libvirt_la_OBJECTS) $(libvirt_la_DEPENDENCIES) - $(libvirt_la_LINK) -rpath $(libdir) $(libvirt_la_OBJECTS) $(libvirt_la_LIBADD) $(LIBS) + $(libvirt_la_LINK) -rpath $(libdir) $(libvirt_la_OBJECTS) $(libvirt_la_LIBADD) $(LIBS) $(LIBXENRBAC) install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" @@ -683,7 +686,7 @@ done virsh$(EXEEXT): $(virsh_OBJECTS) $(virsh_DEPENDENCIES) @rm -f virsh$(EXEEXT) - $(virsh_LINK) $(virsh_OBJECTS) $(virsh_LDADD) $(LIBS) + $(virsh_LINK) $(virsh_OBJECTS) $(virsh_LDADD) $(LIBS) $(LIBXENRBAC) mostlyclean-compile: -rm -f *.$(OBJEXT) @@ -719,6 +722,8 @@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libvirt_la-xm_internal.Plo(a)am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libvirt_la-xml.Plo(a)am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libvirt_la-xs_internal.Plo(a)am__quote@ +#RBAC +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libvirt_la-xenrbac_libvirt.Plo(a)am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virsh-console.Po(a)am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/virsh-virsh.Po(a)am__quote@ @@ -813,6 +818,13 @@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libvirt_la_CFLAGS) $(CFLAGS) -c -o libvirt_la-xs_internal.lo `test -f 'xs_internal.c' || echo '$(srcdir)/'`xs_internal.c +libvirt_la-xenrbac_libvirt.lo: xenrbac_libvirt.c +@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libvirt_la_CFLAGS) $(CFLAGS) -MT libvirt_la-xenrbac_libvirt.lo -MD -MP -MF $(DEPDIR)/libvirt_la-xenrbac_libvirt.Tpo -c -o libvirt_la-xenrbac_libvirt.lo `test -f 'xenrbac_libvirt.c' || echo '$(srcdir)/'`xenrbac_libvirt.c +@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/libvirt_la-xenrbac_libvirt.Tpo $(DEPDIR)/libvirt_la-xenrbac_libvirt.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='xenrbac_libvirt.c' object='libvirt_la-xenrbac_libvirt.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libvirt_la_CFLAGS) $(CFLAGS) -c -o libvirt_la-xenrbac_libvirt.lo `test -f 'xenrbac_libvirt.c' || echo '$(srcdir)/'`xenrbac_libvirt.c + libvirt_la-xend_internal.lo: xend_internal.c @am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libvirt_la_CFLAGS) $(CFLAGS) -MT libvirt_la-xend_internal.lo -MD -MP -MF $(DEPDIR)/libvirt_la-xend_internal.Tpo -c -o libvirt_la-xend_internal.lo `test -f 'xend_internal.c' || echo '$(srcdir)/'`xend_internal.c @am__fastdepCC_TRUE@ mv -f $(DEPDIR)/libvirt_la-xend_internal.Tpo $(DEPDIR)/libvirt_la-xend_internal.Plo @@ -1181,7 +1193,7 @@ # target to ease building test programs # tst: tst.c - $(CC) $(CFLAGS) $(INCLUDES) -I../include -o tst tst.c .libs/libvirt.a $(LIBXML_LIBS) $(VIRSH_LIBS) $(GNUTLS_LIBS) $(LIBS) + $(CC) $(CFLAGS) $(INCLUDES) -I../include -o tst tst.c .libs/libvirt.a $(LIBXML_LIBS) $(VIRSH_LIBS) $(GNUTLS_LIBS) $(LIBS) $(LIBXENRBAC) cov: clean-cov $(COVERAGE_FILES) diff -r d5dbadfb6161 -r 62d2ebb8d23b src/libvirt.c --- a/src/libvirt.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/libvirt.c Tue Jan 27 03:13:46 2009 +0900 @@ -40,6 +40,9 @@ #ifdef WITH_OPENVZ #include "openvz_driver.h" #endif +#ifdef RBAC +#include "xenrbac_libvirt.h" +#endif /* * TODO: @@ -481,6 +484,11 @@ if (libVer == NULL) return (-1); + +#ifdef RBAC + if(xenRBACdomain( XR_VERSION, NULL, NULL) == -1) + return (-1); +#endif *libVer = LIBVIR_VERSION_NUMBER; if (typeVer != NULL) { @@ -815,6 +823,10 @@ return NULL; } +#ifdef RBAC + if(xenRBACdomain( XR_HOSTNAME, NULL, conn) == -1) + return NULL; +#endif if (conn->driver->getHostname) return conn->driver->getHostname (conn); @@ -849,6 +861,10 @@ return NULL; } +#ifdef RBAC + if(xenRBACdomain( XR_HYPERVISER_URI, NULL, conn) == -1) + return NULL; +#endif /* Drivers may override getURI, but if they don't then * we provide a default implementation. */ @@ -917,6 +933,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_LIST_VM, NULL, conn) == -1) + return (-1); +#endif if (conn->driver->listDomains) return conn->driver->listDomains (conn, ids, maxids); @@ -1006,6 +1026,10 @@ return (NULL); } +#ifdef RBAC + if(xenRBACxml(XR_CREATE_VM, xmlDesc, conn) == -1) + return (NULL); +#endif if (conn->driver->domainCreateLinux) return conn->driver->domainCreateLinux (conn, xmlDesc, flags); @@ -1189,6 +1213,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_DESTROY_VM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainDestroy) return conn->driver->domainDestroy (domain); @@ -1248,6 +1276,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_PAUSE_VM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainSuspend) return conn->driver->domainSuspend (domain); @@ -1282,6 +1314,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_PAUSE_VM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainResume) return conn->driver->domainResume (domain); @@ -1322,6 +1358,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_SAVE_VM, NULL, conn) == -1) + return (-1); +#endif /* * We must absolutize the file path as the save is done out of process * TODO: check for URI when libxml2 is linked in. @@ -1377,6 +1417,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_SAVE_VM, NULL, conn) == -1) + return (-1); +#endif /* * We must absolutize the file path as the restore is done out of process * TODO: check for URI when libxml2 is linked in. @@ -1436,6 +1480,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_DUMP_VM, domain->name, conn) == -1) + return (-1); +#endif /* * We must absolutize the file path as the save is done out of process * TODO: check for URI when libxml2 is linked in. @@ -1493,6 +1541,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_SHUTDOWN_VM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainShutdown) return conn->driver->domainShutdown (domain); @@ -1528,6 +1580,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_REBOOT_VM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainReboot) return conn->driver->domainReboot (domain, flags); @@ -1661,6 +1717,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_LIST_VM, domain->name, conn) == -1) + return (NULL); +#endif if (conn->driver->domainGetOSType) return conn->driver->domainGetOSType (domain); @@ -1734,6 +1794,10 @@ } conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_SET_MEM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainSetMaxMemory) return conn->driver->domainSetMaxMemory (domain, memory); @@ -1778,6 +1842,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_SET_MEM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainSetMemory) return conn->driver->domainSetMemory (domain, memory); @@ -1926,6 +1994,11 @@ return NULL; } conn = domain->conn; /* Source connection. */ + +#ifdef RBAC + if(xenRBACdomain( XR_MIGRATE_VM, domain->name, conn) == -1) + return NULL; +#endif if (!VIR_IS_CONNECT (dconn)) { virLibConnError (conn, VIR_ERR_INVALID_CONN, __FUNCTION__); return NULL; @@ -2150,6 +2223,10 @@ return 0; } +#ifdef RBAC + if(xenRBACdomain( XR_AVAILABLE_MEM, NULL, conn) == -1) + return 0; +#endif if (conn->driver->getFreeMemory) return conn->driver->getFreeMemory (conn); @@ -2179,6 +2256,10 @@ } conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_GET_SCHEDULER, domain->name, conn) == -1) + return NULL; +#endif if (conn->driver->domainGetSchedulerType){ schedtype = conn->driver->domainGetSchedulerType (domain, nparams); return schedtype; @@ -2216,6 +2297,10 @@ } conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_GET_SCHEDULER, domain->name, conn) == -1) + return -1; +#endif if (conn->driver->domainGetSchedulerParameters) return conn->driver->domainGetSchedulerParameters (domain, params, nparams); @@ -2248,6 +2333,10 @@ } conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_SET_SCHEDULER, domain->name, conn) == -1) + return -1; +#endif if (conn->driver->domainSetSchedulerParameters) return conn->driver->domainSetSchedulerParameters (domain, params, nparams); @@ -2297,6 +2386,10 @@ } conn = dom->conn; +#ifdef RBAC + if(xenRBACdomain( XR_LOAD_VM, dom->name, conn) == -1) + return -1; +#endif if (conn->driver->domainBlockStats) { if (conn->driver->domainBlockStats (dom, path, &stats2) == -1) return -1; @@ -2349,6 +2442,10 @@ } conn = dom->conn; +#ifdef RBAC + if(xenRBACdomain( XR_LOAD_VM, dom->name, conn) == -1) + return -1; +#endif if (conn->driver->domainInterfaceStats) { if (conn->driver->domainInterfaceStats (dom, path, &stats2) == -1) return -1; @@ -2396,6 +2493,10 @@ return (NULL); } +#ifdef RBAC + if(xenRBACxml(XR_DEFINE_VM, xml, conn) == -1) + return (NULL); +#endif if (conn->driver->domainDefineXML) return conn->driver->domainDefineXML (conn, xml); @@ -2426,6 +2527,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_UNDEFINE_VM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainUndefine) return conn->driver->domainUndefine (domain); @@ -2483,6 +2588,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_LIST_VM, NULL, conn) == -1) + return (-1); +#endif if (conn->driver->listDefinedDomains) return conn->driver->listDefinedDomains (conn, names, maxnames); @@ -2518,6 +2627,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_START_VM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainCreate) return conn->driver->domainCreate (domain); @@ -2585,6 +2698,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_AUTOSTART_VM, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainSetAutostart) return conn->driver->domainSetAutostart (domain, autostart); @@ -2630,6 +2747,10 @@ } conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_SET_VCPU, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainSetVcpus) return conn->driver->domainSetVcpus (domain, nvcpus); @@ -2682,6 +2803,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_SET_VCPU, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainPinVcpu) return conn->driver->domainPinVcpu (domain, vcpu, cpumap, maplen); @@ -2736,6 +2861,10 @@ conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_GET_VCPU, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainGetVcpus) return conn->driver->domainGetVcpus (domain, info, maxinfo, cpumaps, maplen); @@ -2802,6 +2931,10 @@ } conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_ATTACH_DEVICE, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainAttachDevice) return conn->driver->domainAttachDevice (domain, xml); @@ -2834,6 +2967,10 @@ } conn = domain->conn; +#ifdef RBAC + if(xenRBACdomain( XR_DETACH_DEVICE, domain->name, conn) == -1) + return (-1); +#endif if (conn->driver->domainDetachDevice) return conn->driver->domainDetachDevice (domain, xml); @@ -2876,6 +3013,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_AVAILABLE_MEM, NULL, conn) == -1) + return (-1); +#endif if (conn->driver->nodeGetCellsFreeMemory) return conn->driver->nodeGetCellsFreeMemory (conn, freeMems, startCell, maxCells); @@ -2959,6 +3100,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_LIST_VNET, NULL, conn) == -1) + return (-1); +#endif if (conn->networkDriver && conn->networkDriver->listNetworks) return conn->networkDriver->listNetworks (conn, names, maxnames); @@ -3017,6 +3162,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_LIST_VNET, NULL, conn) == -1) + return (-1); +#endif if (conn->networkDriver && conn->networkDriver->listDefinedNetworks) return conn->networkDriver->listDefinedNetworks (conn, names, maxnames); @@ -3166,6 +3315,10 @@ return (NULL); } +#ifdef RBAC + if(xenRBACdomain( XR_CREATE_VNET, NULL, conn) == -1) + return (NULL); +#endif if (conn->networkDriver && conn->networkDriver->networkCreateXML) return conn->networkDriver->networkCreateXML (conn, xmlDesc); @@ -3200,6 +3353,10 @@ return (NULL); } +#ifdef RBAC + if(xenRBACdomain( XR_DEFINE_VNET, NULL, conn) == -1) + return (NULL); +#endif if (conn->networkDriver && conn->networkDriver->networkDefineXML) return conn->networkDriver->networkDefineXML (conn, xml); @@ -3230,6 +3387,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_DEFINE_VNET, NULL, conn) == -1) + return (-1); +#endif if (conn->networkDriver && conn->networkDriver->networkUndefine) return conn->networkDriver->networkUndefine (network); @@ -3266,6 +3427,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_CREATE_VNET, NULL, conn) == -1) + return (-1); +#endif if (conn->networkDriver && conn->networkDriver->networkCreate) return conn->networkDriver->networkCreate (network); @@ -3302,6 +3467,10 @@ return (-1); } +#ifdef RBAC + if(xenRBACdomain( XR_DESTROY_VNET, NULL, conn) == -1) + return (-1); +#endif if (conn->networkDriver && conn->networkDriver->networkDestroy) return conn->networkDriver->networkDestroy (network); @@ -3441,6 +3610,10 @@ conn = network->conn; +#ifdef RBAC + if(xenRBACdomain( XR_DETAIL_VNET, NULL, conn) == -1) + return (NULL); +#endif if (conn->networkDriver && conn->networkDriver->networkDumpXML) return conn->networkDriver->networkDumpXML (network, flags); @@ -3538,6 +3711,10 @@ conn = network->conn; +#ifdef RBAC + if(xenRBACdomain( XR_AUTOSTART_VNET, NULL, conn) == -1) + return (-1); +#endif if (conn->networkDriver && conn->networkDriver->networkSetAutostart) return conn->networkDriver->networkSetAutostart (network, autostart); @@ -3545,6 +3722,340 @@ return -1; } +#ifdef RBAC +/** + * virDomainGetXMLDesc_XRBAC: + * @op_id: a access ID + * @domain: a domain object + * @flags: an OR'ed set of virDomainXMLFlags + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of error. + * the caller must free() the returned value. + */ +char * +virDomainGetXMLDesc_XRBAC(int op_id, virDomainPtr domain, int flags) +{ + /* parameter Check */ + if( domain == NULL ) { + virLibConnError( domain->conn, VIR_ERR_INTERNAL_ERROR, "domain name"); + return NULL; + } + if( (domain->name == NULL) || (strlen(domain->name) == 0) ){ + virLibConnError( domain->conn, VIR_ERR_INTERNAL_ERROR, "domain name"); + return NULL; + } + + if(xenRBACdomain( op_id, domain->name, domain->conn) == -1) + return NULL; + + return virDomainGetXMLDesc(domain, flags); +} + +/** + * virConnectListNetworks_QEMUD: + * @conn: pointer to the hypervisor connection + * @names: array to collect the list of names of active networks + * @maxnames: size of @names + * + * Collect the list of active networks, and store their names in @names + * + * Returns the number of networks found or -1 in case of error + */ +int +virConnectListNetworks_QEMUD(virConnectPtr conn, char **const names, int maxnames) +{ + DEBUG("conn=%p, names=%p, maxnames=%d", conn, names, maxnames); + + if (!VIR_IS_CONNECT(conn)) { + virLibConnError(NULL, VIR_ERR_INVALID_CONN, __FUNCTION__); + return (-1); + } + + if ((names == NULL) || (maxnames < 0)) { + virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__); + return (-1); + } + + if (conn->networkDriver && conn->networkDriver->listNetworks) + return conn->networkDriver->listNetworks (conn, names, maxnames); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return -1; +} + +/** + * virConnectListDefinedNetworks_QEMUD: + * @conn: pointer to the hypervisor connection + * @names: pointer to an array to store the names + * @maxnames: size of the array + * + * list the inactive networks, stores the pointers to the names in @names + * + * Returns the number of names provided in the array or -1 in case of error + */ +int +virConnectListDefinedNetworks_QEMUD(virConnectPtr conn, char **const names, + int maxnames) +{ + DEBUG("conn=%p, names=%p, maxnames=%d", conn, names, maxnames); + + if (!VIR_IS_CONNECT(conn)) { + virLibConnError(NULL, VIR_ERR_INVALID_CONN, __FUNCTION__); + return (-1); + } + + if ((names == NULL) || (maxnames < 0)) { + virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__); + return (-1); + } + + if (conn->networkDriver && conn->networkDriver->listDefinedNetworks) + return conn->networkDriver->listDefinedNetworks (conn, + names, maxnames); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return -1; +} + +/** + * virNetworkCreateXML_QEMUD: + * @conn: pointer to the hypervisor connection + * @xmlDesc: an XML description of the network + * + * Create and start a new virtual network, based on an XML description + * similar to the one returned by virNetworkGetXMLDesc() + * + * Returns a new network object or NULL in case of failure + */ +virNetworkPtr +virNetworkCreateXML_QEMUD(virConnectPtr conn, const char *xmlDesc) +{ + DEBUG("conn=%p, xmlDesc=%s", conn, xmlDesc); + + if (!VIR_IS_CONNECT(conn)) { + virLibConnError(NULL, VIR_ERR_INVALID_CONN, __FUNCTION__); + return (NULL); + } + if (xmlDesc == NULL) { + virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__); + return (NULL); + } + if (conn->flags & VIR_CONNECT_RO) { + virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); + return (NULL); + } + + if (conn->networkDriver && conn->networkDriver->networkCreateXML) + return conn->networkDriver->networkCreateXML (conn, xmlDesc); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return NULL; +} + +/** + * virNetworkDefineXML_QEMUD: + * @conn: pointer to the hypervisor connection + * @xml: the XML description for the network, preferably in UTF-8 + * + * Define a network, but does not create it + * + * Returns NULL in case of error, a pointer to the network otherwise + */ +virNetworkPtr +virNetworkDefineXML_QEMUD(virConnectPtr conn, const char *xml) +{ + DEBUG("conn=%p, xml=%s", conn, xml); + + if (!VIR_IS_CONNECT(conn)) { + virLibConnError(NULL, VIR_ERR_INVALID_CONN, __FUNCTION__); + return (NULL); + } + if (conn->flags & VIR_CONNECT_RO) { + virLibConnError(conn, VIR_ERR_OPERATION_DENIED, __FUNCTION__); + return (NULL); + } + if (xml == NULL) { + virLibConnError(conn, VIR_ERR_INVALID_ARG, __FUNCTION__); + return (NULL); + } + + if (conn->networkDriver && conn->networkDriver->networkDefineXML) + return conn->networkDriver->networkDefineXML (conn, xml); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return NULL; +} + +/** + * virNetworkUndefine_QEMUD: + * @network: pointer to a defined network + * + * Undefine a network but does not stop it if it is running + * + * Returns 0 in case of success, -1 in case of error + */ +int +virNetworkUndefine_QEMUD(virNetworkPtr network) { + virConnectPtr conn; + DEBUG("network=%p", network); + + if (!VIR_IS_CONNECTED_NETWORK(network)) { + virLibNetworkError(NULL, VIR_ERR_INVALID_NETWORK, __FUNCTION__); + return (-1); + } + conn = network->conn; + if (conn->flags & VIR_CONNECT_RO) { + virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__); + return (-1); + } + + if (conn->networkDriver && conn->networkDriver->networkUndefine) + return conn->networkDriver->networkUndefine (network); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return -1; +} + +/** + * virNetworkCreate_QEMUD: + * @network: pointer to a defined network + * + * Create and start a defined network. If the call succeed the network + * moves from the defined to the running networks pools. + * + * Returns 0 in case of success, -1 in case of error + */ +int +virNetworkCreate_QEMUD(virNetworkPtr network) +{ + virConnectPtr conn; + DEBUG("network=%p", network); + + if (network == NULL) { + TODO + return (-1); + } + if (!VIR_IS_CONNECTED_NETWORK(network)) { + virLibNetworkError(NULL, VIR_ERR_INVALID_NETWORK, __FUNCTION__); + return (-1); + } + conn = network->conn; + if (conn->flags & VIR_CONNECT_RO) { + virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__); + return (-1); + } + + if (conn->networkDriver && conn->networkDriver->networkCreate) + return conn->networkDriver->networkCreate (network); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return -1; +} + +/** + * virNetworkDestroy_QEMUD: + * @network: a network object + * + * Destroy the network object. The running instance is shutdown if not down + * already and all resources used by it are given back to the hypervisor. + * The data structure is freed and should not be used thereafter if the + * call does not return an error. + * This function may requires priviledged access + * + * Returns 0 in case of success and -1 in case of failure. + */ +int +virNetworkDestroy_QEMUD(virNetworkPtr network) +{ + virConnectPtr conn; + DEBUG("network=%p", network); + + if (!VIR_IS_CONNECTED_NETWORK(network)) { + virLibNetworkError(NULL, VIR_ERR_INVALID_NETWORK, __FUNCTION__); + return (-1); + } + + conn = network->conn; + if (conn->flags & VIR_CONNECT_RO) { + virLibNetworkError(network, VIR_ERR_OPERATION_DENIED, __FUNCTION__); + return (-1); + } + + if (conn->networkDriver && conn->networkDriver->networkDestroy) + return conn->networkDriver->networkDestroy (network); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return -1; +} + +/** + * virNetworkGetXMLDesc_QEMUD: + * @network: a network object + * @flags: and OR'ed set of extraction flags, not used yet + * + * Provide an XML description of the network. The description may be reused + * later to relaunch the network with virNetworkCreateXML(). + * + * Returns a 0 terminated UTF-8 encoded XML instance, or NULL in case of error. + * the caller must free() the returned value. + */ +char * +virNetworkGetXMLDesc_QEMUD(virNetworkPtr network, int flags) +{ + virConnectPtr conn; + DEBUG("network=%p, flags=%d", network, flags); + + if (!VIR_IS_NETWORK(network)) { + virLibNetworkError(NULL, VIR_ERR_INVALID_NETWORK, __FUNCTION__); + return (NULL); + } + if (flags != 0) { + virLibNetworkError(network, VIR_ERR_INVALID_ARG, __FUNCTION__); + return (NULL); + } + + conn = network->conn; + + if (conn->networkDriver && conn->networkDriver->networkDumpXML) + return conn->networkDriver->networkDumpXML (network, flags); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return NULL; +} + +/** + * virNetworkSetAutostart_QEMUD: + * @network: a network object + * @autostart: whether the network should be automatically started 0 or 1 + * + * Configure the network to be automatically started + * when the host machine boots. + * + * Returns -1 in case of error, 0 in case of success + */ +int +virNetworkSetAutostart_QEMUD(virNetworkPtr network, + int autostart) +{ + virConnectPtr conn; + DEBUG("network=%p, autostart=%d", network, autostart); + + if (!VIR_IS_NETWORK(network)) { + virLibNetworkError(NULL, VIR_ERR_INVALID_NETWORK, __FUNCTION__); + return (-1); + } + + conn = network->conn; + + if (conn->networkDriver && conn->networkDriver->networkSetAutostart) + return conn->networkDriver->networkSetAutostart (network, autostart); + + virLibConnError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); + return -1; +} +#endif + + /* * vim: set tabstop=4: * vim: set shiftwidth=4: diff -r d5dbadfb6161 -r 62d2ebb8d23b src/libvirt_sym.version --- a/src/libvirt_sym.version Wed Apr 02 13:13:06 2008 +0900 +++ b/src/libvirt_sym.version Tue Jan 27 03:13:46 2009 +0900 @@ -28,6 +28,7 @@ virDomainGetName; virDomainGetOSType; virDomainGetXMLDesc; + virDomainGetXMLDesc_XRBAC; virDomainLookupByID; virDomainLookupByName; virDomainLookupByUUID; @@ -99,6 +100,15 @@ virNetworkGetBridgeName; virNetworkGetAutostart; virNetworkSetAutostart; + virConnectListNetworks_QEMUD; + virConnectListDefinedNetworks_QEMUD; + virNetworkCreateXML_QEMUD; + virNetworkDefineXML_QEMUD; + virNetworkUndefine_QEMUD; + virNetworkCreate_QEMUD; + virNetworkDestroy_QEMUD; + virNetworkGetXMLDesc_QEMUD; + virNetworkSetAutostart_QEMUD; /* Symbols with __ are private only for use by the libvirtd daemon. diff -r d5dbadfb6161 -r 62d2ebb8d23b src/proxy_internal.c --- a/src/proxy_internal.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/proxy_internal.c Tue Jan 27 03:13:46 2009 +0900 @@ -42,6 +42,9 @@ static unsigned long xenProxyDomainGetMaxMemory(virDomainPtr domain); static int xenProxyDomainGetInfo(virDomainPtr domain, virDomainInfoPtr info); static char *xenProxyDomainGetOSType(virDomainPtr domain); +#ifdef RBAC +static char *xenProxyGetSchedulerType(virDomainPtr domain, int *nparams); +#endif struct xenUnifiedDriver xenProxyDriver = { xenProxyOpen, /* open */ @@ -80,7 +83,11 @@ NULL, /* domainDetachDevice */ NULL, /* domainGetAutostart */ NULL, /* domainSetAutostart */ +#ifdef RBAC + xenProxyGetSchedulerType, /* domainGetInfo */ +#else NULL, /* domainGetSchedulerType */ +#endif NULL, /* domainGetSchedulerParameters */ NULL, /* domainSetSchedulerParameters */ }; @@ -533,9 +540,11 @@ int ret; int fd; xenUnifiedPrivatePtr priv; - + +#ifndef RBAC if (!(flags & VIR_CONNECT_RO)) return(-1); +#endif priv = (xenUnifiedPrivatePtr) conn->privateData; priv->proxy = -1; @@ -1113,6 +1122,54 @@ return(ostype); } +#ifdef RBAC +static char * +xenProxyGetSchedulerType(virDomainPtr domain, int *nparams) +{ + virProxyPacket req; + virProxyFullPacket ans; + int ret, type_len; + char *sched_type; + + if (!VIR_IS_CONNECTED_DOMAIN(domain)) { + if (domain == NULL) + virProxyError(NULL, VIR_ERR_INVALID_DOMAIN, __FUNCTION__); + else + virProxyError(domain->conn, VIR_ERR_INVALID_DOMAIN, __FUNCTION__); + return NULL; + } + if (domain->id < 0) + return NULL; + + memset(&req, 0, sizeof(req)); + req.command = VIR_PROXY_GET_SCHEDTYPE; + req.len = sizeof(req); + ret = xenProxyCommand(domain->conn, &req, &ans, 0); + if (ret < 0) { + xenProxyClose(domain->conn); + return NULL; + } + if (ans.data.arg == -1) + return NULL; + if (ans.len <= sizeof(virProxyPacket)) { + virProxyError(domain->conn, VIR_ERR_OPERATION_FAILED, __FUNCTION__); + return NULL; + } + + type_len = ans.len - sizeof (virProxyPacket) - sizeof(int); + sched_type = malloc (type_len + 1); + if (!sched_type) { + virProxyError (domain->conn, VIR_ERR_NO_MEMORY, __FUNCTION__); + return NULL; + } + + *nparams = ans.extra.arg[0]; + memmove (sched_type, &ans.extra.str[4], type_len); + sched_type[type_len] = '\0'; + + return sched_type; +} +#endif #endif /* WITH_XEN */ /* diff -r d5dbadfb6161 -r 62d2ebb8d23b src/proxy_internal.h --- a/src/proxy_internal.h Wed Apr 02 13:13:06 2008 +0900 +++ b/src/proxy_internal.h Tue Jan 27 03:13:46 2009 +0900 @@ -37,7 +37,12 @@ VIR_PROXY_DOMAIN_INFO = 9, VIR_PROXY_DOMAIN_XML = 10, VIR_PROXY_DOMAIN_OSTYPE = 11, +#ifdef RBAC + VIR_PROXY_GET_CAPABILITIES = 12, + VIR_PROXY_GET_SCHEDTYPE = 13 +#else VIR_PROXY_GET_CAPABILITIES = 12 +#endif } virProxyCommand; /* diff -r d5dbadfb6161 -r 62d2ebb8d23b src/remote_internal.c --- a/src/remote_internal.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/remote_internal.c Tue Jan 27 03:13:46 2009 +0900 @@ -677,7 +677,7 @@ cmd_argv[j++] = strdup (sockname ? sockname : LIBVIRTD_PRIV_UNIX_SOCKET); cmd_argv[j++] = 0; assert (j == nr_args); - for (j = 0; j < nr_args; j++) + for (j = 0; j < (nr_args-1); j++) if (cmd_argv[j] == NULL) { error (conn, VIR_ERR_SYSTEM_ERROR, strerror (ENOMEM)); goto failed; diff -r d5dbadfb6161 -r 62d2ebb8d23b src/virsh.c --- a/src/virsh.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/virsh.c Tue Jan 27 03:13:46 2009 +0900 @@ -49,6 +49,10 @@ #include "internal.h" #include "console.h" +#ifdef RBAC +#include "xenrbac_libvirt.h" +#endif + static char *progname; #ifndef TRUE @@ -1066,12 +1070,13 @@ if (!(dom = vshCommandOptDomainBy(ctl, cmd, "name", NULL, VSH_BYNAME))) return FALSE; +#ifndef RBAC if (virDomainGetID(dom) != (unsigned int)-1) { vshError(ctl, FALSE, _("Domain is already active")); virDomainFree(dom); return FALSE; } - +#endif if (virDomainCreate(dom) == 0) { vshPrint(ctl, _("Domain %s started\n"), virDomainGetName(dom)); @@ -1549,6 +1554,25 @@ if (!(dom = vshCommandOptDomain(ctl, cmd, "domain", NULL))) return FALSE; +#ifdef RBAC + if ((str = virDomainGetOSType(dom))) { + id = virDomainGetID(dom); + if (id == ((unsigned int)-1)) + vshPrint(ctl, "%-15s %s\n", _("Id:"), "-"); + else + vshPrint(ctl, "%-15s %d\n", _("Id:"), id); + vshPrint(ctl, "%-15s %s\n", _("Name:"), virDomainGetName(dom)); + + if (virDomainGetUUIDString(dom, &uuid[0])==0) + vshPrint(ctl, "%-15s %s\n", _("UUID:"), uuid); + + vshPrint(ctl, "%-15s %s\n", _("OS Type:"), str); + free(str); + } else { + virDomainFree(dom); + return FALSE; + } +#else id = virDomainGetID(dom); if (id == ((unsigned int)-1)) vshPrint(ctl, "%-15s %s\n", _("Id:"), "-"); @@ -1563,6 +1587,7 @@ vshPrint(ctl, "%-15s %s\n", _("OS Type:"), str); free(str); } +#endif if (virDomainGetInfo(dom, &info) == 0) { vshPrint(ctl, "%-15s %s\n", _("State:"), @@ -2116,7 +2141,11 @@ if (!(dom = vshCommandOptDomain(ctl, cmd, "domain", NULL))) return FALSE; +#ifdef RBAC + dump = virDomainGetXMLDesc_XRBAC(XR_DETAIL_VM, dom, 0); +#else dump = virDomainGetXMLDesc(dom, 0); +#endif if (dump != NULL) { printf("%s", dump); free(dump); @@ -2555,7 +2584,6 @@ } if (maxactive) { activeNames = vshMalloc(ctl, sizeof(char *) * maxactive); - if ((maxactive = virConnectListNetworks(ctl->conn, activeNames, maxactive)) < 0) { vshError(ctl, FALSE, _("Failed to list active networks")); @@ -2576,7 +2604,6 @@ } if (maxinactive) { inactiveNames = vshMalloc(ctl, sizeof(char *) * maxinactive); - if ((maxinactive = virConnectListDefinedNetworks(ctl->conn, inactiveNames, maxinactive)) < 0) { vshError(ctl, FALSE, _("Failed to list inactive networks")); if (activeNames) @@ -2824,6 +2851,13 @@ return FALSE; } +#ifdef RBAC + ret = virGetVersion(&libVersion, hvType, &apiVersion); + if (ret < 0) { + vshError(ctl, FALSE, _("failed to get the library version")); + return FALSE; + } + includeVersion = LIBVIR_VERSION_NUMBER; major = includeVersion / 1000000; includeVersion %= 1000000; @@ -2831,12 +2865,22 @@ rel = includeVersion % 1000; vshPrint(ctl, _("Compiled against library: libvir %d.%d.%d\n"), major, minor, rel); +#else + includeVersion = LIBVIR_VERSION_NUMBER; + major = includeVersion / 1000000; + includeVersion %= 1000000; + minor = includeVersion / 1000; + rel = includeVersion % 1000; + vshPrint(ctl, _("Compiled against library: libvir %d.%d.%d\n"), + major, minor, rel); ret = virGetVersion(&libVersion, hvType, &apiVersion); if (ret < 0) { vshError(ctl, FALSE, _("failed to get the library version")); return FALSE; } +#endif + major = libVersion / 1000000; libVersion %= 1000000; minor = libVersion / 1000; @@ -2961,7 +3005,11 @@ if (!(dom = vshCommandOptDomain(ctl, cmd, "domain", NULL))) return FALSE; +#ifdef RBAC + doc = virDomainGetXMLDesc_XRBAC(XR_DETAIL_VM, dom, 0); +#else doc = virDomainGetXMLDesc(dom, 0); +#endif if (!doc) goto cleanup; @@ -3038,7 +3086,11 @@ if (!(dom = vshCommandOptDomain(ctl, cmd, "domain", NULL))) return FALSE; +#ifdef RBAC + doc = virDomainGetXMLDesc_XRBAC(XR_DETAIL_VM, dom, 0); +#else doc = virDomainGetXMLDesc(dom, 0); +#endif if (!doc) goto cleanup; @@ -4532,12 +4584,15 @@ /* set up the library error handler */ virSetErrorFunc(NULL, virshErrorHandler); +#ifdef RBAC +#else #ifndef __MINGW32__ /* Force a non-root, Xen connection to readonly */ if ((ctl->name == NULL || !strcasecmp(ctl->name, "xen")) && ctl->uid != 0) ctl->readonly = 1; #endif +#endif /* RBAC */ ctl->conn = virConnectOpenAuth(ctl->name, virConnectAuthPtrDefault, diff -r d5dbadfb6161 -r 62d2ebb8d23b src/virterror.c --- a/src/virterror.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/virterror.c Tue Jan 27 03:13:46 2009 +0900 @@ -300,6 +300,11 @@ case VIR_FROM_STATS_LINUX: dom = "Linux Stats "; break; +#ifdef RBAC + case VIR_FROM_XENRBAC: + dom = "Xen RBAC "; + break; +#endif } if ((err->dom != NULL) && (err->code != VIR_ERR_INVALID_DOMAIN)) { @@ -679,6 +684,14 @@ else errmsg = _("authentication failed: %s"); break; +#ifdef RBAC + case VIR_ERR_PERMISSION: + if (info == NULL) + errmsg = _("operation not permitted"); + else + errmsg = _("operation not permitted: %s"); + break; +#endif } return (errmsg); } diff -r d5dbadfb6161 -r 62d2ebb8d23b src/xen_internal.c --- a/src/xen_internal.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/xen_internal.c Tue Jan 27 03:13:46 2009 +0900 @@ -741,7 +741,6 @@ errmsg, info, NULL, value, 0, errmsg, info, value); } -#ifndef PROXY /** * virXenErrorFunc: @@ -779,7 +778,6 @@ } } -#endif /* PROXY */ /** * virXenPerror: @@ -1069,7 +1067,6 @@ } -#ifndef PROXY /** * xenHypervisorGetSchedulerType: * @domain: pointer to the Xen Hypervisor block @@ -1082,19 +1079,35 @@ char * xenHypervisorGetSchedulerType(virDomainPtr domain, int *nparams) { + if ((domain == NULL) || (domain->conn == NULL)) { + virXenErrorFunc(NULL, VIR_ERR_INTERNAL_ERROR, __FUNCTION__, + "domain is NULL", 0); + return NULL; + } + if (domain->id < 0) { + virXenErrorFunc(domain->conn, VIR_ERR_INTERNAL_ERROR, __FUNCTION__, + "domain->id invalid", 0); + return NULL; + } + return(xenHypervisorGetSchedType(domain->conn, nparams)); +} + +char * +xenHypervisorGetSchedType(virConnectPtr conn, int *nparams) +{ char *schedulertype = NULL; xenUnifiedPrivatePtr priv; - if ((domain == NULL) || (domain->conn == NULL)) { + if (conn == NULL) { virXenErrorFunc(NULL, VIR_ERR_INTERNAL_ERROR, __FUNCTION__, - "domain or conn is NULL", 0); + "conn is NULL", 0); return NULL; } - priv = (xenUnifiedPrivatePtr) domain->conn->privateData; - if (priv->handle < 0 || domain->id < 0) { - virXenErrorFunc(domain->conn, VIR_ERR_INTERNAL_ERROR, __FUNCTION__, - "priv->handle or domain->id invalid", 0); + priv = (xenUnifiedPrivatePtr) conn->privateData; + if (priv->handle < 0) { + virXenErrorFunc(conn, VIR_ERR_INTERNAL_ERROR, __FUNCTION__, + "priv->handle invalid", 0); return NULL; } @@ -1104,8 +1117,8 @@ * TODO: check on Xen 3.0.3 */ if (dom_interface_version < 5) { - virXenErrorFunc(domain->conn, VIR_ERR_NO_XEN, __FUNCTION__, - "unsupported in dom interface < 5", 0); + virXenErrorFunc(conn, VIR_ERR_NO_XEN, __FUNCTION__, + "unsupported in dom interface < 5", 0); return NULL; } @@ -1138,6 +1151,7 @@ return schedulertype; } +#ifndef PROXY static const char *str_weight = "weight"; static const char *str_cap = "cap"; diff -r d5dbadfb6161 -r 62d2ebb8d23b src/xen_internal.h --- a/src/xen_internal.h Wed Apr 02 13:13:06 2008 +0900 +++ b/src/xen_internal.h Tue Jan 27 03:13:46 2009 +0900 @@ -76,8 +76,10 @@ int maplen); int xenHypervisorGetVcpuMax (virDomainPtr domain); -char * xenHypervisorGetSchedulerType (virDomainPtr domain, - int *nparams); +char * xenHypervisorGetSchedulerType (virDomainPtr domain, + int *nparams); +char * xenHypervisorGetSchedType (virConnectPtr conn, + int *nparams); int xenHypervisorGetSchedulerParameters (virDomainPtr domain, virSchedParameterPtr params, diff -r d5dbadfb6161 -r 62d2ebb8d23b src/xen_unified.c --- a/src/xen_unified.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/xen_unified.c Tue Jan 27 03:13:46 2009 +0900 @@ -40,6 +40,9 @@ #include "xm_internal.h" #include "xml.h" +#ifdef RBAC +#include <xen/xen.h> +#endif static int xenUnifiedNodeGetInfo (virConnectPtr conn, virNodeInfoPtr info); static int @@ -266,6 +269,11 @@ priv->xendConfigVersion > 2) continue; +#ifdef RBAC + /* Ignore proxy for non-root */ + if (i == XEN_UNIFIED_HYPERVISOR_OFFSET && getuid() != 0) + continue; +#endif /* Ignore proxy for root */ if (i == XEN_UNIFIED_PROXY_OFFSET && getuid() == 0) continue; @@ -282,10 +290,15 @@ #endif } +#ifdef RBAC + if (!priv->opened[i] && + (!(conn->flags & VIR_CONNECT_RO) || getuid() == 0 || i == XEN_UNIFIED_PROXY_OFFSET)) { +#else /* If as root, then all drivers must succeed. If non-root, then only proxy must succeed */ if (!priv->opened[i] && (getuid() == 0 || i == XEN_UNIFIED_PROXY_OFFSET)) { +#endif for (j = 0; j < i; ++j) if (priv->opened[j]) drivers[j]->close (conn); free (priv); @@ -381,6 +394,9 @@ static int xenUnifiedGetMaxVcpus (virConnectPtr conn, const char *type) { +#ifdef RBAC + return MAX_VIRT_CPUS; +#else GET_PRIVATE(conn); if (type && STRCASENEQ (type, "Xen")) { @@ -394,6 +410,7 @@ xenUnifiedError (conn, VIR_ERR_NO_SUPPORT, __FUNCTION__); return -1; } +#endif } static int @@ -889,6 +906,9 @@ static int xenUnifiedDomainGetMaxVcpus (virDomainPtr dom) { +#ifdef RBAC + return MAX_VIRT_CPUS; +#else GET_PRIVATE(dom->conn); int i, ret; @@ -899,6 +919,7 @@ } return -1; +#endif } static char * diff -r d5dbadfb6161 -r 62d2ebb8d23b src/xend_internal.c --- a/src/xend_internal.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/xend_internal.c Tue Jan 27 03:13:46 2009 +0900 @@ -62,6 +62,12 @@ static int xenDaemonDomainCoreDump(virDomainPtr domain, const char *filename, int flags); #endif /* PROXY */ +#ifdef RBAC +static int xenDaemonGetSchedulerParameters(virDomainPtr domain, + virSchedParameterPtr params, int *nparams); +static int xenDaemonSetSchedulerParameters(virDomainPtr domain, + virSchedParameterPtr params, int nparams); +#endif /* RBAC */ #ifndef PROXY struct xenUnifiedDriver xenDaemonDriver = { @@ -102,8 +108,13 @@ NULL, /* domainGetAutostart */ NULL, /* domainSetAutostart */ NULL, /* domainGetSchedulerType */ +#ifdef RBAC + xenDaemonGetSchedulerParameters, /* domainGetSchedulerParameters */ + xenDaemonSetSchedulerParameters, /* domainSetSchedulerParameters */ +#else NULL, /* domainGetSchedulerParameters */ NULL, /* domainSetSchedulerParameters */ +#endif }; /** @@ -235,7 +246,11 @@ * is rather normal, this should fallback to the proxy (or * remote) mechanism. */ +#ifdef RBAC + if (getuid() == 0) { +#else if ((getuid() == 0) || (xend->flags & VIR_CONNECT_RO)) { +#endif virXendError(xend, VIR_ERR_INTERNAL_ERROR, "failed to connect to xend"); } @@ -3591,6 +3606,109 @@ return(ret); } + +#ifdef RBAC +static const char *str_weight = "weight"; +static const char *str_cap = "cap"; + +static int +xenDaemonGetSchedulerParameters(virDomainPtr domain, + virSchedParameterPtr params, int *nparams) +{ + xenUnifiedPrivatePtr priv; + struct sexpr *root; + int weight, cap; + + if ((domain == NULL) || (domain->conn == NULL) || (domain->name == NULL)) { + virXendError((domain ? domain->conn : NULL), VIR_ERR_INVALID_ARG, + __FUNCTION__); + return (-1); + } + + priv = (xenUnifiedPrivatePtr) domain->conn->privateData; + if (domain->id < 0 && priv->xendConfigVersion < 3) + return (-1); + + root = sexpr_get(domain->conn, "/xend/domain/%d?detail=1", domain->id); + if (root == NULL) + return (-1); + + weight = sexpr_int(root, "domain/cpu_weight"); + cap = sexpr_int(root, "domain/cpu_cap"); + + strncpy (params[0].field, str_weight, VIR_DOMAIN_SCHED_FIELD_LENGTH); + params[0].type = VIR_DOMAIN_SCHED_FIELD_INT; + params[0].value.i = weight; + + strncpy (params[1].field, str_cap, VIR_DOMAIN_SCHED_FIELD_LENGTH); + params[1].type = VIR_DOMAIN_SCHED_FIELD_INT; + params[1].value.i = cap; + + return (0); +} + +static int +xenDaemonSetSchedulerParameters(virDomainPtr domain, + virSchedParameterPtr params, int nparams) +{ + int i; + int weight_set = 0; + int cap_set = 0; + char buf_weight[VIR_UUID_BUFLEN]; + char buf_cap[VIR_UUID_BUFLEN]; + xenUnifiedPrivatePtr priv; + int weight, cap; + struct sexpr *root; + + if ((domain == NULL) || (domain->conn == NULL) || (domain->name == NULL) + || (nparams == 0) || (params == NULL)) { + virXendError((domain ? domain->conn : NULL), VIR_ERR_INVALID_ARG, + __FUNCTION__); + return (-1); + } + + priv = (xenUnifiedPrivatePtr) domain->conn->privateData; + + if (domain->id < 0 && priv->xendConfigVersion < 3) + return(-1); + + /* search specified parameter */ + memset(&buf_weight, 0, VIR_UUID_BUFLEN); + memset(&buf_cap, 0, VIR_UUID_BUFLEN); + for (i = 0; i < nparams; i++) { + if (STREQ (params[i].field, str_weight) && + params[i].type == VIR_DOMAIN_SCHED_FIELD_UINT) { + snprintf(buf_weight, sizeof(buf_weight), "%d", params[i].value.ui); + weight_set = 1; + } else if (STREQ (params[i].field, str_cap) && + params[i].type == VIR_DOMAIN_SCHED_FIELD_UINT) { + snprintf(buf_cap, sizeof(buf_cap), "%d", params[i].value.ui); + cap_set = 1; + } else { + virXendError((domain ? domain->conn : NULL), + VIR_ERR_INVALID_ARG, __FUNCTION__); + return(-1); + } + } + + /* get the current setting from xend */ + root = sexpr_get(domain->conn, "/xend/domain/%d?detail=1", domain->id); + weight = sexpr_int(root, "domain/cpu_weight"); + cap = sexpr_int(root, "domain/cpu_cap"); + + + /* if not specified parameter, set the current value */ + if (weight_set != 1) + snprintf(buf_weight, sizeof(buf_weight), "%d", weight); + if (cap_set != 1) + snprintf(buf_cap, sizeof(buf_weight), "%d", cap); + + /* xend operation */ + return(xend_op(domain->conn, domain->name, "op", "domain_sched_credit_set", + "weight", buf_weight, "cap", buf_cap, NULL)); +} +#endif /* RBAC */ + #endif /* ! PROXY */ #endif /* WITH_XEN */ diff -r d5dbadfb6161 -r 62d2ebb8d23b src/xenrbac.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/xenrbac.h Tue Jan 27 03:13:46 2009 +0900 @@ -0,0 +1,39 @@ +/* + Copyright (C) 2008 Fujitsu Limited. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + MA 02110-1301 USA. +*/ + +#ifndef __XENRBAC_H__ +#define __XENRBAC_H__ + +#include <errno.h> + +int xr_judge(char *username, int opeid, char *domainname, int flag_all); + +#define XR_ANY 0 +#define XR_ALL 1 + +#define XR_ACCEPT 0 +#define XR_DENY EPERM + +#endif /*__XENRBAC_H__*/ +/* + * Local variables: + * c-indent-level: 8 + * c-basic-offset: 8 + * End: + */ diff -r d5dbadfb6161 -r 62d2ebb8d23b src/xenrbac_libvirt.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/xenrbac_libvirt.c Tue Jan 27 03:13:46 2009 +0900 @@ -0,0 +1,162 @@ +/* + * xr_internal.c: access to Xen RBAC + * + * Copyright (C) 2008 FUJITSU Limited. + * + * See COPYING.LIB for the License of this software + * + */ + +#include "libvirt/libvirt.h" +#include "libvirt/virterror.h" +#include "internal.h" + +#include <stdio.h> +#include <errno.h> +#include <sys/types.h> +#include <pwd.h> +#include <unistd.h> + +#include <libxml/parser.h> +#include <libxml/xpath.h> +#include <libxml/uri.h> + +#include "xenrbac_libvirt.h" +#include "xenrbac.h" + + +/** + * xenRBACError: + * @error: the error number + * @info: extra information string + * + * Handle an error at the connection level + */ +static void +xenRBACError(virConnectPtr conn, virErrorNumber error, const char *info) +{ + const char *errmsg; + + if (error == VIR_ERR_OK) + return; + + errmsg = __virErrorMsg(error, info); + __virRaiseError(conn, NULL, NULL, VIR_FROM_XENRBAC, error, VIR_ERR_ERROR, + errmsg, info, NULL, 0, 0, errmsg, info); +} + +int +xenRBACdomain(int op_id, char *domname, virConnectPtr conn) +{ + struct passwd *pw = NULL; + int ret=0; + char msg_buff[256]; + + memset((char *)msg_buff, (char)NULL, 256); + + /* parameter Check */ + if( op_id <= 0 ) { + snprintf(msg_buff, 256, "unknown access ID ID = %d", op_id); + xenRBACError( conn, VIR_ERR_INTERNAL_ERROR, msg_buff); + return -1; + } + + if( (domname != NULL) && (strlen(domname) == 0) ){ + xenRBACError( conn, VIR_ERR_INTERNAL_ERROR, "domain name"); + return -1; + } + /* Get username */ + if( !(pw = getpwuid( getuid())) ){ + if(errno == 0) + xenRBACError( conn, VIR_ERR_SYSTEM_ERROR, NULL); + else + xenRBACError( conn, VIR_ERR_SYSTEM_ERROR, strerror(errno)); + return -1; + } + + ret = xr_judge( pw->pw_name, op_id, domname, XR_ANY); + if ( ret != 0 ){ + switch(ret) { + case EPERM: + xenRBACError( conn, VIR_ERR_PERMISSION, NULL); + return -1; + + case EINVAL: + xenRBACError( conn, VIR_ERR_INTERNAL_ERROR, NULL); + return -1; + + case ENOMEM: + xenRBACError( conn, VIR_ERR_NO_MEMORY, NULL); + return -1; + + case ENOENT: + case EACCES: + xenRBACError( conn, VIR_ERR_OPEN_FAILED, NULL); + return -1; + + default: + xenRBACError( conn, VIR_ERR_INTERNAL_ERROR, NULL); + return -1; + + } //switch_end + } + + return 0; +} + +int +xenRBACxml( int op_id, const char *xmlDesc, virConnectPtr conn) +{ + + xmlDocPtr xml = NULL; + xmlXPathObjectPtr obj = NULL; + xmlXPathContextPtr ctxt = NULL; + int ret = 0; + + /* parameter Check */ + if( xmlDesc == NULL ){ + xenRBACError( conn, VIR_ERR_INTERNAL_ERROR, "xmlDesc"); + return -1; + } + + xml = xmlReadDoc((const xmlChar *) xmlDesc, "domain.xml", NULL, + XML_PARSE_NOENT | XML_PARSE_NONET | + XML_PARSE_NOWARNING); + if (!xml) { + xenRBACError( conn, VIR_ERR_XML_ERROR, NULL); + ret = -1; + goto cleanup; + } + + ctxt = xmlXPathNewContext(xml); + if (!ctxt) { + xenRBACError( conn, VIR_ERR_XML_ERROR, NULL); + ret = -1; + goto cleanup; + } + + obj = xmlXPathEval(BAD_CAST "string(/domain/name)" , ctxt); + if (!obj) { + xenRBACError( conn, VIR_ERR_XML_ERROR, NULL); + ret = -1; + goto cleanup; + } + if ( (obj->type == XPATH_STRING) && (obj->stringval != NULL) && (obj->stringval[0] != 0) ) { + ret = xenRBACdomain( op_id, (char *)obj->stringval, conn); + } else { + xenRBACError( conn, VIR_ERR_XML_ERROR, NULL); + ret = -1; + goto cleanup; + } + + cleanup: + if (obj) + xmlXPathFreeObject(obj); + if (ctxt) + xmlXPathFreeContext(ctxt); + if (xml) + xmlFreeDoc(xml); + + return ret; +} + diff -r d5dbadfb6161 -r 62d2ebb8d23b src/xenrbac_libvirt.h --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/src/xenrbac_libvirt.h Tue Jan 27 03:13:46 2009 +0900 @@ -0,0 +1,68 @@ +/* + * xenrbac_libvirt.h: internal API for access to Xen RBAC + * + * Copyright (C) 2008 FUJITSU Limited. + * + * See COPYING.LIB for the License of this software + * + */ + + +#ifndef __VIR_XR_JUDGE_H__ +#define __VIR_XR_JUDGE_H__ + +int xenRBACdomain(int op_id, char *domainname, virConnectPtr conn); +int xenRBACxml(int op_id, const char *xmlDesc, virConnectPtr conn); + +#ifdef RBAC +/* ACCESS LIST */ +#define XR_CREATE_VM 1 +#define XR_START_VM 2 +#define XR_DESTROY_VM 3 +#define XR_SHUTDOWN_VM 4 +#define XR_PAUSE_VM 5 +#define XR_SUSPEND_VM 6 +#define XR_SAVE_VM 7 +#define XR_DEFINE_VM 8 +#define XR_MIGRATE_VM 9 +#define XR_REBOOT_VM 10 +#define XR_DUMP_VM 11 +#define XR_RENAME_VM 12 +#define XR_SYSREQ_VM 13 +#define XR_AUTOSTART_VM 14 +#define XR_UNDEFINE_VM 15 /* Step2 2008.8.13 */ +#define XR_LIST_VM 16 +#define XR_DETAIL_VM 17 +#define XR_LOAD_VM 18 +#define XR_UPTIME_VM 19 +#define XR_XEND_LOG 20 +#define XR_XEND_MSG 21 +#define XR_HOSTNAME 22 +#define XR_AVAILABLE_MEM 23 + +#define XR_SET_VCPU 30 +#define XR_GET_VCPU 31 +#define XR_SET_SCHEDULER 32 +#define XR_GET_SCHEDULER 33 +#define XR_SET_MEM 34 +#define XR_ATTACH_DEVICE 35 /* Step2 2008.8.13 */ +#define XR_LIST_VBD 36 +#define XR_LIST_VNIF 37 +#define XR_LIST_VTPM 38 +#define XR_CREATE_VNET 40 +#define XR_LIST_VNET 41 +#define XR_DETAIL_VNET 42 +#define XR_AUTOSTART_VNET 43 +#define XR_DEFINE_VNET 44 +#define XR_DETACH_DEVICE 45 /* Step2 2008.8.13 */ +#define XR_CHANGE_DEVICE 46 /* Step2 2008.8.13 */ +#define XR_DESTROY_VNET 47 /* Step2 2008.8.13 */ + +#define XR_HYPERVISER_URI 61 +#define XR_VERSION 62 +#define XR_SEND_TRIGGER 63 +#define XR_SEND_DEBUG_KEY 64 +#endif + +#endif /* __VIR_XR_JUDGE_H__ */ + diff -r d5dbadfb6161 -r 62d2ebb8d23b src/xs_internal.c --- a/src/xs_internal.c Wed Apr 02 13:13:06 2008 +0900 +++ b/src/xs_internal.c Tue Jan 27 03:13:46 2009 +0900 @@ -336,7 +336,11 @@ #ifdef PROXY priv->xshandle = xs_daemon_open_readonly(); #else +#ifdef RBAC + if ((getuid != 0) || (flags & VIR_CONNECT_RO)) +#else if (flags & VIR_CONNECT_RO) +#endif priv->xshandle = xs_daemon_open_readonly(); else priv->xshandle = xs_daemon_open(); @@ -348,7 +352,11 @@ * is rather normal, this should fallback to the proxy (or * remote) mechanism. */ +#ifdef RBAC + if (!(flags & VIR_CONNECT_RO)) { +#else if (getuid() == 0) { +#endif virXenStoreError(NULL, VIR_ERR_NO_XEN, _("failed to connect to Xen Store")); } diff -r d5dbadfb6161 -r 62d2ebb8d23b tests/Makefile.in --- a/tests/Makefile.in Wed Apr 02 13:13:06 2008 +0900 +++ b/tests/Makefile.in Tue Jan 27 03:13:46 2009 +0900 @@ -387,6 +387,7 @@ LIBXML_CFLAGS = @LIBXML_CFLAGS@ LIBXML_LIBS = @LIBXML_LIBS@ LN_S = @LN_S@ +LIBXENRBAC = -lxenrbac LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ @@ -693,37 +694,37 @@ done conftest$(EXEEXT): $(conftest_OBJECTS) $(conftest_DEPENDENCIES) @rm -f conftest$(EXEEXT) - $(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS) + $(LINK) $(conftest_OBJECTS) $(conftest_LDADD) $(LIBS) $(LIBXENRBAC) nodeinfotest$(EXEEXT): $(nodeinfotest_OBJECTS) $(nodeinfotest_DEPENDENCIES) @rm -f nodeinfotest$(EXEEXT) - $(LINK) $(nodeinfotest_OBJECTS) $(nodeinfotest_LDADD) $(LIBS) + $(LINK) $(nodeinfotest_OBJECTS) $(nodeinfotest_LDADD) $(LIBS) $(LIBXENRBAC) qemuxml2argvtest$(EXEEXT): $(qemuxml2argvtest_OBJECTS) $(qemuxml2argvtest_DEPENDENCIES) @rm -f qemuxml2argvtest$(EXEEXT) - $(LINK) $(qemuxml2argvtest_OBJECTS) $(qemuxml2argvtest_LDADD) $(LIBS) + $(LINK) $(qemuxml2argvtest_OBJECTS) $(qemuxml2argvtest_LDADD) $(LIBS) $(LIBXENRBAC) qemuxml2xmltest$(EXEEXT): $(qemuxml2xmltest_OBJECTS) $(qemuxml2xmltest_DEPENDENCIES) @rm -f qemuxml2xmltest$(EXEEXT) - $(LINK) $(qemuxml2xmltest_OBJECTS) $(qemuxml2xmltest_LDADD) $(LIBS) + $(LINK) $(qemuxml2xmltest_OBJECTS) $(qemuxml2xmltest_LDADD) $(LIBS) $(LIBXENRBAC) reconnect$(EXEEXT): $(reconnect_OBJECTS) $(reconnect_DEPENDENCIES) @rm -f reconnect$(EXEEXT) - $(LINK) $(reconnect_OBJECTS) $(reconnect_LDADD) $(LIBS) + $(LINK) $(reconnect_OBJECTS) $(reconnect_LDADD) $(LIBS) $(LIBXENRBAC) sexpr2xmltest$(EXEEXT): $(sexpr2xmltest_OBJECTS) $(sexpr2xmltest_DEPENDENCIES) @rm -f sexpr2xmltest$(EXEEXT) - $(LINK) $(sexpr2xmltest_OBJECTS) $(sexpr2xmltest_LDADD) $(LIBS) + $(LINK) $(sexpr2xmltest_OBJECTS) $(sexpr2xmltest_LDADD) $(LIBS) $(LIBXENRBAC) virshtest$(EXEEXT): $(virshtest_OBJECTS) $(virshtest_DEPENDENCIES) @rm -f virshtest$(EXEEXT) - $(LINK) $(virshtest_OBJECTS) $(virshtest_LDADD) $(LIBS) + $(LINK) $(virshtest_OBJECTS) $(virshtest_LDADD) $(LIBS) $(LIBXENRBAC) xencapstest$(EXEEXT): $(xencapstest_OBJECTS) $(xencapstest_DEPENDENCIES) @rm -f xencapstest$(EXEEXT) - $(LINK) $(xencapstest_OBJECTS) $(xencapstest_LDADD) $(LIBS) + $(LINK) $(xencapstest_OBJECTS) $(xencapstest_LDADD) $(LIBS) $(LIBXENRBAC) xmconfigtest$(EXEEXT): $(xmconfigtest_OBJECTS) $(xmconfigtest_DEPENDENCIES) @rm -f xmconfigtest$(EXEEXT) - $(LINK) $(xmconfigtest_OBJECTS) $(xmconfigtest_LDADD) $(LIBS) + $(LINK) $(xmconfigtest_OBJECTS) $(xmconfigtest_LDADD) $(LIBS) $(LIBXENRBAC) xml2sexprtest$(EXEEXT): $(xml2sexprtest_OBJECTS) $(xml2sexprtest_DEPENDENCIES) @rm -f xml2sexprtest$(EXEEXT) - $(LINK) $(xml2sexprtest_OBJECTS) $(xml2sexprtest_LDADD) $(LIBS) + $(LINK) $(xml2sexprtest_OBJECTS) $(xml2sexprtest_LDADD) $(LIBS) $(LIBXENRBAC) xmlrpctest$(EXEEXT): $(xmlrpctest_OBJECTS) $(xmlrpctest_DEPENDENCIES) @rm -f xmlrpctest$(EXEEXT) - $(LINK) $(xmlrpctest_OBJECTS) $(xmlrpctest_LDADD) $(LIBS) + $(LINK) $(xmlrpctest_OBJECTS) $(xmlrpctest_LDADD) $(LIBS) $(LIBXENRBAC) mostlyclean-compile: -rm -f *.$(OBJEXT)