Re: [libvirt] [PATCH 00/19] Support for access control

From: "Daniel P. Berrange" <berrange(a)redhat.com&gt; This series (which depends on the Xen refactoring patches) adds support for access control checks on all APIs that run inside libvirtd. The first patch defines the basic objects which can be checked and the permissions associated with each object. In addition it provides the basic internal (pluggable) API for access control checks Later there are policykit and selinux drivers for the access control framework. Neither of these is currently optimal but they have basic functionality working To ensure that we don't forget access control checks when adding new APIs, we maintain metadata in the remote_protocol.x file against each method declaring what access control check must be done. There are actually two checks possible. The first check is against the object being used. The optional second check is against the objects being returned (if any). The latter is used to filter what can be seen when asking for a list of objects (eg 'virsh list' gets filtered) Again to ensure accurate checks, we automate the generation of methods for applying access control checks to each API. These helper methods are named to match the public API names. The last patch ensures that every method listed in the virXXXXDriverPtr tables has a call to an access control helper with the same name as the public API. And of course there are the patches which actually add the access control checks. Still todo - Not all Xen methods have access control checks yet. This causes the test case in the last patch to report failures - Have not wired up the checks for filtering the returned objects in any driver yet - The polkit driver is inefficient since it spawns pkcheck for each check. We need to talk to DBus directly since ACL checks will be very frequent and need to be lightweight - The SELinux driver is validating against the label of libvirtd. We need to validate against the label of the virDomainDefPtr security model or some equivalent for other objects. - Need to write a generic RBAC access control impl. It was hoped that new polkit would make this obsolete. Polkit is still unable to do access control checks for non-local users though eg it can't validate against SASL usernames or x509 certs. Daniel P. Berrange (19): Define basic internal API for access control Set conn->driver before running driver connectOpen method Setup default access control manager in libvirtd Add a policy kit access control driver Add an SELinux access control driver Add ACL annotations to all RPC messages Auto-generate helpers for checking access control rules Add ACL checks into the QEMU driver Add ACL checks into the LXC driver Add ACL checks into the UML driver Add ACL checks into the Xen driver Add ACL checks into the libxl driver Add ACL checks into the storage driver Add ACL checks into the network driver Add ACL checks into the interface driver Add ACL checks into the node device driver Add ACL checks into the nwfilter driver Add ACL checks into the secrets driver Add validation that all APIs contain ACL checks .gitignore | 10 + daemon/Makefile.am | 1 + daemon/libvirtd-config.c | 4 + daemon/libvirtd-config.h | 2 + daemon/libvirtd.aug | 1 + daemon/libvirtd.c | 27 ++ daemon/libvirtd.conf | 9 + daemon/test_libvirtd.aug.in | 4 + include/libvirt/virterror.h | 4 + m4/virt-compile-warnings.m4 | 1 + m4/virt-selinux.m4 | 2 + po/POTFILES.in | 3 + src/Makefile.am | 128 +++++- src/access/genpolkit.pl | 119 ++++++ src/access/viraccessdriver.h | 89 ++++ src/access/viraccessdrivernop.c | 118 ++++++ src/access/viraccessdrivernop.h | 28 ++ src/access/viraccessdriverpolkit.c | 399 ++++++++++++++++++ src/access/viraccessdriverpolkit.h | 28 ++ src/access/viraccessdriverselinux.c | 565 +++++++++++++++++++++++++ src/access/viraccessdriverselinux.h | 28 ++ src/access/viraccessdriverstack.c | 285 +++++++++++++ src/access/viraccessdriverstack.h | 32 ++ src/access/viraccessmanager.c | 352 ++++++++++++++++ src/access/viraccessmanager.h | 91 ++++ src/access/viraccessperm.c | 84 ++++ src/access/viraccessperm.h | 647 +++++++++++++++++++++++++++++ src/check-aclrules.pl | 144 +++++++ src/interface/interface_backend_netcf.c | 114 +++++ src/interface/interface_backend_udev.c | 85 +++- src/internal.h | 4 + src/libvirt.c | 11 +- src/libvirt_private.syms | 37 ++ src/libxl/libxl_driver.c | 187 ++++++++- src/locking/lock_protocol.x | 8 + src/lxc/lxc_driver.c | 219 +++++++++- src/network/bridge_driver.c | 61 +++ src/node_device/node_device_driver.c | 36 ++ src/nwfilter/nwfilter_driver.c | 26 ++ src/qemu/qemu_driver.c | 716 ++++++++++++++++++++++++++++---- src/remote/lxc_protocol.x | 1 + src/remote/qemu_protocol.x | 4 + src/remote/remote_protocol.x | 406 ++++++++++++++++++ src/rpc/gendispatch.pl | 212 +++++++++- src/secret/secret_driver.c | 31 ++ src/storage/storage_driver.c | 155 ++++++- src/uml/uml_driver.c | 174 +++++++- src/util/virerror.c | 8 + src/util/virlog.c | 3 +- src/util/virlog.h | 1 + src/xen/xen_driver.c | 217 +++++++++- 51 files changed, 5785 insertions(+), 136 deletions(-) create mode 100755 src/access/genpolkit.pl create mode 100644 src/access/viraccessdriver.h create mode 100644 src/access/viraccessdrivernop.c create mode 100644 src/access/viraccessdrivernop.h create mode 100644 src/access/viraccessdriverpolkit.c create mode 100644 src/access/viraccessdriverpolkit.h create mode 100644 src/access/viraccessdriverselinux.c create mode 100644 src/access/viraccessdriverselinux.h create mode 100644 src/access/viraccessdriverstack.c create mode 100644 src/access/viraccessdriverstack.h create mode 100644 src/access/viraccessmanager.c create mode 100644 src/access/viraccessmanager.h create mode 100644 src/access/viraccessperm.c create mode 100644 src/access/viraccessperm.h create mode 100644 src/check-aclrules.pl