From: "Daniel P. Berrange" <berrange(a)redhat.com>
Ensure that all APIs which list network objects filter
them against the access control system.
Signed-off-by: Daniel P. Berrange <berrange(a)redhat.com>
---
src/conf/network_conf.c | 12 ++++++-----
src/conf/network_conf.h | 13 ++++++++----
src/libvirt_private.syms | 2 +-
src/network/bridge_driver.c | 44 ++++++++++++++++++++++++---------------
src/parallels/parallels_network.c | 2 +-
src/test/test_driver.c | 2 +-
6 files changed, 46 insertions(+), 29 deletions(-)
diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 2b4845c..64fd581 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -4289,10 +4289,11 @@ virNetworkMatch(virNetworkObjPtr netobj,
#undef MATCH
int
-virNetworkList(virConnectPtr conn,
- virNetworkObjList netobjs,
- virNetworkPtr **nets,
- unsigned int flags)
+virNetworkObjListExport(virConnectPtr conn,
+ virNetworkObjList netobjs,
+ virNetworkPtr **nets,
+ virNetworkObjListFilter filter,
+ unsigned int flags)
{
virNetworkPtr *tmp_nets = NULL;
virNetworkPtr net = NULL;
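Review bot: The new `filter` parameter has no documentation at the definition, so its contract (what a true return means, whether NULL is allowed) is only discoverable by reading the loop later in the function. A header comment above `virNetworkObjListExport` should state it: `@filter: optional callback returning true if @conn may see the network; NULL exports every object that matches @flags`. The body of virNetworkObjListExport continues past this hunk.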
@@ -4310,7 +4311,8 @@ virNetworkList(virConnectPtr conn,
for (i = 0; i < netobjs.count; i++) {
virNetworkObjPtr netobj = netobjs.objs[i];
virNetworkObjLock(netobj);
- if (virNetworkMatch(netobj, flags)) {
+ if ((!filter || filter(conn, netobj->def)) &&
+ virNetworkMatch(netobj, flags)) {
if (nets) {
if (!(net = virGetNetwork(conn,
netobj->def->name,
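Review bot: The filter callback on L37 runs while netobj is locked (L35) and, in the bridge driver, while the caller holds the driver lock, so if an access-control backend can block on an external policy service every list call serialises on it; that is probably acceptable but deserves a comment at the call, `/* ACL filter runs under the object lock; keep it non-blocking */`. Evaluating the cheap flag match first, `virNetworkMatch(netobj, flags) && (!filter || filter(conn, netobj->def))`, would also avoid consulting the access manager for objects the flags discard anyway, with the same result. The rest of the loop body lies outside the hunk.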
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index 43f80d4..a1d3282 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -296,6 +296,10 @@ void virNetworkDefFree(virNetworkDefPtr def);
void virNetworkObjFree(virNetworkObjPtr net);
void virNetworkObjListFree(virNetworkObjListPtr vms);
+
+typedef bool (*virNetworkObjListFilter)(virConnectPtr conn,
+ virNetworkDefPtr def);
+
virNetworkObjPtr virNetworkAssignDef(virNetworkObjListPtr nets,
const virNetworkDefPtr def,
bool live);
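Review bot: The `virNetworkObjListFilter` typedef at L50 carries no comment saying what a true/false return means or that a NULL filter is accepted, which is exactly what an implementer of another driver needs to know. I'd add above it: `/* Return true if @conn is allowed to see @def; pass NULL to export without filtering. */`.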
@@ -417,9 +421,10 @@ VIR_ENUM_DECL(virNetworkForward)
VIR_CONNECT_LIST_NETWORKS_FILTERS_PERSISTENT | \
VIR_CONNECT_LIST_NETWORKS_FILTERS_AUTOSTART)
-int virNetworkList(virConnectPtr conn,
- virNetworkObjList netobjs,
- virNetworkPtr **nets,
- unsigned int flags);
+int virNetworkObjListExport(virConnectPtr conn,
+ virNetworkObjList netobjs,
+ virNetworkPtr **nets,
+ virNetworkObjListFilter filter,
+ unsigned int flags);
#endif /* __NETWORK_CONF_H__ */
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index f08ac64..bd52b3d 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -495,13 +495,13 @@ virNetworkFindByUUID;
virNetworkForwardTypeToString;
virNetworkIpDefNetmask;
virNetworkIpDefPrefix;
-virNetworkList;
virNetworkLoadAllConfigs;
virNetworkLoadAllState;
virNetworkObjAssignDef;
virNetworkObjFree;
virNetworkObjGetPersistentDef;
virNetworkObjIsDuplicate;
+virNetworkObjListExport;
virNetworkObjListFree;
virNetworkObjLock;
virNetworkObjReplacePersistentDef;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index fb1741f..742b492 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2899,10 +2899,12 @@ static int networkConnectNumOfNetworks(virConnectPtr conn) {
networkDriverLock(driver);
for (i = 0; i < driver->networks.count; i++) {
- virNetworkObjLock(driver->networks.objs[i]);
- if (virNetworkObjIsActive(driver->networks.objs[i]))
+ virNetworkObjPtr obj = driver->networks.objs[i];
+ virNetworkObjLock(obj);
+ if (virConnectNumOfNetworksCheckACL(conn, obj->def) &&
+ virNetworkObjIsActive(obj))
nactive++;
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjUnlock(obj);
}
networkDriverUnlock(driver);
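Review bot: At L99 the ACL callback is evaluated before `virNetworkObjIsActive(obj)`, so the access manager is consulted for every defined network even though inactive ones are discarded by the second operand; the three sibling loops in this file use the same order. Testing the cheap predicate first, `if (virNetworkObjIsActive(obj) && virConnectNumOfNetworksCheckACL(conn, obj->def))`, yields the same count and only performs the ACL check for objects that can actually be reported. This is a style point rather than a correctness issue; the function's head and return are outside the hunk.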
@@ -2918,15 +2920,17 @@ static int networkConnectListNetworks(virConnectPtr conn, char
**const names, in
networkDriverLock(driver);
for (i = 0; i < driver->networks.count && got < nnames; i++) {
- virNetworkObjLock(driver->networks.objs[i]);
- if (virNetworkObjIsActive(driver->networks.objs[i])) {
- if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) <
0) {
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjPtr obj = driver->networks.objs[i];
+ virNetworkObjLock(obj);
+ if (virConnectListNetworksCheckACL(conn, obj->def) &&
+ virNetworkObjIsActive(obj)) {
+ if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+ virNetworkObjUnlock(obj);
goto cleanup;
}
got++;
}
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjUnlock(obj);
}
networkDriverUnlock(driver);
@@ -2948,10 +2952,12 @@ static int networkConnectNumOfDefinedNetworks(virConnectPtr conn)
{
networkDriverLock(driver);
for (i = 0; i < driver->networks.count; i++) {
- virNetworkObjLock(driver->networks.objs[i]);
- if (!virNetworkObjIsActive(driver->networks.objs[i]))
+ virNetworkObjPtr obj = driver->networks.objs[i];
+ virNetworkObjLock(obj);
+ if (virConnectNumOfDefinedNetworksCheckACL(conn, obj->def) &&
+ !virNetworkObjIsActive(obj))
ninactive++;
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjUnlock(obj);
}
networkDriverUnlock(driver);
@@ -2967,15 +2973,17 @@ static int networkConnectListDefinedNetworks(virConnectPtr conn,
char **const na
networkDriverLock(driver);
for (i = 0; i < driver->networks.count && got < nnames; i++) {
- virNetworkObjLock(driver->networks.objs[i]);
- if (!virNetworkObjIsActive(driver->networks.objs[i])) {
- if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) <
0) {
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjPtr obj = driver->networks.objs[i];
+ virNetworkObjLock(obj);
+ if (virConnectListDefinedNetworksCheckACL(conn, obj->def) &&
+ !virNetworkObjIsActive(obj)) {
+ if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+ virNetworkObjUnlock(obj);
goto cleanup;
}
got++;
}
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjUnlock(obj);
}
networkDriverUnlock(driver);
return got;
@@ -3001,7 +3009,9 @@ networkConnectListAllNetworks(virConnectPtr conn,
goto cleanup;
networkDriverLock(driver);
- ret = virNetworkList(conn, driver->networks, nets, flags);
+ ret = virNetworkObjListExport(conn, driver->networks, nets,
+ virConnectListAllNetworksCheckACL,
+ flags);
networkDriverUnlock(driver);
cleanup:
diff --git a/src/parallels/parallels_network.c b/src/parallels/parallels_network.c
index c126e31..26a3f13 100644
--- a/src/parallels/parallels_network.c
+++ b/src/parallels/parallels_network.c
@@ -463,7 +463,7 @@ static int parallelsConnectListAllNetworks(virConnectPtr conn,
virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
parallelsDriverLock(privconn);
- ret = virNetworkList(conn, privconn->networks, nets, flags);
+ ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
parallelsDriverUnlock(privconn);
return ret;
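Review bot: The `NULL` filter at L185 means parallelsConnectListAllNetworks still returns every network to every connection, so this driver is not covered by the commit's stated goal of filtering all network-listing APIs, whereas the bridge driver passes `virConnectListAllNetworksCheckACL` for the same call. Unless the parallels driver is intentionally exempt, and assuming the generated ACL-check header is available to it, this should read `virNetworkObjListExport(conn, privconn->networks, nets, virConnectListAllNetworksCheckACL, flags)`. If the exemption is deliberate, a comment at the argument should say why. The function's head is outside the hunk.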
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index 88e23a3..d4c339e 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@@ -3092,7 +3092,7 @@ testConnectListAllNetworks(virConnectPtr conn,
virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
testDriverLock(privconn);
- ret = virNetworkList(conn, privconn->networks, nets, flags);
+ ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
testDriverUnlock(privconn);
return ret;
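Review bot: The `NULL` filter at L196 leaves testConnectListAllNetworks unfiltered; if that is deliberate because the test driver is not meant to enforce access control, a short comment at the argument, `NULL /* no ACL filtering in the test driver */`, would record it so it is not mistaken for an omission in a commit whose purpose is to add that filtering everywhere. The function's head is outside the hunk.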
--
1.8.1.4