[libvirt] [PATCH 0/8] Filtering of object lists via ACLs

Thursday, 27 June 2013

From: "Daniel P. Berrange" <berrange(a)redhat.com&gt;

The current ACL checks validate access to the object being
passed in to the API calls.

There are a few APIs (all the virConnectList* / virConnectNum*
ones) which are used to get lists of objects in the first
place. Currently you could find out that there is a VM called
"foo", but you can't then do virDomainLookupByName since the
ACL check may block it.

This series introduces filtering in the object list APIs,
so you can't even see the existance of an object called
"foo", if you don't have permission over it.

This is not yet filtering the legacy Xen driver.

Daniel P. Berrange (8):
  Add access control filtering of domain objects
  Add access control filtering of network objects
  Add access control filtering of node device objects
  Add access control filtering of storage objects
  Add access control filtering of secret objects
  Add access control filtering of nwfilter objects
  Add access control filtering of interface objects
  Extend the ACL test case to validate filter rule checks

 src/Makefile.am                         |   1 +
 src/check-aclrules.pl                   |  97 ++++++++++++
 src/conf/domain_conf.c                  |  91 +++++++----
 src/conf/domain_conf.h                  |  17 ++-
 src/conf/interface_conf.h               |   3 +
 src/conf/network_conf.c                 |  12 +-
 src/conf/network_conf.h                 |  13 +-
 src/conf/node_device_conf.c             |  12 +-
 src/conf/node_device_conf.h             |  12 +-
 src/conf/storage_conf.c                 |  12 +-
 src/conf/storage_conf.h                 |  11 +-
 src/interface/interface_backend_netcf.c | 262 +++++++++++++++++++++++++++-----
 src/interface/interface_backend_udev.c  |  56 +++++--
 src/libvirt_private.syms                |   6 +-
 src/libxl/libxl_driver.c                |  15 +-
 src/lxc/lxc_driver.c                    |  15 +-
 src/network/bridge_driver.c             |  44 +++---
 src/node_device/node_device_driver.c    |  28 ++--
 src/nwfilter/nwfilter_driver.c          |  39 +++--
 src/openvz/openvz_driver.c              |   7 +-
 src/parallels/parallels_driver.c        |  14 +-
 src/parallels/parallels_network.c       |   2 +-
 src/qemu/qemu_driver.c                  |  24 +--
 src/rpc/gendispatch.pl                  |  42 +++--
 src/secret/secret_driver.c              |  14 +-
 src/storage/storage_driver.c            |  62 +++++---
 src/test/test_driver.c                  |  18 ++-
 src/uml/uml_driver.c                    |  15 +-
 src/vmware/vmware_driver.c              |  12 +-
 29 files changed, 716 insertions(+), 240 deletions(-)

-- 
1.8.1.4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

[libvirt] [PATCH 0/8] Filtering of object lists via ACLs