Reviewed-by: John Ferlan <jferlan(a)redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
---
src/access/viraccessdriver.h | 5 ++++
src/access/viraccessdrivernop.c | 10 ++++++++
src/access/viraccessdriverpolkit.c | 21 +++++++++++++++++
src/access/viraccessdriverstack.c | 24 +++++++++++++++++++
src/access/viraccessmanager.c | 15 ++++++++++++
src/access/viraccessmanager.h | 5 ++++
src/access/viraccessperm.c | 7 +++++-
src/access/viraccessperm.h | 38 ++++++++++++++++++++++++++++++
src/rpc/gendispatch.pl | 3 ++-
9 files changed, 126 insertions(+), 2 deletions(-)
diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
index e3050b6439..3b25f36cab 100644
--- a/src/access/viraccessdriver.h
+++ b/src/access/viraccessdriver.h
@@ -47,6 +47,10 @@ typedef int (*virAccessDriverCheckNWFilterDrv)(virAccessManagerPtr
manager,
const char *driverName,
virNWFilterDefPtr nwfilter,
virAccessPermNWFilter av);
+typedef int (*virAccessDriverCheckNWFilterBindingDrv)(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding av);
typedef int (*virAccessDriverCheckSecretDrv)(virAccessManagerPtr manager,
const char *driverName,
virSecretDefPtr secret,
@@ -80,6 +84,7 @@ struct _virAccessDriver {
virAccessDriverCheckNetworkDrv checkNetwork;
virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
virAccessDriverCheckNWFilterDrv checkNWFilter;
+ virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
virAccessDriverCheckSecretDrv checkSecret;
virAccessDriverCheckStoragePoolDrv checkStoragePool;
virAccessDriverCheckStorageVolDrv checkStorageVol;
diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
index 86ceef37c2..98ef9206c5 100644
--- a/src/access/viraccessdrivernop.c
+++ b/src/access/viraccessdrivernop.c
@@ -75,6 +75,15 @@ virAccessDriverNopCheckNWFilter(virAccessManagerPtr manager
ATTRIBUTE_UNUSED,
return 1; /* Allow */
}
+static int
+virAccessDriverNopCheckNWFilterBinding(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+ const char *driverName ATTRIBUTE_UNUSED,
+ virNWFilterBindingDefPtr binding
ATTRIBUTE_UNUSED,
+ virAccessPermNWFilterBinding perm
ATTRIBUTE_UNUSED)
+{
+ return 1; /* Allow */
+}
+
static int
virAccessDriverNopCheckSecret(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
const char *driverName ATTRIBUTE_UNUSED,
@@ -112,6 +121,7 @@ virAccessDriver accessDriverNop = {
.checkNetwork = virAccessDriverNopCheckNetwork,
.checkNodeDevice = virAccessDriverNopCheckNodeDevice,
.checkNWFilter = virAccessDriverNopCheckNWFilter,
+ .checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
.checkSecret = virAccessDriverNopCheckSecret,
.checkStoragePool = virAccessDriverNopCheckStoragePool,
.checkStorageVol = virAccessDriverNopCheckStorageVol,
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 48a83f66d7..6954d74a15 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -276,6 +276,26 @@ virAccessDriverPolkitCheckNWFilter(virAccessManagerPtr manager,
attrs);
}
+static int
+virAccessDriverPolkitCheckNWFilterBinding(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding perm)
+{
+ const char *attrs[] = {
+ "connect_driver", driverName,
+ "nwfilter_binding_portdev", binding->portdevname,
+ "nwfilter_binding_linkdev", binding->linkdevname,
+ "nwfilter_binding_filter", binding->filter,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "nwfilter_binding",
+ virAccessPermNWFilterBindingTypeToString(perm),
+ attrs);
+}
+
static int
virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
const char *driverName,
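Review bot: The `attrs` array built for the new check is a flat, NULL-terminated key/value list, so a NULL member value ends the list early; if `linkdevname` is optional in virNWFilterBindingDef (not visible in this hunk), a binding with no link device would terminate the list at the `"nwfilter_binding_linkdev"` slot and `"nwfilter_binding_filter"` would never reach polkit, so policy rules keyed on the filter name would silently not match (or, depending on how virAccessDriverPolkitCheck validates pairs, the check would error out). The sibling object checks appear to pass only mandatory fields, so either drop the `"nwfilter_binding_linkdev", binding->linkdevname,` entry or make the value non-NULL before it enters the array, e.g. `"nwfilter_binding_linkdev", binding->linkdevname ? binding->linkdevname : "",`. Whichever is chosen, a short comment on the array stating which fields are guaranteed non-NULL would keep the next attribute addition from reintroducing the problem.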
@@ -409,6 +429,7 @@ virAccessDriver accessDriverPolkit = {
.checkNetwork = virAccessDriverPolkitCheckNetwork,
.checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
.checkNWFilter = virAccessDriverPolkitCheckNWFilter,
+ .checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,
.checkSecret = virAccessDriverPolkitCheckSecret,
.checkStoragePool = virAccessDriverPolkitCheckStoragePool,
.checkStorageVol = virAccessDriverPolkitCheckStorageVol,
diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c
index b43a743027..0ffc6abaf3 100644
--- a/src/access/viraccessdriverstack.c
+++ b/src/access/viraccessdriverstack.c
@@ -197,6 +197,29 @@ virAccessDriverStackCheckNWFilter(virAccessManagerPtr manager,
return ret;
}
+static int
+virAccessDriverStackCheckNWFilterBinding(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding perm)
+{
+ virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+ int ret = 1;
+ size_t i;
+
+ for (i = 0; i < priv->managersLen; i++) {
+ int rv;
+ /* We do not short-circuit on first denial - always check all drivers */
+ rv = virAccessManagerCheckNWFilterBinding(priv->managers[i], driverName,
binding, perm);
+ if (rv == 0 && ret != -1)
+ ret = 0;
+ else if (rv < 0)
+ ret = -1;
+ }
+
+ return ret;
+}
+
static int
virAccessDriverStackCheckSecret(virAccessManagerPtr manager,
const char *driverName,
@@ -277,6 +300,7 @@ virAccessDriver accessDriverStack = {
.checkNetwork = virAccessDriverStackCheckNetwork,
.checkNodeDevice = virAccessDriverStackCheckNodeDevice,
.checkNWFilter = virAccessDriverStackCheckNWFilter,
+ .checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,
.checkSecret = virAccessDriverStackCheckSecret,
.checkStoragePool = virAccessDriverStackCheckStoragePool,
.checkStorageVol = virAccessDriverStackCheckStorageVol,
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index b048a367e3..e7b5bf38da 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -296,6 +296,21 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
return virAccessManagerSanitizeError(ret);
}
+int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding perm)
+{
+ int ret = 0;
+ VIR_DEBUG("manager=%p(name=%s) driver=%s binding=%p perm=%d",
+ manager, manager->drv->name, driverName, binding, perm);
+
+ if (manager->drv->checkNWFilterBinding)
+ ret = manager->drv->checkNWFilterBinding(manager, driverName, binding,
perm);
+
+ return virAccessManagerSanitizeError(ret);
+}
+
int virAccessManagerCheckSecret(virAccessManagerPtr manager,
const char *driverName,
virSecretDefPtr secret,
diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h
index e7eb15d30c..4fc86a1ff2 100644
--- a/src/access/viraccessmanager.h
+++ b/src/access/viraccessmanager.h
@@ -29,6 +29,7 @@
# include "conf/storage_conf.h"
# include "conf/secret_conf.h"
# include "conf/interface_conf.h"
+# include "conf/virnwfilterbindingdef.h"
# include "access/viraccessperm.h"
typedef struct _virAccessManager virAccessManager;
@@ -73,6 +74,10 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
const char *driverName,
virNWFilterDefPtr nwfilter,
virAccessPermNWFilter perm);
+int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding perm);
int virAccessManagerCheckSecret(virAccessManagerPtr manager,
const char *driverName,
virSecretDefPtr secret,
diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c
index 0f58290173..d7cbb70b7b 100644
--- a/src/access/viraccessperm.c
+++ b/src/access/viraccessperm.c
@@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect,
"search_domains", "search_networks",
"search_storage_pools", "search_node_devices",
"search_interfaces", "search_secrets",
- "search_nwfilters",
+ "search_nwfilters", "search_nwfilter_bindings",
"detect_storage_pools", "pm_control",
"interface_transaction");
@@ -66,6 +66,11 @@ VIR_ENUM_IMPL(virAccessPermNWFilter,
"getattr", "read", "write",
"save", "delete");
+VIR_ENUM_IMPL(virAccessPermNWFilterBinding,
+ VIR_ACCESS_PERM_NWFILTER_BINDING_LAST,
+ "getattr", "read",
+ "create", "delete");
+
VIR_ENUM_IMPL(virAccessPermSecret,
VIR_ACCESS_PERM_SECRET_LAST,
"getattr", "read", "write",
diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index 1817da73bc..5ac5ff3377 100644
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -94,6 +94,12 @@ typedef enum {
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTERS,
+ /**
+ * @desc: List network filter bindings
+ * @message: Listing network filter bindings requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTER_BINDINGS,
/**
* @desc: Detect storage pools
@@ -486,6 +492,37 @@ typedef enum {
VIR_ACCESS_PERM_NWFILTER_LAST
} virAccessPermNWFilter;
+typedef enum {
+
+ /**
+ * @desc: Access network filter
+ * @message: Accessing network filter requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_NWFILTER_BINDING_GETATTR,
+
+ /**
+ * @desc: Read network filter binding
+ * @message: Reading network filter configuration requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_NWFILTER_BINDING_READ,
+
+ /**
+ * @desc: Create network filter binding
+ * @message: Creating network filter binding requires authorization
+ */
+ VIR_ACCESS_PERM_NWFILTER_BINDING_CREATE,
+
+ /**
+ * @desc: Delete network filter binding
+ * @message: Deleting network filter binding requires authorization
+ */
+ VIR_ACCESS_PERM_NWFILTER_BINDING_DELETE,
+
+ VIR_ACCESS_PERM_NWFILTER_BINDING_LAST
+} virAccessPermNWFilterBinding;
+
typedef enum {
/**
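Review bot: The `@desc`/`@message` annotations on `VIR_ACCESS_PERM_NWFILTER_BINDING_GETATTR`, and the `@message` on `VIR_ACCESS_PERM_NWFILTER_BINDING_READ`, still describe the plain network filter object rather than the binding: `@desc: Access network filter`, `@message: Accessing network filter requires authorization`, and `@message: Reading network filter configuration requires authorization`. If these annotations feed the generated polkit policy as the sibling enums' annotations appear to, the user-facing authorization prompt for binding operations would be indistinguishable from the nwfilter one, which makes policy review and audit harder. Suggest `@desc: Access network filter binding`, `@message: Accessing network filter binding requires authorization`, and `@message: Reading network filter binding configuration requires authorization`, matching the wording already used for CREATE and DELETE in this hunk.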
@@ -657,6 +694,7 @@ VIR_ENUM_DECL(virAccessPermInterface);
VIR_ENUM_DECL(virAccessPermNetwork);
VIR_ENUM_DECL(virAccessPermNodeDevice);
VIR_ENUM_DECL(virAccessPermNWFilter);
+VIR_ENUM_DECL(virAccessPermNWFilterBinding);
VIR_ENUM_DECL(virAccessPermSecret);
VIR_ENUM_DECL(virAccessPermStoragePool);
VIR_ENUM_DECL(virAccessPermStorageVol);
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index b8b83b6b40..480ebe7b00 100755
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2033,7 +2033,8 @@ elsif ($mode eq "client") {
"storage_conf.h",
"nwfilter_conf.h",
"node_device_conf.h",
- "interface_conf.h"
+ "interface_conf.h",
+ "virnwfilterbindingdef.h",
);
foreach my $hdr (@headers) {
print "#include \"$hdr\"\n";
--
2.17.0