diff --git a/src/access/viraccessdriver.h b/src/access/viraccessdriver.h
index e3050b6439fc68fa98f181481aa7277382b68eeb..3b25f36cabd81d6a9a9546e279894566e0b26b89 100644
--- a/src/access/viraccessdriver.h
+++ b/src/access/viraccessdriver.h
@@ -47,6 +47,10 @@ typedef int (*virAccessDriverCheckNWFilterDrv)(virAccessManagerPtr manager,
 const char *driverName,
 virNWFilterDefPtr nwfilter,
 virAccessPermNWFilter av);
+typedef int (*virAccessDriverCheckNWFilterBindingDrv)(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding av);
 typedef int (*virAccessDriverCheckSecretDrv)(virAccessManagerPtr manager,
 const char *driverName,
 virSecretDefPtr secret,
@@ -80,6 +84,7 @@ struct _virAccessDriver {
 virAccessDriverCheckNetworkDrv checkNetwork;
 virAccessDriverCheckNodeDeviceDrv checkNodeDevice;
 virAccessDriverCheckNWFilterDrv checkNWFilter;
+ virAccessDriverCheckNWFilterBindingDrv checkNWFilterBinding;
 virAccessDriverCheckSecretDrv checkSecret;
 virAccessDriverCheckStoragePoolDrv checkStoragePool;
 virAccessDriverCheckStorageVolDrv checkStorageVol;
diff --git a/src/access/viraccessdrivernop.c b/src/access/viraccessdrivernop.c
index 86ceef37c28113143357448a6067d1fd4e7e67ad..98ef9206c587e721a9b355577a98e33ded1780b8 100644
--- a/src/access/viraccessdrivernop.c
+++ b/src/access/viraccessdrivernop.c
@@ -75,6 +75,15 @@ virAccessDriverNopCheckNWFilter(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
 return 1; /* Allow */
 }
 
+static int
+virAccessDriverNopCheckNWFilterBinding(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+ const char *driverName ATTRIBUTE_UNUSED,
+ virNWFilterBindingDefPtr binding ATTRIBUTE_UNUSED,
+ virAccessPermNWFilterBinding perm ATTRIBUTE_UNUSED)
+{
+ return 1; /* Allow */
+}
+
 static int
 virAccessDriverNopCheckSecret(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
 const char *driverName ATTRIBUTE_UNUSED,
@@ -112,6 +121,7 @@ virAccessDriver accessDriverNop = {
 .checkNetwork = virAccessDriverNopCheckNetwork,
 .checkNodeDevice = virAccessDriverNopCheckNodeDevice,
 .checkNWFilter = virAccessDriverNopCheckNWFilter,
+ .checkNWFilterBinding = virAccessDriverNopCheckNWFilterBinding,
 .checkSecret = virAccessDriverNopCheckSecret,
 .checkStoragePool = virAccessDriverNopCheckStoragePool,
 .checkStorageVol = virAccessDriverNopCheckStorageVol,
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 48a83f66d7f8d8414ebfbae5438279a5f32ccb53..6954d74a150d18edc4b4f2b46cc1f7f8a67d18d9 100644
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -276,6 +276,26 @@ virAccessDriverPolkitCheckNWFilter(virAccessManagerPtr manager,
 attrs);
 }
 
+static int
+virAccessDriverPolkitCheckNWFilterBinding(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding perm)
+{
+ const char *attrs[] = {
+ "connect_driver", driverName,
+ "nwfilter_binding_portdev", binding->portdevname,
+ "nwfilter_binding_linkdev", binding->linkdevname,
+ "nwfilter_binding_filter", binding->filter,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "nwfilter_binding",
+ virAccessPermNWFilterBindingTypeToString(perm),
+ attrs);
+}
+
 static int
 virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
 const char *driverName,
@@ -409,6 +429,7 @@ virAccessDriver accessDriverPolkit = {
 .checkNetwork = virAccessDriverPolkitCheckNetwork,
 .checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
 .checkNWFilter = virAccessDriverPolkitCheckNWFilter,
+ .checkNWFilterBinding = virAccessDriverPolkitCheckNWFilterBinding,
 .checkSecret = virAccessDriverPolkitCheckSecret,
 .checkStoragePool = virAccessDriverPolkitCheckStoragePool,
 .checkStorageVol = virAccessDriverPolkitCheckStorageVol,
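Review bot: The attrs table in virAccessDriverPolkitCheckNWFilterBinding puts `binding->linkdevname` straight into the NULL-terminated key/value list, and if a binding has no link device (the element is optional in the binding XML, as far as I recall the schema) that slot becomes a NULL value in the middle of the list. Depending on how virAccessDriverPolkitCheck walks the pairs, that either ends the details at the linkdev key, silently dropping `nwfilter_binding_filter` from what polkit gets to see, or hands a NULL string to the D-Bus encoder; either way the filter name is the attribute an admin rule is most likely to match on, so it must not be lost. I'd guard it with `"nwfilter_binding_linkdev", binding->linkdevname ? binding->linkdevname : "",` or drop the linkdev attribute altogether. `driverName` and `binding->portdevname` are presumably always set by the callers, but the same caveat applies if that is not guaranteed.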
diff --git a/src/access/viraccessdriverstack.c b/src/access/viraccessdriverstack.c
index b43a7430277404b8b191eaba506e25cd74c792ae..0ffc6abaf303d346dda7780deaf63c3f384afb9f 100644
--- a/src/access/viraccessdriverstack.c
+++ b/src/access/viraccessdriverstack.c
@@ -197,6 +197,29 @@ virAccessDriverStackCheckNWFilter(virAccessManagerPtr manager,
 return ret;
 }
 
+static int
+virAccessDriverStackCheckNWFilterBinding(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding perm)
+{
+ virAccessDriverStackPrivatePtr priv = virAccessManagerGetPrivateData(manager);
+ int ret = 1;
+ size_t i;
+
+ for (i = 0; i < priv->managersLen; i++) {
+ int rv;
+ /* We do not short-circuit on first denial - always check all drivers */
+ rv = virAccessManagerCheckNWFilterBinding(priv->managers[i], driverName, binding, perm);
+ if (rv == 0 && ret != -1)
+ ret = 0;
+ else if (rv < 0)
+ ret = -1;
+ }
+
+ return ret;
+}
+
 static int
 virAccessDriverStackCheckSecret(virAccessManagerPtr manager,
 const char *driverName,
@@ -277,6 +300,7 @@ virAccessDriver accessDriverStack = {
 .checkNetwork = virAccessDriverStackCheckNetwork,
 .checkNodeDevice = virAccessDriverStackCheckNodeDevice,
 .checkNWFilter = virAccessDriverStackCheckNWFilter,
+ .checkNWFilterBinding = virAccessDriverStackCheckNWFilterBinding,
 .checkSecret = virAccessDriverStackCheckSecret,
 .checkStoragePool = virAccessDriverStackCheckStoragePool,
 .checkStorageVol = virAccessDriverStackCheckStorageVol,
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index b048a367e31c088a001240d619e67696234f0dba..e7b5bf38da84f7ab50b4786535943fab56fea2c9 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -296,6 +296,21 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
 return virAccessManagerSanitizeError(ret);
 }
 
+int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding perm)
+{
+ int ret = 0;
+ VIR_DEBUG("manager=%p(name=%s) driver=%s binding=%p perm=%d",
+ manager, manager->drv->name, driverName, binding, perm);
+
+ if (manager->drv->checkNWFilterBinding)
+ ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
+
+ return virAccessManagerSanitizeError(ret);
+}
+
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
 const char *driverName,
 virSecretDefPtr secret,
diff --git a/src/access/viraccessmanager.h b/src/access/viraccessmanager.h
index e7eb15d30c13cc74e89d4420e74c874e879b77c2..4fc86a1ff2c99b7ecba197f609cfb02fc6fedb9b 100644
--- a/src/access/viraccessmanager.h
+++ b/src/access/viraccessmanager.h
@@ -29,6 +29,7 @@
 # include "conf/storage_conf.h"
 # include "conf/secret_conf.h"
 # include "conf/interface_conf.h"
+# include "conf/virnwfilterbindingdef.h"
 # include "access/viraccessperm.h"
 
 typedef struct _virAccessManager virAccessManager;
@@ -73,6 +74,10 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
 const char *driverName,
 virNWFilterDefPtr nwfilter,
 virAccessPermNWFilter perm);
+int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterBindingDefPtr binding,
+ virAccessPermNWFilterBinding perm);
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
 const char *driverName,
 virSecretDefPtr secret,
diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c
index 0f5829017305556dc1730ce14e269b3f54da7a71..d7cbb70b7bb0849fd6ad42b0048c1d87bac0b0d4 100644
--- a/src/access/viraccessperm.c
+++ b/src/access/viraccessperm.c
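Review bot: `int ret = 0;` in virAccessManagerCheckNWFilterBinding is the line that makes the new check fail closed — a driver that leaves checkNWFilterBinding unset never grants the permission, since the nop driver's `return 1; /* Allow */` and the stack driver's `rv == 0` handling show 0 to be the deny value — but nothing at that line says the default is deliberate, and a reader skimming for the policy could take it for a placeholder. I'd annotate it: `int ret = 0; /* deny by default: a driver without this callback cannot grant it */`. It is also worth confirming that virAccessManagerSanitizeError passes 0 through unchanged, because the deny result depends on it and that helper is not in the hunk.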
@@ -29,7 +29,7 @@ VIR_ENUM_IMPL(virAccessPermConnect,
 "search_domains", "search_networks", "search_storage_pools",
 "search_node_devices", "search_interfaces", "search_secrets",
-"search_nwfilters",
+"search_nwfilters", "search_nwfilter_bindings",
 "detect_storage_pools", "pm_control",
 "interface_transaction");
 
 
@@ -66,6 +66,11 @@ VIR_ENUM_IMPL(virAccessPermNWFilter,
 "getattr", "read", "write",
 "save", "delete");
 
+VIR_ENUM_IMPL(virAccessPermNWFilterBinding,
+ VIR_ACCESS_PERM_NWFILTER_BINDING_LAST,
+ "getattr", "read",
+ "create", "delete");
+
 VIR_ENUM_IMPL(virAccessPermSecret,
 VIR_ACCESS_PERM_SECRET_LAST,
 "getattr", "read", "write",
diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index 1817da73bc383971ce98931876a7cb423fb44242..5ac5ff3377c95b657f08b7f379acfa28bdf1ecc4 100644
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -94,6 +94,12 @@ typedef enum {
 */
 VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTERS,
 
+ /**
+ * @desc: List network filter bindings
+ * @message: Listing network filter bindings requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_CONNECT_SEARCH_NWFILTER_BINDINGS,
 
 /**
 * @desc: Detect storage pools
@@ -486,6 +492,37 @@ typedef enum {
 VIR_ACCESS_PERM_NWFILTER_LAST
 } virAccessPermNWFilter;
 
+typedef enum {
+
+ /**
+ * @desc: Access network filter
+ * @message: Accessing network filter requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_NWFILTER_BINDING_GETATTR,
+
+ /**
+ * @desc: Read network filter binding
+ * @message: Reading network filter configuration requires authorization
+ * @anonymous: 1
+ */
+ VIR_ACCESS_PERM_NWFILTER_BINDING_READ,
+
+ /**
+ * @desc: Create network filter binding
+ * @message: Creating network filter binding requires authorization
+ */
+ VIR_ACCESS_PERM_NWFILTER_BINDING_CREATE,
+
+ /**
+ * @desc: Delete network filter binding
+ * @message: Deleting network filter binding requires authorization
+ */
+ VIR_ACCESS_PERM_NWFILTER_BINDING_DELETE,
+
+ VIR_ACCESS_PERM_NWFILTER_BINDING_LAST
+} virAccessPermNWFilterBinding;
+
 typedef enum {
 
 /**
@@ -657,6 +694,7 @@ VIR_ENUM_DECL(virAccessPermInterface);
 VIR_ENUM_DECL(virAccessPermNetwork);
 VIR_ENUM_DECL(virAccessPermNodeDevice);
 VIR_ENUM_DECL(virAccessPermNWFilter);
+VIR_ENUM_DECL(virAccessPermNWFilterBinding);
 VIR_ENUM_DECL(virAccessPermSecret);
 VIR_ENUM_DECL(virAccessPermStoragePool);
 VIR_ENUM_DECL(virAccessPermStorageVol);
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index b8b83b6b40d30cb9c03cbb50b0089020006e377f..480ebe7b00fc5866e0b8a967a547e4bd9712baa6 100755
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2033,7 +2033,8 @@ elsif ($mode eq "client") {
 "storage_conf.h",
 "nwfilter_conf.h",
 "node_device_conf.h",
- "interface_conf.h"
+ "interface_conf.h",
+ "virnwfilterbindingdef.h",
 );
 foreach my $hdr (@headers) {
 print "#include \"$hdr\"\n";
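Review bot: The GETATTR entry of the new virAccessPermNWFilterBinding enum carries the wrong annotations: `@desc: Access network filter` and `@message: Accessing network filter requires authorization` are copied from the nwfilter enum and never mention bindings, and the READ entry's `@message: Reading network filter configuration requires authorization` has the same slip. As far as I know these annotations are what the polkit policy generator and the permission-denied messages surface to users, so an administrator would see identical wording for the nwfilter and nwfilter_binding getattr actions and could not tell which object class a denial refers to. I'd change the three lines to `@desc: Access network filter binding`, `@message: Accessing network filter binding requires authorization` and `@message: Reading network filter binding configuration requires authorization`, matching the CREATE and DELETE entries below them.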