Add access control filtering of storage objects

Ensure that all APIs which list storage objects filter
them against the access control system.
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

src/conf/storage_conf.c

@@ -2203,9 +2203,10 @@ virStoragePoolMatch(virStoragePoolObjPtr poolobj,
 #undef MATCH
 
 int
-virStoragePoolList(virConnectPtr conn,
+virStoragePoolObjListExport(virConnectPtr conn,
                             virStoragePoolObjList poolobjs,
                             virStoragePoolPtr **pools,
+                            virStoragePoolObjListFilter filter,
                             unsigned int flags)
 {
     virStoragePoolPtr *tmp_pools = NULL;
@@ -2224,7 +2225,8 @@ virStoragePoolList(virConnectPtr conn,
     for (i = 0; i < poolobjs.count; i++) {
         virStoragePoolObjPtr poolobj = poolobjs.objs[i];
         virStoragePoolObjLock(poolobj);
-        if (virStoragePoolMatch(poolobj, flags)) {
+        if ((!filter || filter(conn, poolobj->def)) &&
+            virStoragePoolMatch(poolobj, flags)) {
             if (pools) {
                 if (!(pool = virGetStoragePool(conn,
                                                poolobj->def->name,

src/conf/storage_conf.h

@@ -357,6 +357,8 @@ struct _virStoragePoolSourceList {
     virStoragePoolSourcePtr sources;
 };
 
+typedef bool (*virStoragePoolObjListFilter)(virConnectPtr conn,
+                                            virStoragePoolDefPtr def);
 
 static inline int
 virStoragePoolObjIsActive(virStoragePoolObjPtr pool)
@@ -570,9 +572,10 @@ VIR_ENUM_DECL(virStoragePartedFsType)
                  VIR_CONNECT_LIST_STORAGE_POOLS_FILTERS_AUTOSTART  | \
                  VIR_CONNECT_LIST_STORAGE_POOLS_FILTERS_POOL_TYPE)
 
-int virStoragePoolList(virConnectPtr conn,
+int virStoragePoolObjListExport(virConnectPtr conn,
                                 virStoragePoolObjList poolobjs,
                                 virStoragePoolPtr **pools,
+                                virStoragePoolObjListFilter filter,
                                 unsigned int flags);
 
 #endif /* __VIR_STORAGE_CONF_H__ */

src/libvirt_private.syms

@@ -650,7 +650,6 @@ virStoragePoolDefParseString;
 virStoragePoolFormatDiskTypeToString;
 virStoragePoolFormatFileSystemNetTypeToString;
 virStoragePoolFormatFileSystemTypeToString;
-virStoragePoolList;
 virStoragePoolLoadAllConfigs;
 virStoragePoolObjAssignDef;
 virStoragePoolObjClearVols;
@@ -658,6 +657,7 @@ virStoragePoolObjDeleteDef;
 virStoragePoolObjFindByName;
 virStoragePoolObjFindByUUID;
 virStoragePoolObjIsDuplicate;
+virStoragePoolObjListExport;
 virStoragePoolObjListFree;
 virStoragePoolObjLock;
 virStoragePoolObjRemove;

src/storage/storage_driver.c

@@ -348,10 +348,12 @@ storageConnectNumOfStoragePools(virConnectPtr conn) {
 
     storageDriverLock(driver);
     for (i = 0; i < driver->pools.count; i++) {
-        virStoragePoolObjLock(driver->pools.objs[i]);
-        if (virStoragePoolObjIsActive(driver->pools.objs[i]))
+        virStoragePoolObjPtr obj = driver->pools.objs[i];
+        virStoragePoolObjLock(obj);
+        if (virConnectNumOfStoragePoolsCheckACL(conn, obj->def) &&
+            virStoragePoolObjIsActive(obj))
             nactive++;
-        virStoragePoolObjUnlock(driver->pools.objs[i]);
+        virStoragePoolObjUnlock(obj);
     }
     storageDriverUnlock(driver);
 
@@ -370,15 +372,17 @@ storageConnectListStoragePools(virConnectPtr conn,
 
     storageDriverLock(driver);
     for (i = 0; i < driver->pools.count && got < nnames; i++) {
-        virStoragePoolObjLock(driver->pools.objs[i]);
-        if (virStoragePoolObjIsActive(driver->pools.objs[i])) {
-            if (VIR_STRDUP(names[got], driver->pools.objs[i]->def->name) < 0) {
-                virStoragePoolObjUnlock(driver->pools.objs[i]);
+        virStoragePoolObjPtr obj = driver->pools.objs[i];
+        virStoragePoolObjLock(obj);
+        if (virConnectListStoragePoolsCheckACL(conn, obj->def) &&
+            virStoragePoolObjIsActive(obj)) {
+            if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+                virStoragePoolObjUnlock(obj);
                 goto cleanup;
             }
             got++;
         }
-        virStoragePoolObjUnlock(driver->pools.objs[i]);
+        virStoragePoolObjUnlock(obj);
     }
     storageDriverUnlock(driver);
     return got;
@@ -401,10 +405,12 @@ storageConnectNumOfDefinedStoragePools(virConnectPtr conn) {
 
     storageDriverLock(driver);
     for (i = 0; i < driver->pools.count; i++) {
-        virStoragePoolObjLock(driver->pools.objs[i]);
-        if (!virStoragePoolObjIsActive(driver->pools.objs[i]))
+        virStoragePoolObjPtr obj = driver->pools.objs[i];
+        virStoragePoolObjLock(obj);
+        if (virConnectNumOfDefinedStoragePoolsCheckACL(conn, obj->def) &&
+            !virStoragePoolObjIsActive(obj))
             nactive++;
-        virStoragePoolObjUnlock(driver->pools.objs[i]);
+        virStoragePoolObjUnlock(obj);
     }
     storageDriverUnlock(driver);
 
@@ -423,15 +429,17 @@ storageConnectListDefinedStoragePools(virConnectPtr conn,
 
     storageDriverLock(driver);
     for (i = 0; i < driver->pools.count && got < nnames; i++) {
-        virStoragePoolObjLock(driver->pools.objs[i]);
-        if (!virStoragePoolObjIsActive(driver->pools.objs[i])) {
-            if (VIR_STRDUP(names[got], driver->pools.objs[i]->def->name) < 0) {
-                virStoragePoolObjUnlock(driver->pools.objs[i]);
+        virStoragePoolObjPtr obj = driver->pools.objs[i];
+        virStoragePoolObjLock(obj);
+        if (virConnectListDefinedStoragePoolsCheckACL(conn, obj->def) &&
+            !virStoragePoolObjIsActive(obj)) {
+            if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+                virStoragePoolObjUnlock(obj);
                 goto cleanup;
             }
             got++;
         }
-        virStoragePoolObjUnlock(driver->pools.objs[i]);
+        virStoragePoolObjUnlock(obj);
     }
     storageDriverUnlock(driver);
     return got;
@@ -1152,7 +1160,7 @@ static int
 storagePoolNumOfVolumes(virStoragePoolPtr obj) {
     virStorageDriverStatePtr driver = obj->conn->storagePrivateData;
     virStoragePoolObjPtr pool;
-    int ret = -1;
+    int ret = -1, i;
 
     storageDriverLock(driver);
     pool = virStoragePoolObjFindByUUID(&driver->pools, obj->uuid);
@@ -1172,7 +1180,12 @@ storagePoolNumOfVolumes(virStoragePoolPtr obj) {
                        _("storage pool '%s' is not active"), pool->def->name);
         goto cleanup;
     }
-    ret = pool->volumes.count;
+    ret = 0;
+    for (i = 0; i < pool->volumes.count; i++) {
+        if (virStoragePoolNumOfVolumesCheckACL(obj->conn, pool->def,
+                                               pool->volumes.objs[i]))
+            ret++;
+    }
 
 cleanup:
     if (pool)
@@ -1210,6 +1223,9 @@ storagePoolListVolumes(virStoragePoolPtr obj,
     }
 
     for (i = 0; i < pool->volumes.count && n < maxnames; i++) {
+        if (!virStoragePoolListVolumesCheckACL(obj->conn, pool->def,
+                                               pool->volumes.objs[i]))
+            continue;
         if (VIR_STRDUP(names[n++], pool->volumes.objs[i]->name) < 0)
             goto cleanup;
     }
@@ -1273,6 +1289,9 @@ storagePoolListAllVolumes(virStoragePoolPtr pool,
     }
 
     for (i = 0; i < obj->volumes.count; i++) {
+        if (!virStoragePoolListAllVolumesCheckACL(pool->conn, obj->def,
+                                                  obj->volumes.objs[i]))
+            continue;
         if (!(vol = virGetStorageVol(pool->conn, obj->def->name,
                                      obj->volumes.objs[i]->name,
                                      obj->volumes.objs[i]->key,
@@ -2511,7 +2530,8 @@ storageConnectListAllStoragePools(virConnectPtr conn,
         goto cleanup;
 
     storageDriverLock(driver);
-    ret = virStoragePoolList(conn, driver->pools, pools, flags);
+    ret = virStoragePoolObjListExport(conn, driver->pools, pools,
+                                      virConnectListAllStoragePoolsCheckACL, flags);
     storageDriverUnlock(driver);
 
 cleanup:

src/test/test_driver.c

@@ -4052,7 +4052,8 @@ testConnectListAllStoragePools(virConnectPtr conn,
     virCheckFlags(VIR_CONNECT_LIST_STORAGE_POOLS_FILTERS_ALL, -1);
 
     testDriverLock(privconn);
-    ret = virStoragePoolList(conn, privconn->pools, pools, flags);
+    ret = virStoragePoolObjListExport(conn, privconn->pools, pools,
+                                      NULL, flags);
     testDriverUnlock(privconn);
 
     return ret;