From bbaa4e1cba8190ef62c00ac8ff3e1a9d980b8dc2 Mon Sep 17 00:00:00 2001
From: "Daniel P. Berrange"
Date: Wed, 26 Jun 2013 16:42:27 +0100
Subject: [PATCH] Add access control filtering of network objects

Ensure that all APIs which list network objects filter them against the access control system.

Signed-off-by: Daniel P. Berrange
---
 src/conf/network_conf.c | 12 +++++----
 src/conf/network_conf.h | 13 ++++++---
 src/libvirt_private.syms | 2 +-
 src/network/bridge_driver.c | 44 +++++++++++++++++++------------
 src/parallels/parallels_network.c | 2 +-
 src/test/test_driver.c | 2 +-
 6 files changed, 46 insertions(+), 29 deletions(-)

diff --git a/src/conf/network_conf.c b/src/conf/network_conf.c
index 2b4845ca99..64fd581f03 100644
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -4289,10 +4289,11 @@ virNetworkMatch(virNetworkObjPtr netobj,
 #undef MATCH
 int
-virNetworkList(virConnectPtr conn,
- virNetworkObjList netobjs,
- virNetworkPtr **nets,
- unsigned int flags)
+virNetworkObjListExport(virConnectPtr conn,
+ virNetworkObjList netobjs,
+ virNetworkPtr **nets,
+ virNetworkObjListFilter filter,
+ unsigned int flags)
 {
 virNetworkPtr *tmp_nets = NULL;
 virNetworkPtr net = NULL;
@@ -4310,7 +4311,8 @@ virNetworkList(virConnectPtr conn,
 for (i = 0; i < netobjs.count; i++) {
 virNetworkObjPtr netobj = netobjs.objs[i];
 virNetworkObjLock(netobj);
- if (virNetworkMatch(netobj, flags)) {
+ if ((!filter || filter(conn, netobj->def)) &&
+ virNetworkMatch(netobj, flags)) {
 if (nets) {
 if (!(net = virGetNetwork(conn, netobj->def->name,
diff --git a/src/conf/network_conf.h b/src/conf/network_conf.h
index 43f80d4ebd..a1d3282db4 100644
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
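Review bot: In the second network_conf.c hunk the new condition `if ((!filter || filter(conn, netobj->def)) && virNetworkMatch(netobj, flags))` consults the access-control callback for every object in the list before the cheap in-memory flag match, so objects that the caller's `flags` would discard anyway still pay for an ACL decision. Evaluating the flag match first, `if (virNetworkMatch(netobj, flags) && (!filter || filter(conn, netobj->def)))`, yields the same set of objects as far as this hunk shows (both operands are plain predicates here) and only invokes the filter for candidates that can actually be returned; how much that saves depends on the access driver behind the callback, which is not visible in this diff. The new `filter` parameter of `virNetworkObjListExport` is also undocumented; a comment above the definition should state that `filter` may be NULL (no filtering), that it is invoked with the object's lock held (`virNetworkObjLock(netobj)` precedes the call), and that a false return silently omits the object from both the returned array and the count reported when `nets` is NULL. The function body continues past the end of this hunk.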
@@ -296,6 +296,10 @@ void virNetworkDefFree(virNetworkDefPtr def);
 void virNetworkObjFree(virNetworkObjPtr net);
 void virNetworkObjListFree(virNetworkObjListPtr vms);
+
+typedef bool (*virNetworkObjListFilter)(virConnectPtr conn,
+ virNetworkDefPtr def);
+
 virNetworkObjPtr virNetworkAssignDef(virNetworkObjListPtr nets,
 const virNetworkDefPtr def,
 bool live);
@@ -417,9 +421,10 @@ VIR_ENUM_DECL(virNetworkForward)
 VIR_CONNECT_LIST_NETWORKS_FILTERS_PERSISTENT | \
 VIR_CONNECT_LIST_NETWORKS_FILTERS_AUTOSTART)
-int virNetworkList(virConnectPtr conn,
- virNetworkObjList netobjs,
- virNetworkPtr **nets,
- unsigned int flags);
+int virNetworkObjListExport(virConnectPtr conn,
+ virNetworkObjList netobjs,
+ virNetworkPtr **nets,
+ virNetworkObjListFilter filter,
+ unsigned int flags);
 #endif /* __NETWORK_CONF_H__ */
diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 281478fe60..18437328d3 100644
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -495,13 +495,13 @@ virNetworkFindByUUID;
 virNetworkForwardTypeToString;
 virNetworkIpDefNetmask;
 virNetworkIpDefPrefix;
-virNetworkList;
 virNetworkLoadAllConfigs;
 virNetworkLoadAllState;
 virNetworkObjAssignDef;
 virNetworkObjFree;
 virNetworkObjGetPersistentDef;
 virNetworkObjIsDuplicate;
+virNetworkObjListExport;
 virNetworkObjListFree;
 virNetworkObjLock;
 virNetworkObjReplacePersistentDef;
diff --git a/src/network/bridge_driver.c b/src/network/bridge_driver.c
index 2d7790b317..d7e90ac89c 100644
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
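Review bot: The new `virNetworkObjListFilter` typedef in network_conf.h carries no comment describing the callback contract, which every driver wiring an ACL check through it needs to know. I would add above it: `/* Called once per network with its object lock held; return true to include the network in the listing (and in the count), false to omit it. A NULL filter means no filtering. */`. The lock-held detail follows from the `virNetworkObjLock(netobj)` call that precedes the filter invocation in network_conf.c; the header only shows the signature, so confirm the wording against that caller before committing it.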
@@ -2844,10 +2844,12 @@ static int networkConnectNumOfNetworks(virConnectPtr conn) {
 networkDriverLock(driver);
 for (i = 0; i < driver->networks.count; i++) {
- virNetworkObjLock(driver->networks.objs[i]);
- if (virNetworkObjIsActive(driver->networks.objs[i]))
+ virNetworkObjPtr obj = driver->networks.objs[i];
+ virNetworkObjLock(obj);
+ if (virConnectNumOfNetworksCheckACL(conn, obj->def) &&
+ virNetworkObjIsActive(obj))
 nactive++;
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjUnlock(obj);
 }
 networkDriverUnlock(driver);
@@ -2863,15 +2865,17 @@ static int networkConnectListNetworks(virConnectPtr conn, char **const names, in
 networkDriverLock(driver);
 for (i = 0; i < driver->networks.count && got < nnames; i++) {
- virNetworkObjLock(driver->networks.objs[i]);
- if (virNetworkObjIsActive(driver->networks.objs[i])) {
- if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) < 0) {
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjPtr obj = driver->networks.objs[i];
+ virNetworkObjLock(obj);
+ if (virConnectListNetworksCheckACL(conn, obj->def) &&
+ virNetworkObjIsActive(obj)) {
+ if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+ virNetworkObjUnlock(obj);
 goto cleanup;
 }
 got++;
 }
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjUnlock(obj);
 }
 networkDriverUnlock(driver);
@@ -2893,10 +2897,12 @@ static int networkConnectNumOfDefinedNetworks(virConnectPtr conn) {
 networkDriverLock(driver);
 for (i = 0; i < driver->networks.count; i++) {
- virNetworkObjLock(driver->networks.objs[i]);
- if (!virNetworkObjIsActive(driver->networks.objs[i]))
+ virNetworkObjPtr obj = driver->networks.objs[i];
+ virNetworkObjLock(obj);
+ if (virConnectNumOfDefinedNetworksCheckACL(conn, obj->def) &&
+ !virNetworkObjIsActive(obj))
 ninactive++;
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjUnlock(obj);
 }
 networkDriverUnlock(driver);
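Review bot: In `networkConnectNumOfNetworks` the new condition `if (virConnectNumOfNetworksCheckACL(conn, obj->def) && virNetworkObjIsActive(obj))` asks the access-control layer about every network, including inactive ones that the second operand then rejects; writing it as `if (virNetworkObjIsActive(obj) && virConnectNumOfNetworksCheckACL(conn, obj->def))` produces the same count and consults the ACL only for networks that can contribute to it. The same cheap-check-first ordering applies to the `networkConnectListNetworks` and `networkConnectNumOfDefinedNetworks` hunks that follow. The cost of the check depends on the access driver, which this diff does not show, so this is an ordering preference rather than a correctness issue. Each of these functions begins before its hunk, so whatever runs ahead of `networkDriverLock(driver)` is not visible here.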
@@ -2912,15 +2918,17 @@ static int networkConnectListDefinedNetworks(virConnectPtr conn, char **const na
 networkDriverLock(driver);
 for (i = 0; i < driver->networks.count && got < nnames; i++) {
- virNetworkObjLock(driver->networks.objs[i]);
- if (!virNetworkObjIsActive(driver->networks.objs[i])) {
- if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) < 0) {
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjPtr obj = driver->networks.objs[i];
+ virNetworkObjLock(obj);
+ if (virConnectListDefinedNetworksCheckACL(conn, obj->def) &&
+ !virNetworkObjIsActive(obj)) {
+ if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+ virNetworkObjUnlock(obj);
 goto cleanup;
 }
 got++;
 }
- virNetworkObjUnlock(driver->networks.objs[i]);
+ virNetworkObjUnlock(obj);
 }
 networkDriverUnlock(driver);
 return got;
@@ -2946,7 +2954,9 @@ networkConnectListAllNetworks(virConnectPtr conn,
 goto cleanup;
 networkDriverLock(driver);
- ret = virNetworkList(conn, driver->networks, nets, flags);
+ ret = virNetworkObjListExport(conn, driver->networks, nets,
+ virConnectListAllNetworksCheckACL,
+ flags);
 networkDriverUnlock(driver);
 cleanup:
diff --git a/src/parallels/parallels_network.c b/src/parallels/parallels_network.c
index c126e31504..26a3f13927 100644
--- a/src/parallels/parallels_network.c
+++ b/src/parallels/parallels_network.c
@@ -463,7 +463,7 @@ static int parallelsConnectListAllNetworks(virConnectPtr conn,
 virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
 parallelsDriverLock(privconn);
- ret = virNetworkList(conn, privconn->networks, nets, flags);
+ ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
 parallelsDriverUnlock(privconn);
 return ret;
diff --git a/src/test/test_driver.c b/src/test/test_driver.c
index 88e23a37f8..d4c339e3cb 100644
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
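Review bot: `parallelsConnectListAllNetworks` passes `NULL` as the filter to `virNetworkObjListExport`, so unlike the bridge driver in this same patch its listing is subject to no access-control check, even though the commit message says all listing APIs should filter against the access control system. If this driver is only reached in a context where the daemon's ACL enforcement does not apply that may be intended, but nothing here shows it; otherwise the call should pass a `virConnectListAllNetworksCheckACL` filter as bridge_driver.c does. Either way a short comment on the argument, e.g. `NULL, /* no ACL filtering for this driver */`, would record the decision for the next reader. The test_driver.c hunk makes the same choice.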
@@ -3092,7 +3092,7 @@ testConnectListAllNetworks(virConnectPtr conn,
 virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
 testDriverLock(privconn);
- ret = virNetworkList(conn, privconn->networks, nets, flags);
+ ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
 testDriverUnlock(privconn);
 return ret;
-- 
GitLab