Add access control filtering of network objects

Ensure that all APIs which list network objects filter them against the access control system. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>

Add access control filtering of network objects
Ensure that all APIs which list network objects filter them against the access control system. Signed-off-by: N Daniel P. Berrange <berrange@redhat.com>
bbaa4e1c · Daniel P. Berrange · 4d39952e · bbaa4e1c · bbaa4e1c · bbaa4e1c
6 changed file
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@@ -4289,10 +4289,11 @@ virNetworkMatch(virNetworkObjPtr netobj,
 #undef MATCH
 int
-virNetworkList(virConnectPtr conn,
+virNetworkObjListExport(virConnectPtr conn,
-               virNetworkObjList netobjs,
+                        virNetworkObjList netobjs,
-               virNetworkPtr **nets,
+                        virNetworkPtr **nets,
-               unsigned int flags)
+                        virNetworkObjListFilter filter,
+                        unsigned int flags)
 {
    virNetworkPtr *tmp_nets = NULL;
    virNetworkPtr net = NULL;
@@ -4310,7 +4311,8 @@ virNetworkList(virConnectPtr conn,
    for (i = 0; i < netobjs.count; i++) {
        virNetworkObjPtr netobj = netobjs.objs[i];
        virNetworkObjLock(netobj);
-        if (virNetworkMatch(netobj, flags)) {
+        if ((!filter || filter(conn, netobj->def)) &&
+            virNetworkMatch(netobj, flags)) {
            if (nets) {
                if (!(net = virGetNetwork(conn,
                                          netobj->def->name,

--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@@ -296,6 +296,10 @@ void virNetworkDefFree(virNetworkDefPtr def);
 void virNetworkObjFree(virNetworkObjPtr net);
 void virNetworkObjListFree(virNetworkObjListPtr vms);
+typedef bool (*virNetworkObjListFilter)(virConnectPtr conn,
+                                        virNetworkDefPtr def);
 virNetworkObjPtr virNetworkAssignDef(virNetworkObjListPtr nets,
                                     const virNetworkDefPtr def,
                                     bool live);
@@ -417,9 +421,10 @@ VIR_ENUM_DECL(virNetworkForward)
                 VIR_CONNECT_LIST_NETWORKS_FILTERS_PERSISTENT | \
                 VIR_CONNECT_LIST_NETWORKS_FILTERS_AUTOSTART)
-int virNetworkList(virConnectPtr conn,
+int virNetworkObjListExport(virConnectPtr conn,
-                   virNetworkObjList netobjs,
+                            virNetworkObjList netobjs,
-                   virNetworkPtr **nets,
+                            virNetworkPtr **nets,
-                   unsigned int flags);
+                            virNetworkObjListFilter filter,
+                            unsigned int flags);
 #endif /* __NETWORK_CONF_H__ */
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -495,13 +495,13 @@ virNetworkFindByUUID;
 virNetworkForwardTypeToString;
 virNetworkIpDefNetmask;
 virNetworkIpDefPrefix;
-virNetworkList;
 virNetworkLoadAllConfigs;
 virNetworkLoadAllState;
 virNetworkObjAssignDef;
 virNetworkObjFree;
 virNetworkObjGetPersistentDef;
 virNetworkObjIsDuplicate;
+virNetworkObjListExport;
 virNetworkObjListFree;
 virNetworkObjLock;
 virNetworkObjReplacePersistentDef;

--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@@ -2844,10 +2844,12 @@ static int networkConnectNumOfNetworks(virConnectPtr conn) {
    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
+        virNetworkObjPtr obj = driver->networks.objs[i];
-        if (virNetworkObjIsActive(driver->networks.objs[i]))
+        virNetworkObjLock(obj);
+        if (virConnectNumOfNetworksCheckACL(conn, obj->def) &&
+            virNetworkObjIsActive(obj))
            nactive++;
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
    }
    networkDriverUnlock(driver);
@@ -2863,15 +2865,17 @@ static int networkConnectListNetworks(virConnectPtr conn, char **const names, in
    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count && got < nnames; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
+        virNetworkObjPtr obj = driver->networks.objs[i];
-        if (virNetworkObjIsActive(driver->networks.objs[i])) {
+        virNetworkObjLock(obj);
-            if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) < 0) {
+        if (virConnectListNetworksCheckACL(conn, obj->def) &&
-                virNetworkObjUnlock(driver->networks.objs[i]);
+            virNetworkObjIsActive(obj)) {
+            if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+                virNetworkObjUnlock(obj);
                goto cleanup;
            }
            got++;
        }
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
    }
    networkDriverUnlock(driver);
@@ -2893,10 +2897,12 @@ static int networkConnectNumOfDefinedNetworks(virConnectPtr conn) {
    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
+        virNetworkObjPtr obj = driver->networks.objs[i];
-        if (!virNetworkObjIsActive(driver->networks.objs[i]))
+        virNetworkObjLock(obj);
+        if (virConnectNumOfDefinedNetworksCheckACL(conn, obj->def) &&
+            !virNetworkObjIsActive(obj))
            ninactive++;
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
    }
    networkDriverUnlock(driver);
@@ -2912,15 +2918,17 @@ static int networkConnectListDefinedNetworks(virConnectPtr conn, char **const na
    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count && got < nnames; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
+        virNetworkObjPtr obj = driver->networks.objs[i];
-        if (!virNetworkObjIsActive(driver->networks.objs[i])) {
+        virNetworkObjLock(obj);
-            if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) < 0) {
+        if (virConnectListDefinedNetworksCheckACL(conn, obj->def) &&
-                virNetworkObjUnlock(driver->networks.objs[i]);
+            !virNetworkObjIsActive(obj)) {
+            if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+                virNetworkObjUnlock(obj);
                goto cleanup;
            }
            got++;
        }
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
    }
    networkDriverUnlock(driver);
    return got;
@@ -2946,7 +2954,9 @@ networkConnectListAllNetworks(virConnectPtr conn,
        goto cleanup;
    networkDriverLock(driver);
-    ret = virNetworkList(conn, driver->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, driver->networks, nets,
+                                  virConnectListAllNetworksCheckACL,
+                                  flags);
    networkDriverUnlock(driver);
 cleanup:

--- a/src/parallels/parallels_network.c
+++ b/src/parallels/parallels_network.c
@@ -463,7 +463,7 @@ static int parallelsConnectListAllNetworks(virConnectPtr conn,
    virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
    parallelsDriverLock(privconn);
-    ret = virNetworkList(conn, privconn->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
    parallelsDriverUnlock(privconn);
    return ret;

--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@@ -3092,7 +3092,7 @@ testConnectListAllNetworks(virConnectPtr conn,
    virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
    testDriverLock(privconn);
-    ret = virNetworkList(conn, privconn->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
    testDriverUnlock(privconn);
    return ret;