Add ACL annotations to all RPC messages

Introduce annotations to all RPC messages to declare what
access control checks are required. There are two new
annotations defined:

 @acl: <object>:<permission>
 @acl: <object>:<permission>:<flagname>

  Declare the access control requirements for the API. May be repeated
  multiple times, if multiple rules are required.

    <object> is one of 'connect', 'domain', 'network', 'storagepool',
             'interface', 'nodedev', 'secret'.
    <permission> is one of the permissions in access/viraccessperm.h
    <flagname> indicates the rule only applies if the named flag
    is set in the API call

 @aclfilter: <object>:<permission>

  Declare an access control filter that will be applied to a list
  of objects being returned by an API. This allows the returned
  list to be filtered to only show those the user has permissions
  against
Signed-off-by: NDaniel P. Berrange <berrange@redhat.com>

src/locking/lock_protocol.x

@@ -105,41 +105,49 @@ enum virLockSpaceProtocolProcedure {
 
     /**
      * @generate: none
+     * @acl: none
      */
     VIR_LOCK_SPACE_PROTOCOL_PROC_REGISTER = 1,
 
     /**
      * @generate: none
+     * @acl: none
      */
     VIR_LOCK_SPACE_PROTOCOL_PROC_RESTRICT = 2,
 
     /**
      * @generate: none
+     * @acl: none
      */
     VIR_LOCK_SPACE_PROTOCOL_PROC_NEW = 3,
 
     /**
      * @generate: none
+     * @acl: none
      */
     VIR_LOCK_SPACE_PROTOCOL_PROC_CREATE_RESOURCE = 4,
 
     /**
      * @generate: none
+     * @acl: none
      */
     VIR_LOCK_SPACE_PROTOCOL_PROC_DELETE_RESOURCE = 5,
 
     /**
      * @generate: none
+     * @acl: none
      */
     VIR_LOCK_SPACE_PROTOCOL_PROC_ACQUIRE_RESOURCE = 6,
 
     /**
      * @generate: none
+     * @acl: none
      */
     VIR_LOCK_SPACE_PROTOCOL_PROC_RELEASE_RESOURCE = 7,
 
     /**
      * @generate: none
+     * @acl: none
      */
     VIR_LOCK_SPACE_PROTOCOL_PROC_CREATE_LOCKSPACE = 8
 };

src/remote/lxc_protocol.x

@@ -65,6 +65,7 @@ enum lxc_procedure {
     /**
      * @generate: none
      * @priority: low
+     * @acl: domain:open_namespace
      */
     LXC_PROC_DOMAIN_OPEN_NAMESPACE = 1
 };

src/remote/qemu_protocol.x

@@ -91,18 +91,22 @@ enum qemu_procedure {
     /**
      * @generate: none
      * @priority: low
+     * @acl: domain:write
      */
     QEMU_PROC_DOMAIN_MONITOR_COMMAND = 1,
 
     /**
      * @generate: both
      * @priority: low
+     * @acl: domain:start
+     * @acl: domain:write
      */
     QEMU_PROC_DOMAIN_ATTACH = 2,
 
     /**
      * @generate: both
      * @priority: low
+     * @acl: domain:write
      */
     QEMU_PROC_DOMAIN_AGENT_COMMAND = 3
 };

src/rpc/gendispatch.pl

@@ -123,7 +123,7 @@ while (<PROTOCOL>) {
             push(@{$calls{$name}->{ret_members}}, $1);
         }
     } elsif ($collect_opts) {
-        if (m,^\s*\*\s*\@(\w+)\s*:\s*(\w+)\s*$,) {
+        if (m,^\s*\*\s*\@(\w+)\s*:\s*((?:\w|:|\!|\|)+)\s*$,) {
             $opts{$1} = $2;
         } elsif (m,^\s*\*/\s*$,) {
             $collect_opts = 0;