
[libvirt] [PATCH 13/19] Add ACL checks into the storage driver



From: "Daniel P. Berrange" <berrange redhat com>

Insert calls to the ACL checking APIs in all storage driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange redhat com>
---
 src/Makefile.am              |   4 +-
 src/storage/storage_driver.c | 155 +++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 154 insertions(+), 5 deletions(-)

diff --git a/src/Makefile.am b/src/Makefile.am
index fd99ee2..1d43e0d 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1284,7 +1284,9 @@ endif
 # Needed to keep automake quiet about conditionals
 libvirt_driver_storage_impl_la_SOURCES =
 libvirt_driver_storage_impl_la_CFLAGS = \
-		-I$(top_srcdir)/src/conf $(AM_CFLAGS)
+		-I$(top_srcdir)/src/access \
+		-I$(top_srcdir)/src/conf \
+		$(AM_CFLAGS)
 libvirt_driver_storage_impl_la_LDFLAGS = $(AM_LDFLAGS)
 libvirt_driver_storage_impl_la_LIBADD =
 libvirt_driver_storage_impl_la_LIBADD += $(SECDRIVER_LIBS)
diff --git a/src/storage/storage_driver.c b/src/storage/storage_driver.c
index 858aeca..cc8eaa9 100644
--- a/src/storage/storage_driver.c
+++ b/src/storage/storage_driver.c
@@ -48,6 +48,7 @@
 #include "fdstream.h"
 #include "configmake.h"
 #include "virstring.h"
+#include "viraccessapicheck.h"
 
 #define VIR_FROM_THIS VIR_FROM_STORAGE
 
@@ -248,6 +249,9 @@ storagePoolLookupByUUID(virConnectPtr conn,
         goto cleanup;
     }
 
+    if (virStoragePoolLookupByUUIDEnsureACL(conn, pool->def) < 0)
+        goto cleanup;
+
     ret = virGetStoragePool(conn, pool->def->name, pool->def->uuid,
                             NULL, NULL);
 
@@ -274,6 +278,9 @@ storagePoolLookupByName(virConnectPtr conn,
         goto cleanup;
     }
 
+    if (virStoragePoolLookupByNameEnsureACL(conn, pool->def) < 0)
+        goto cleanup;
+
     ret = virGetStoragePool(conn, pool->def->name, pool->def->uuid,
                             NULL, NULL);
 
@@ -285,7 +292,30 @@ cleanup:
 
 static virStoragePoolPtr
 storagePoolLookupByVolume(virStorageVolPtr vol) {
-    return storagePoolLookupByName(vol->conn, vol->pool);
+    virStorageDriverStatePtr driver = vol->conn->storagePrivateData;
+    virStoragePoolObjPtr pool;
+    virStoragePoolPtr ret = NULL;
+
+    storageDriverLock(driver);
+    pool = virStoragePoolObjFindByName(&driver->pools, vol->pool);
+    storageDriverUnlock(driver);
+
+    if (!pool) {
+        virReportError(VIR_ERR_NO_STORAGE_POOL,
+                       _("no storage pool with matching name '%s'"), vol->pool);
+        goto cleanup;
+    }
+
+    if (virStoragePoolLookupByVolumeEnsureACL(vol->conn, pool->def) < 0)
+        goto cleanup;
+
+    ret = virGetStoragePool(vol->conn, pool->def->name, pool->def->uuid,
+                            NULL, NULL);
+
+cleanup:
+    if (pool)
+        virStoragePoolObjUnlock(pool);
+    return ret;
 }
 
 static virDrvOpenStatus
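Review bot: storagePoolLookupByVolume now repeats the lookup-and-unlock sequence of storagePoolLookupByName instead of calling it, and nothing in the new body says why. The reason visible in the diff is that delegating would apply `virStoragePoolLookupByNameEnsureACL` rather than `virStoragePoolLookupByVolumeEnsureACL`, so a later cleanup that folds the two functions back together would silently change which permission is checked. A one-line comment above the function would guard against that, for example `/* Not delegated to storagePoolLookupByName: this entry point has its own ACL check */`.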
@@ -313,6 +343,9 @@ storageConnectNumOfStoragePools(virConnectPtr conn) {
     virStorageDriverStatePtr driver = conn->storagePrivateData;
     unsigned int i, nactive = 0;
 
+    if (virConnectNumOfStoragePoolsEnsureACL(conn) < 0)
+        return -1;
+
     storageDriverLock(driver);
     for (i = 0; i < driver->pools.count; i++) {
         virStoragePoolObjLock(driver->pools.objs[i]);
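Review bot: The check added at the top of storageConnectNumOfStoragePools is made against the connection only, while the loop that follows walks every entry in `driver->pools`. The loop body lies outside the hunk, but unless it filters per pool, a caller who would be refused by `virStoragePoolLookupByNameEnsureACL` for a given pool still has that pool counted here and, in storageConnectListStoragePools, named. The same connection-only pattern appears in storageConnectNumOfDefinedStoragePools, storageConnectListDefinedStoragePools and storageConnectListAllStoragePools. Either each object should go through a per-pool check that skips denied pools without reporting an error, or the limitation should be recorded at the check, e.g. `/* connection-level check only: pools are not filtered per object */`.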
@@ -332,6 +365,9 @@ storageConnectListStoragePools(virConnectPtr conn,
     virStorageDriverStatePtr driver = conn->storagePrivateData;
     int got = 0, i;
 
+    if (virConnectListStoragePoolsEnsureACL(conn) < 0)
+        return -1;
+
     storageDriverLock(driver);
     for (i = 0; i < driver->pools.count && got < nnames; i++) {
         virStoragePoolObjLock(driver->pools.objs[i]);
@@ -360,6 +396,9 @@ storageConnectNumOfDefinedStoragePools(virConnectPtr conn) {
     virStorageDriverStatePtr driver = conn->storagePrivateData;
     unsigned int i, nactive = 0;
 
+    if (virConnectNumOfDefinedStoragePoolsEnsureACL(conn) < 0)
+        return -1;
+
     storageDriverLock(driver);
     for (i = 0; i < driver->pools.count; i++) {
         virStoragePoolObjLock(driver->pools.objs[i]);
@@ -379,6 +418,9 @@ storageConnectListDefinedStoragePools(virConnectPtr conn,
     virStorageDriverStatePtr driver = conn->storagePrivateData;
     int got = 0, i;
 
+    if (virConnectListDefinedStoragePoolsEnsureACL(conn) < 0)
+        return -1;
+
     storageDriverLock(driver);
     for (i = 0; i < driver->pools.count && got < nnames; i++) {
         virStoragePoolObjLock(driver->pools.objs[i]);
@@ -415,6 +457,9 @@ storageConnectFindStoragePoolSources(virConnectPtr conn,
     virStorageBackendPtr backend;
     char *ret = NULL;
 
+    if (virConnectFindStoragePoolSourcesEnsureACL(conn) < 0)
+        return NULL;
+
     backend_type = virStoragePoolTypeFromString(type);
     if (backend_type < 0) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
@@ -453,6 +498,10 @@ static int storagePoolIsActive(virStoragePoolPtr pool)
         virReportError(VIR_ERR_NO_STORAGE_POOL, NULL);
         goto cleanup;
     }
+
+    if (virStoragePoolIsActiveEnsureACL(pool->conn, obj->def) < 0)
+        goto cleanup;
+
     ret = virStoragePoolObjIsActive(obj);
 
 cleanup:
@@ -474,6 +523,10 @@ static int storagePoolIsPersistent(virStoragePoolPtr pool)
         virReportError(VIR_ERR_NO_STORAGE_POOL, NULL);
         goto cleanup;
     }
+
+    if (virStoragePoolIsPersistentEnsureACL(pool->conn, obj->def) < 0)
+        goto cleanup;
+
     ret = obj->configFile ? 1 : 0;
 
 cleanup:
@@ -500,6 +553,9 @@ storagePoolCreateXML(virConnectPtr conn,
     if (!(def = virStoragePoolDefParseString(xml)))
         goto cleanup;
 
+    if (virStoragePoolCreateXMLEnsureACL(conn, def) < 0)
+        goto cleanup;
+
     if (virStoragePoolObjIsDuplicate(&driver->pools, def, 1) < 0)
         goto cleanup;
 
@@ -557,6 +613,9 @@ storagePoolDefineXML(virConnectPtr conn,
     if (!(def = virStoragePoolDefParseString(xml)))
         goto cleanup;
 
+    if (virStoragePoolDefineXMLEnsureACL(conn, def) < 0)
+        goto cleanup;
+
     if (virStoragePoolObjIsDuplicate(&driver->pools, def, 0) < 0)
         goto cleanup;
 
@@ -602,6 +661,9 @@ storagePoolUndefine(virStoragePoolPtr obj) {
         goto cleanup;
     }
 
+    if (virStoragePoolUndefineEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if (virStoragePoolObjIsActive(pool)) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("storage pool '%s' is still active"),
@@ -661,6 +723,9 @@ storagePoolCreate(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolCreateEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if ((backend = virStorageBackendForType(pool->def->type)) == NULL)
         goto cleanup;
 
@@ -708,6 +773,9 @@ storagePoolBuild(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolBuildEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if ((backend = virStorageBackendForType(pool->def->type)) == NULL)
         goto cleanup;
 
@@ -746,6 +814,9 @@ storagePoolDestroy(virStoragePoolPtr obj) {
         goto cleanup;
     }
 
+    if (virStoragePoolDestroyEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if ((backend = virStorageBackendForType(pool->def->type)) == NULL)
         goto cleanup;
 
@@ -806,6 +877,9 @@ storagePoolDelete(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolDeleteEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if ((backend = virStorageBackendForType(pool->def->type)) == NULL)
         goto cleanup;
 
@@ -860,6 +934,9 @@ storagePoolRefresh(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolRefreshEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if ((backend = virStorageBackendForType(pool->def->type)) == NULL)
         goto cleanup;
 
@@ -916,6 +993,9 @@ storagePoolGetInfo(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolGetInfoEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if (virStorageBackendForType(pool->def->type) == NULL)
         goto cleanup;
 
@@ -956,6 +1036,9 @@ storagePoolGetXMLDesc(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolGetXMLDescEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if ((flags & VIR_STORAGE_XML_INACTIVE) && pool->newDef)
         def = pool->newDef;
     else
@@ -986,6 +1069,9 @@ storagePoolGetAutostart(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolGetAutostartEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if (!pool->configFile) {
         *autostart = 0;
     } else {
@@ -1015,6 +1101,9 @@ storagePoolSetAutostart(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolSetAutostartEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if (!pool->configFile) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        "%s", _("pool has no config file"));
@@ -1075,6 +1164,9 @@ storagePoolNumOfVolumes(virStoragePoolPtr obj) {
         goto cleanup;
     }
 
+    if (virStoragePoolNumOfVolumesEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if (!virStoragePoolObjIsActive(pool)) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("storage pool '%s' is not active"), pool->def->name);
@@ -1108,6 +1200,9 @@ storagePoolListVolumes(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStoragePoolListVolumesEnsureACL(obj->conn, pool->def) < 0)
+        goto cleanup;
+
     if (!virStoragePoolObjIsActive(pool)) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("storage pool '%s' is not active"), pool->def->name);
@@ -1157,6 +1252,9 @@ storagePoolListAllVolumes(virStoragePoolPtr pool,
         goto cleanup;
     }
 
+    if (virStoragePoolListAllVolumesEnsureACL(pool->conn, obj->def) < 0)
+        goto cleanup;
+
     if (!virStoragePoolObjIsActive(obj)) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("storage pool '%s' is not active"), obj->def->name);
@@ -1235,6 +1333,9 @@ storageVolLookupByName(virStoragePoolPtr obj,
         goto cleanup;
     }
 
+    if (virStorageVolLookupByNameEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto cleanup;
+
     ret = virGetStorageVol(obj->conn, pool->def->name, vol->name, vol->key,
                            NULL, NULL);
 
@@ -1259,21 +1360,27 @@ storageVolLookupByKey(virConnectPtr conn,
             virStorageVolDefPtr vol =
                 virStorageVolDefFindByKey(driver->pools.objs[i], key);
 
-            if (vol)
+            if (vol) {
+                if (virStorageVolLookupByKeyEnsureACL(conn, driver->pools.objs[i]->def, vol) < 0)
+                    goto cleanup;
+
                 ret = virGetStorageVol(conn,
                                        driver->pools.objs[i]->def->name,
                                        vol->name,
                                        vol->key,
                                        NULL, NULL);
+                goto cleanup;
+            }
         }
         virStoragePoolObjUnlock(driver->pools.objs[i]);
     }
-    storageDriverUnlock(driver);
 
     if (!ret)
         virReportError(VIR_ERR_NO_STORAGE_VOL,
                        _("no storage vol with matching key %s"), key);
 
+cleanup:
+    storageDriverUnlock(driver);
     return ret;
 }
 
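Review bot: Both new `goto cleanup;` statements inside `if (vol) { ... }` leave the loop without reaching `virStoragePoolObjUnlock(driver->pools.objs[i]);`, and the new `cleanup:` label releases only the driver lock. The matching lock call is above the hunk, but the unlock at the end of the loop body implies the pool object is held at that point, so both the ACL-denied path and the successful lookup would return with that pool still locked and later operations on it would block. Add `virStoragePoolObjUnlock(driver->pools.objs[i]);` before each of the two `goto cleanup;` lines. The hunk for storageVolLookupByPath has the same two jumps and needs the same change.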
@@ -1313,12 +1420,17 @@ storageVolLookupByPath(virConnectPtr conn,
                                              stable_path);
             VIR_FREE(stable_path);
 
-            if (vol)
+            if (vol) {
+                if (virStorageVolLookupByPathEnsureACL(conn, driver->pools.objs[i]->def, vol) < 0)
+                    goto cleanup;
+
                 ret = virGetStorageVol(conn,
                                        driver->pools.objs[i]->def->name,
                                        vol->name,
                                        vol->key,
                                        NULL, NULL);
+                goto cleanup;
+            }
         }
         virStoragePoolObjUnlock(driver->pools.objs[i]);
     }
@@ -1327,6 +1439,7 @@ storageVolLookupByPath(virConnectPtr conn,
         virReportError(VIR_ERR_NO_STORAGE_VOL,
                        _("no storage vol with matching path %s"), path);
 
+cleanup:
     VIR_FREE(cleanpath);
     storageDriverUnlock(driver);
     return ret;
@@ -1370,6 +1483,9 @@ storageVolCreateXML(virStoragePoolPtr obj,
     if (voldef == NULL)
         goto cleanup;
 
+    if (virStorageVolCreateXMLEnsureACL(obj->conn, pool->def, voldef) < 0)
+        goto cleanup;
+
     if (virStorageVolDefFindByName(pool, voldef->name)) {
         virReportError(VIR_ERR_NO_STORAGE_VOL,
                        _("storage vol '%s' already exists"), voldef->name);
@@ -1521,6 +1637,9 @@ storageVolCreateXMLFrom(virStoragePoolPtr obj,
     if (newvol == NULL)
         goto cleanup;
 
+    if (virStorageVolCreateXMLFromEnsureACL(obj->conn, pool->def, newvol) < 0)
+        goto cleanup;
+
     if (virStorageVolDefFindByName(pool, newvol->name)) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("storage volume name '%s' already in use."),
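Review bot: `virStorageVolCreateXMLFromEnsureACL(obj->conn, pool->def, newvol)` authorises only the volume being created in the destination pool. The function's name indicates that data is copied from an existing volume; that handling sits outside this hunk, so this is inferred, but if no check is made against the source volume and its pool, permission to create in one pool would be enough to obtain a copy of a volume the caller could not otherwise read. It is worth confirming that the source is covered, or adding a check on it next to this one once it has been looked up. The body of storageVolCreateXMLFrom starts and ends outside the hunk.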
@@ -1662,6 +1781,9 @@ storageVolDownload(virStorageVolPtr obj,
         goto out;
     }
 
+    if (virStorageVolDownloadEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto out;
+
     if (vol->building) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("volume '%s' is still being allocated."),
@@ -1725,6 +1847,9 @@ storageVolUpload(virStorageVolPtr obj,
         goto out;
     }
 
+    if (virStorageVolUploadEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto out;
+
     if (vol->building) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("volume '%s' is still being allocated."),
@@ -1794,6 +1919,9 @@ storageVolResize(virStorageVolPtr obj,
         goto out;
     }
 
+    if (virStorageVolResizeEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto out;
+
     if (vol->building) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("volume '%s' is still being allocated."),
@@ -2094,6 +2222,9 @@ storageVolWipePattern(virStorageVolPtr obj,
         goto out;
     }
 
+    if (virStorageVolWipePatternEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto out;
+
     if (vol->building) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("volume '%s' is still being allocated."),
@@ -2162,6 +2293,9 @@ storageVolDelete(virStorageVolPtr obj,
         goto cleanup;
     }
 
+    if (virStorageVolDeleteEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto cleanup;
+
     if (vol->building) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        _("volume '%s' is still being allocated."),
@@ -2241,6 +2375,9 @@ storageVolGetInfo(virStorageVolPtr obj,
         goto cleanup;
     }
 
+    if (virStorageVolGetInfoEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto cleanup;
+
     if ((backend = virStorageBackendForType(pool->def->type)) == NULL)
         goto cleanup;
 
@@ -2298,6 +2435,9 @@ storageVolGetXMLDesc(virStorageVolPtr obj,
         goto cleanup;
     }
 
+    if (virStorageVolGetXMLDescEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto cleanup;
+
     if ((backend = virStorageBackendForType(pool->def->type)) == NULL)
         goto cleanup;
 
@@ -2346,6 +2486,9 @@ storageVolGetPath(virStorageVolPtr obj) {
         goto cleanup;
     }
 
+    if (virStorageVolGetPathEnsureACL(obj->conn, pool->def, vol) < 0)
+        goto cleanup;
+
     ignore_value(VIR_STRDUP(ret, vol->target.path));
 
 cleanup:
@@ -2364,10 +2507,14 @@ storageConnectListAllStoragePools(virConnectPtr conn,
 
     virCheckFlags(VIR_CONNECT_LIST_STORAGE_POOLS_FILTERS_ALL, -1);
 
+    if (virConnectListAllStoragePoolsEnsureACL(conn) < 0)
+        goto cleanup;
+
     storageDriverLock(driver);
     ret = virStoragePoolList(conn, driver->pools, pools, flags);
     storageDriverUnlock(driver);
 
+cleanup:
     return ret;
 }
 
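Review bot: The new `cleanup:` label in storageConnectListAllStoragePools guards nothing but `return ret;`, and the denied path depends on the initial value of `ret`, which is declared above the hunk. The other connection-level entry points in this patch return directly on denial, and doing the same here makes the failure value explicit: keep `if (virConnectListAllStoragePoolsEnsureACL(conn) < 0)` and follow it with `return -1;`, dropping the label.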
-- 
1.8.1.4

