[libvirt] [PATCH 00/19] Support for access control

Michal Privoznik mprivozn at redhat.com
Thu Jun 20 09:00:36 UTC 2013


On 09.05.2013 15:26, Daniel P. Berrange wrote:
> From: "Daniel P. Berrange" <berrange at redhat.com>
> 
> This series (which depends on the Xen refactoring patches) adds
> support for access control checks on all APIs that run inside
> libvirtd.
> 
> The first patch defines the basic objects which can be checked
> and the permissions associated with each object. In addition
> it provides the basic internal (pluggable) API for access
> control checks.
> 
> Later there are policykit and selinux drivers for the access
> control framework. Neither of these is currently optimal,
> but they have basic functionality working.
> 
> To ensure that we don't forget access control checks when
> adding new APIs, we maintain metadata in the remote_protocol.x
> file against each method declaring what access control check
> must be done.
> 
> There are actually two checks possible. The first check is
> against the object being used. The optional second check
> is against the objects being returned (if any). The latter
> is used to filter what can be seen when asking for a list
> of objects (e.g. 'virsh list' gets filtered).
> 
> Again to ensure accurate checks, we automate the generation
> of methods for applying access control checks to each API.
> These helper methods are named to match the public API names.
> The last patch ensures that every method listed in the
> virXXXXDriverPtr tables has a call to an access control
> helper with the same name as the public API.
> 
> And of course there are the patches which actually add
> the access control checks.
> 
> Still todo
> 
>  - Not all Xen methods have access control checks yet.
>    This causes the test case in the last patch to report
>    failures
> 
>  - Have not wired up the checks for filtering the returned
>    objects in any driver yet
> 
>  - The polkit driver is inefficient since it spawns
>    pkcheck for each check. We need to talk to DBus
>    directly since ACL checks will be very frequent
>    and need to be lightweight
> 
>  - The SELinux driver is validating against the label
>    of libvirtd. We need to validate against the label of
>    the virDomainDefPtr security model or some equivalent
>    for other objects.
> 
>  - Need to write a generic RBAC access control impl. It
>    was hoped that new polkit would make this obsolete.
> Polkit is still unable to do access control checks
> for non-local users though, e.g. it can't validate
> against SASL usernames or x509 certs.
> 
> Daniel P. Berrange (19):
>   Define basic internal API for access control
>   Set conn->driver before running driver connectOpen method
>   Setup default access control manager in libvirtd
>   Add a policy kit access control driver
>   Add an SELinux access control driver
>   Add ACL annotations to all RPC messages
>   Auto-generate helpers for checking access control rules
>   Add ACL checks into the QEMU driver
>   Add ACL checks into the LXC driver
>   Add ACL checks into the UML driver
>   Add ACL checks into the Xen driver
>   Add ACL checks into the libxl driver
>   Add ACL checks into the storage driver
>   Add ACL checks into the network driver
>   Add ACL checks into the interface driver
>   Add ACL checks into the node device driver
>   Add ACL checks into the nwfilter driver
>   Add ACL checks into the secrets driver
>   Add validation that all APIs contain ACL checks
> 
>  .gitignore                              |  10 +
>  daemon/Makefile.am                      |   1 +
>  daemon/libvirtd-config.c                |   4 +
>  daemon/libvirtd-config.h                |   2 +
>  daemon/libvirtd.aug                     |   1 +
>  daemon/libvirtd.c                       |  27 ++
>  daemon/libvirtd.conf                    |   9 +
>  daemon/test_libvirtd.aug.in             |   4 +
>  include/libvirt/virterror.h             |   4 +
>  m4/virt-compile-warnings.m4             |   1 +
>  m4/virt-selinux.m4                      |   2 +
>  po/POTFILES.in                          |   3 +
>  src/Makefile.am                         | 128 +++++-
>  src/access/genpolkit.pl                 | 119 ++++++
>  src/access/viraccessdriver.h            |  89 ++++
>  src/access/viraccessdrivernop.c         | 118 ++++++
>  src/access/viraccessdrivernop.h         |  28 ++
>  src/access/viraccessdriverpolkit.c      | 399 ++++++++++++++++++
>  src/access/viraccessdriverpolkit.h      |  28 ++
>  src/access/viraccessdriverselinux.c     | 565 +++++++++++++++++++++++++
>  src/access/viraccessdriverselinux.h     |  28 ++
>  src/access/viraccessdriverstack.c       | 285 +++++++++++++
>  src/access/viraccessdriverstack.h       |  32 ++
>  src/access/viraccessmanager.c           | 352 ++++++++++++++++
>  src/access/viraccessmanager.h           |  91 ++++
>  src/access/viraccessperm.c              |  84 ++++
>  src/access/viraccessperm.h              | 647 +++++++++++++++++++++++++++++
>  src/check-aclrules.pl                   | 144 +++++++
>  src/interface/interface_backend_netcf.c | 114 +++++
>  src/interface/interface_backend_udev.c  |  85 +++-
>  src/internal.h                          |   4 +
>  src/libvirt.c                           |  11 +-
>  src/libvirt_private.syms                |  37 ++
>  src/libxl/libxl_driver.c                | 187 ++++++++-
>  src/locking/lock_protocol.x             |   8 +
>  src/lxc/lxc_driver.c                    | 219 +++++++++-
>  src/network/bridge_driver.c             |  61 +++
>  src/node_device/node_device_driver.c    |  36 ++
>  src/nwfilter/nwfilter_driver.c          |  26 ++
>  src/qemu/qemu_driver.c                  | 716 ++++++++++++++++++++++++++++----
>  src/remote/lxc_protocol.x               |   1 +
>  src/remote/qemu_protocol.x              |   4 +
>  src/remote/remote_protocol.x            | 406 ++++++++++++++++++
>  src/rpc/gendispatch.pl                  | 212 +++++++++-
>  src/secret/secret_driver.c              |  31 ++
>  src/storage/storage_driver.c            | 155 ++++++-
>  src/uml/uml_driver.c                    | 174 +++++++-
>  src/util/virerror.c                     |   8 +
>  src/util/virlog.c                       |   3 +-
>  src/util/virlog.h                       |   1 +
>  src/xen/xen_driver.c                    | 217 +++++++++-
>  51 files changed, 5785 insertions(+), 136 deletions(-)
>  create mode 100755 src/access/genpolkit.pl
>  create mode 100644 src/access/viraccessdriver.h
>  create mode 100644 src/access/viraccessdrivernop.c
>  create mode 100644 src/access/viraccessdrivernop.h
>  create mode 100644 src/access/viraccessdriverpolkit.c
>  create mode 100644 src/access/viraccessdriverpolkit.h
>  create mode 100644 src/access/viraccessdriverselinux.c
>  create mode 100644 src/access/viraccessdriverselinux.h
>  create mode 100644 src/access/viraccessdriverstack.c
>  create mode 100644 src/access/viraccessdriverstack.h
>  create mode 100644 src/access/viraccessmanager.c
>  create mode 100644 src/access/viraccessmanager.h
>  create mode 100644 src/access/viraccessperm.c
>  create mode 100644 src/access/viraccessperm.h
>  create mode 100644 src/check-aclrules.pl
> 

I wanted to review this, but it seems the patches don't apply cleanly. Can
you rebase and repost?

Michal
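The two-stage check the cover letter describes (a permission check on the object being used, then a filter over the objects a list API returns) as an added illustration in C; this is not libvirt's code, and the object type, permission names, the driver stack and its fail-closed default are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical object/permission model; names are assumptions, not libvirt's. */
typedef struct { const char *name; const char *owner; } Domain;
typedef enum { PERM_GETATTR, PERM_START, PERM_DELETE } DomainPerm;
/* A pluggable access driver answers: may <id> do <perm> on <dom>? */
typedef bool (*DomainCheckFn)(const char *id, const Domain *dom, DomainPerm perm);

/* Stack of drivers: every one must allow; assumed to deny if none is set. */
typedef struct { DomainCheckFn fns[4]; size_t n; } AccessManager;

static bool manager_check_domain(const AccessManager *mgr, const char *id,
                                 const Domain *dom, DomainPerm perm)
{
    if (mgr->n == 0)
        return false;                     /* no policy loaded: fail closed */
    for (size_t i = 0; i < mgr->n; i++)
        if (!mgr->fns[i](id, dom, perm))
            return false;                 /* any driver can veto */
    return true;
}

/* Two toy drivers: owner-or-root only, and "nobody may delete". */
static bool owner_driver(const char *id, const Domain *dom, DomainPerm perm)
{ (void)perm; return strcmp(id, dom->owner) == 0 || strcmp(id, "root") == 0; }
static bool no_delete_driver(const char *id, const Domain *dom, DomainPerm perm)
{ (void)id; (void)dom; return perm != PERM_DELETE; }

/* Second check: filter a list result so the caller only sees objects it may
 * read (the 'virsh list' case). Returns how many entries survived. */
static size_t list_domains_filtered(const AccessManager *mgr, const char *id,
                                    const Domain *all, size_t nall,
                                    const Domain **out, size_t nout)
{
    size_t n = 0;
    for (size_t i = 0; i < nall && n < nout; i++)
        if (manager_check_domain(mgr, id, &all[i], PERM_GETATTR))
            out[n++] = &all[i];
    return n;
}
/* Constructed inventory and policy, plus helpers exercising both checks. */
static const Domain SAMPLE[] = { {"web01", "alice"}, {"db01", "bob"}, {"build", "alice"} };
static const AccessManager DEMO = { { owner_driver, no_delete_driver }, 2 };
static bool demo_can(const char *id, size_t idx, DomainPerm perm)
{ return manager_check_domain(&DEMO, id, &SAMPLE[idx], perm); }
static size_t demo_visible(const char *id)
{ const Domain *out[3]; return list_domains_filtered(&DEMO, id, SAMPLE, 3, out, 3); }
```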