[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 00/19] Support for access control



From: "Daniel P. Berrange" <berrange redhat com>

This series (which depends on the Xen refactoring patches) adds
support for access control checks on all APIs that run inside
libvirtd.

The first patch defines the basic objects which can be checked
and the permissions associated with each object. In addition
it provides the basic internal (pluggable) API for access
control checks

Later there are policykit and selinux drivers for the access
control framework. Neither of these is currently optimal
but they have basic functionality working

To ensure that we don't forget access control checks when
adding new APIs, we maintain metadata in the remote_protocol.x
file against each method declaring what access control check
must be done.

There are actually two checks possible. The first check is
against the object being used. The optional second check
is against the objects being returned (if any). The latter
is used to filter what can be seen when asking for a list
of objects (eg 'virsh list' gets filtered)

Again to ensure accurate checks, we automate the generation
of methods for applying access control checks to each API.
These helper methods are named to match the public API names.
The last patch ensures that every method listed in the
virXXXXDriverPtr tables has a call to an access control
helper with the same name as the public API.

And of course there are the patches which actually add
the access control checks.

Still todo

 - Not all Xen methods have access control checks yet.
   This causes the test case in the last patch to report
   failures

 - Have not wired up the checks for filtering the returned
   objects in any driver yet

 - The polkit driver is inefficient since it spawns
   pkcheck for each check. We need to talk to DBus
   directly since ACL checks will be very frequent
   and need to be lightweight

 - The SELinux driver is validating against the label
   of libvirtd. We need to validate against the label of
   the virDomainDefPtr security model or some equivalent
   for other objects.

 - Need to write a generic RBAC access control impl. It
   was hoped that new polkit would make this obsolete.
   Polkit is still unable to do access control checks
   for non-local users though eg it can't validate
   against SASL usernames or x509 certs.

Daniel P. Berrange (19):
  Define basic internal API for access control
  Set conn->driver before running driver connectOpen method
  Setup default access control manager in libvirtd
  Add a policy kit access control driver
  Add an SELinux access control driver
  Add ACL annotations to all RPC messages
  Auto-generate helpers for checking access control rules
  Add ACL checks into the QEMU driver
  Add ACL checks into the LXC driver
  Add ACL checks into the UML driver
  Add ACL checks into the Xen driver
  Add ACL checks into the libxl driver
  Add ACL checks into the storage driver
  Add ACL checks into the network driver
  Add ACL checks into the interface driver
  Add ACL checks into the node device driver
  Add ACL checks into the nwfilter driver
  Add ACL checks into the secrets driver
  Add validation that all APIs contain ACL checks

 .gitignore                              |  10 +
 daemon/Makefile.am                      |   1 +
 daemon/libvirtd-config.c                |   4 +
 daemon/libvirtd-config.h                |   2 +
 daemon/libvirtd.aug                     |   1 +
 daemon/libvirtd.c                       |  27 ++
 daemon/libvirtd.conf                    |   9 +
 daemon/test_libvirtd.aug.in             |   4 +
 include/libvirt/virterror.h             |   4 +
 m4/virt-compile-warnings.m4             |   1 +
 m4/virt-selinux.m4                      |   2 +
 po/POTFILES.in                          |   3 +
 src/Makefile.am                         | 128 +++++-
 src/access/genpolkit.pl                 | 119 ++++++
 src/access/viraccessdriver.h            |  89 ++++
 src/access/viraccessdrivernop.c         | 118 ++++++
 src/access/viraccessdrivernop.h         |  28 ++
 src/access/viraccessdriverpolkit.c      | 399 ++++++++++++++++++
 src/access/viraccessdriverpolkit.h      |  28 ++
 src/access/viraccessdriverselinux.c     | 565 +++++++++++++++++++++++++
 src/access/viraccessdriverselinux.h     |  28 ++
 src/access/viraccessdriverstack.c       | 285 +++++++++++++
 src/access/viraccessdriverstack.h       |  32 ++
 src/access/viraccessmanager.c           | 352 ++++++++++++++++
 src/access/viraccessmanager.h           |  91 ++++
 src/access/viraccessperm.c              |  84 ++++
 src/access/viraccessperm.h              | 647 +++++++++++++++++++++++++++++
 src/check-aclrules.pl                   | 144 +++++++
 src/interface/interface_backend_netcf.c | 114 +++++
 src/interface/interface_backend_udev.c  |  85 +++-
 src/internal.h                          |   4 +
 src/libvirt.c                           |  11 +-
 src/libvirt_private.syms                |  37 ++
 src/libxl/libxl_driver.c                | 187 ++++++++-
 src/locking/lock_protocol.x             |   8 +
 src/lxc/lxc_driver.c                    | 219 +++++++++-
 src/network/bridge_driver.c             |  61 +++
 src/node_device/node_device_driver.c    |  36 ++
 src/nwfilter/nwfilter_driver.c          |  26 ++
 src/qemu/qemu_driver.c                  | 716 ++++++++++++++++++++++++++++----
 src/remote/lxc_protocol.x               |   1 +
 src/remote/qemu_protocol.x              |   4 +
 src/remote/remote_protocol.x            | 406 ++++++++++++++++++
 src/rpc/gendispatch.pl                  | 212 +++++++++-
 src/secret/secret_driver.c              |  31 ++
 src/storage/storage_driver.c            | 155 ++++++-
 src/uml/uml_driver.c                    | 174 +++++++-
 src/util/virerror.c                     |   8 +
 src/util/virlog.c                       |   3 +-
 src/util/virlog.h                       |   1 +
 src/xen/xen_driver.c                    | 217 +++++++++-
 51 files changed, 5785 insertions(+), 136 deletions(-)
 create mode 100755 src/access/genpolkit.pl
 create mode 100644 src/access/viraccessdriver.h
 create mode 100644 src/access/viraccessdrivernop.c
 create mode 100644 src/access/viraccessdrivernop.h
 create mode 100644 src/access/viraccessdriverpolkit.c
 create mode 100644 src/access/viraccessdriverpolkit.h
 create mode 100644 src/access/viraccessdriverselinux.c
 create mode 100644 src/access/viraccessdriverselinux.h
 create mode 100644 src/access/viraccessdriverstack.c
 create mode 100644 src/access/viraccessdriverstack.h
 create mode 100644 src/access/viraccessmanager.c
 create mode 100644 src/access/viraccessmanager.h
 create mode 100644 src/access/viraccessperm.c
 create mode 100644 src/access/viraccessperm.h
 create mode 100644 src/check-aclrules.pl

-- 
1.8.1.4


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]