[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

[libvirt] [PATCH 04/19] Add a policy kit access control driver



From: "Daniel P. Berrange" <berrange redhat com>

Add an access control driver that uses the pkcheck command
to check authorization requests. This is fairly inefficient,
particularly for cases where an API returns a list of objects
and needs to check permission for each object.

It would be desirable to use the polkit API but this links
to glib with abort-on-OOM behaviour, so can't be used. The
other alternative is to speak to dbus directly

Signed-off-by: Daniel P. Berrange <berrange redhat com>
---
 .gitignore                         |   1 +
 po/POTFILES.in                     |   1 +
 src/Makefile.am                    |  28 ++-
 src/access/genpolkit.pl            | 119 +++++++++++
 src/access/viraccessdriverpolkit.c | 399 +++++++++++++++++++++++++++++++++++++
 src/access/viraccessdriverpolkit.h |  28 +++
 src/access/viraccessmanager.c      |   6 +
 7 files changed, 581 insertions(+), 1 deletion(-)
 create mode 100755 src/access/genpolkit.pl
 create mode 100644 src/access/viraccessdriverpolkit.c
 create mode 100644 src/access/viraccessdriverpolkit.h

diff --git a/.gitignore b/.gitignore
index 5e50b52..76ee420 100644
--- a/.gitignore
+++ b/.gitignore
@@ -104,6 +104,7 @@
 /run
 /sc_*
 /src/.*.stamp
+/src/access/org.libvirt.api.policy
 /src/esx/*.generated.*
 /src/hyperv/*.generated.*
 /src/libvirt*.def
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 37c6019..02713c1 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -6,6 +6,7 @@ daemon/remote_dispatch.h
 daemon/stream.c
 gnulib/lib/gai_strerror.c
 gnulib/lib/regcomp.c
+src/access/viraccessdriverpolkit.c
 src/access/viraccessmanager.c
 src/conf/cpu_conf.c
 src/conf/device_conf.c
diff --git a/src/Makefile.am b/src/Makefile.am
index babd019..3e6c3df 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -779,6 +779,13 @@ ACCESS_DRIVER_SOURCES = \
 		access/viraccessdrivernop.h access/viraccessdrivernop.c \
 		access/viraccessdriverstack.h access/viraccessdriverstack.c
 
+ACCESS_DRIVER_POLKIT_SOURCES = \
+		access/viraccessdriverpolkit.h access/viraccessdriverpolkit.c
+
+ACCESS_DRIVER_POLKIT_POLICY = \
+		access/org.libvirt.api.policy
+
+
 NODE_DEVICE_DRIVER_SOURCES =					\
 		node_device/node_device_driver.c		\
 		node_device/node_device_driver.h		\
@@ -1359,6 +1366,24 @@ libvirt_driver_access_la_CFLAGS = \
 libvirt_driver_access_la_LDFLAGS = $(AM_LDFLAGS)
 libvirt_driver_access_la_LIBADD =
 
+EXTRA_DIST += access/genpolkit.pl
+
+if WITH_POLKIT1
+libvirt_driver_access_la_SOURCES += $(ACCESS_DRIVER_POLKIT_SOURCES)
+
+polkitactiondir = $(datadir)/polkit-1/actions
+polkitaction_DATA = $(ACCESS_DRIVER_POLKIT_POLICY)
+
+$(ACCESS_DRIVER_POLKIT_POLICY): $(srcdir)/access/viraccessperm.h \
+    $(srcdir)/access/genpolkit.pl Makefile.am
+	$(AM_V_GEN)$(PERL) $(srcdir)/access/genpolkit.pl < $< > $@ || rm -f $@
+
+CLEANFILES += $(ACCESS_DRIVER_POLKIT_POLICY)
+BUILT_SOURCES += $(ACCESS_DRIVER_POLKIT_POLICY)
+else
+EXTRA_DIST += $(ACCESS_DRIVER_POLKIT_SOURCES)
+endif
+
 
 # Add all conditional sources just in case...
 EXTRA_DIST +=							\
@@ -1398,7 +1423,8 @@ EXTRA_DIST +=							\
 		$(SECRET_DRIVER_SOURCES)			\
 		$(VBOX_DRIVER_EXTRA_DIST)			\
 		$(VMWARE_DRIVER_SOURCES)			\
-		$(XENXS_SOURCES)
+		$(XENXS_SOURCES)				\
+		$(ACCESS_DRIVER_POLKIT_POLICY)
 
 check-local: check-augeas
 
diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl
new file mode 100755
index 0000000..eb7069a
--- /dev/null
+++ b/src/access/genpolkit.pl
@@ -0,0 +1,119 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2012-2013 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library.  If not, see
+# <http://www.gnu.org/licenses/>.
+#
+
+use strict;
+use warnings;
+
+my @objects = (
+    "CONNECT", "DOMAIN", "INTERFACE",
+    "NETWORK","NODE_DEVICE", "NWFILTER",
+     "SECRET", "STORAGE_POOL", "STORAGE_VOL",
+    );
+
+my $objects = join ("|", @objects);
+
+# Data we're going to be generating looks like this
+#
+# <policyconfig>
+#   <action id="org.libvirt.unix.monitor">
+#     <description>Monitor local virtualized systems</description>
+#     <message>System policy prevents monitoring of local virtualized systems</message>
+#     <defaults>
+#       <allow_any>yes</allow_any>
+#       <allow_inactive>yes</allow_inactive>
+#       <allow_active>yes</allow_active>
+#     </defaults>
+#   </action>
+#   ...more <action> rules...
+# </policyconfig>
+
+my %opts;
+my $in_opts = 0;
+
+my %perms;
+
+while (<>) {
+    if ($in_opts) {
+        if (m,\*/,) {
+            $in_opts = 0;
+        } elsif (/\*\s*\@(\w+):\s*(.*?)\s*$/) {
+            $opts{$1} = $2;
+        }
+    } elsif (m,/\*\*,) {
+        $in_opts = 1;
+    } elsif (/VIR_ACCESS_PERM_($objects)_((?:\w|_)+),/) {
+        my $object = lc $1;
+        my $perm = lc $2;
+        next if $perm eq "last";
+
+        $object =~ s/_/-/g;
+        $perm =~ s/_/-/g;
+
+        $perms{$object} = {} unless exists $perms{$object};
+        $perms{$object}->{$perm} = {
+            desc => $opts{desc},
+            message => $opts{message},
+            anonymous => $opts{anonymous}
+        };
+        %opts = ();
+    }
+}
+
+print <<EOF;
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD polkit Policy Configuration 1.0//EN"
+    "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd";>
+<policyconfig>
+  <vendor>Libvirt Project</vendor>
+  <vendor_url>http://libvirt.org</vendor_url>
+EOF
+
+foreach my $object (sort { $a cmp $b } keys %perms) {
+    foreach my $perm (sort { $a cmp $b } keys %{$perms{$object}}) {
+        my $description = $perms{$object}->{$perm}->{desc};
+        my $message = $perms{$object}->{$perm}->{message};
+        my $anonymous = $perms{$object}->{$perm}->{anonymous};
+
+        die "missing description for $object.$perm" unless
+            defined $description;
+        die "missing message for $object.$perm" unless
+            defined $message;
+
+        my $allow_any = $anonymous ? "yes" : "no";
+        my $allow_inactive = $allow_any;
+        my $allow_active = $allow_any;
+
+        print <<EOF;
+  <action id="org.libvirt.api.$object.$perm">
+    <description>$description</description>
+    <message>$message</message>
+    <defaults>
+      <allow_any>$allow_any</allow_any>
+      <allow_inactive>$allow_inactive</allow_inactive>
+      <allow_active>$allow_active</allow_active>
+    </defaults>
+  </action>
+EOF
+
+    }
+}
+
+print <<EOF;
+</policyconfig>
+EOF
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
new file mode 100644
index 0000000..0426fda
--- /dev/null
+++ b/src/access/viraccessdriverpolkit.c
@@ -0,0 +1,399 @@
+/*
+ * viraccessdriverpolkit.c: polkited access control driver
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include "viraccessdriverpolkit.h"
+#include "viralloc.h"
+#include "vircommand.h"
+#include "virlog.h"
+#include "virprocess.h"
+#include "virerror.h"
+#include "virstring.h"
+
+#define VIR_FROM_THIS VIR_FROM_ACCESS
+#define virAccessError(code, ...)                                       \
+    virReportErrorHelper(VIR_FROM_THIS, code, __FILE__,                 \
+                         __FUNCTION__, __LINE__, __VA_ARGS__)
+
+#define VIR_ACCESS_DRIVER_POLKIT_ACTION_PREFIX "org.libvirt.api"
+
+typedef struct _virAccessDriverPolkitPrivate virAccessDriverPolkitPrivate;
+typedef virAccessDriverPolkitPrivate *virAccessDriverPolkitPrivatePtr;
+
+struct _virAccessDriverPolkitPrivate {
+    bool ignore;
+};
+
+
+static void virAccessDriverPolkitCleanup(virAccessManagerPtr manager ATTRIBUTE_UNUSED)
+{
+}
+
+
+static char *
+virAccessDriverPolkitFormatAction(const char *typename,
+                                  const char *permname)
+{
+    char *actionid = NULL;
+    size_t i;
+
+    if (virAsprintf(&actionid, "%s.%s.%s",
+                    VIR_ACCESS_DRIVER_POLKIT_ACTION_PREFIX,
+                    typename, permname) < 0) {
+        virReportOOMError();
+        return NULL;
+    }
+
+    for (i = 0 ; actionid[i] ; i++)
+        if (actionid[i] == '_')
+            actionid[i] = '-';
+
+    return actionid;
+}
+
+
+static char *
+virAccessDriverPolkitFormatProcess(const char *actionid)
+{
+    virIdentityPtr identity = virIdentityGetCurrent();
+    const char *process = NULL;
+    char *ret = NULL;
+
+    if (!identity) {
+        virAccessError(VIR_ERR_ACCESS_DENIED,
+                       _("Policy kit denied action %s from <anonymous>"),
+                       actionid);
+        return NULL;
+    }
+    if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
+        goto cleanup;
+
+    if (!process) {
+        virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+                       _("No UNIX process ID available"));
+        goto cleanup;
+    }
+
+    if (VIR_STRDUP(ret, process) < 0)
+        goto cleanup;
+
+cleanup:
+    virObjectUnref(identity);
+    return ret;
+}
+
+
+static int
+virAccessDriverPolkitCheck(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+                           const char *typename,
+                           const char *permname,
+                           const char **attrs)
+{
+    char *actionid = NULL;
+    char *process = NULL;
+    virCommandPtr cmd = NULL;
+    int status;
+    int ret = -1;
+
+    if (!(actionid = virAccessDriverPolkitFormatAction(typename, permname)))
+        goto cleanup;
+
+    if (!(process = virAccessDriverPolkitFormatProcess(actionid)))
+        goto cleanup;
+
+    cmd = virCommandNewArgList(PKCHECK_PATH,
+                               "--action-id", actionid,
+                               "--process", process,
+                               NULL);
+
+    while (attrs && attrs[0] && attrs[1]) {
+        virCommandAddArgList(cmd, "--detail", attrs[0], attrs[1], NULL);
+        attrs += 2;
+    }
+
+    if (virCommandRun(cmd, &status) < 0)
+        goto cleanup;
+
+    if (status == 0) {
+        ret = 1; /* Allowed */
+    } else {
+        if (status == 1 ||
+            status == 2 ||
+            status == 3) {
+            ret = 0; /* Denied */
+        } else {
+            ret = -1; /* Error */
+            char *tmp = virProcessTranslateStatus(status);
+            virAccessError(VIR_ERR_ACCESS_DENIED,
+                           _("Policy kit denied action %s from %s: %s"),
+                           actionid, process, NULLSTR(tmp));
+            VIR_FREE(tmp);
+        }
+        goto cleanup;
+    }
+
+cleanup:
+    virCommandFree(cmd);
+    VIR_FREE(actionid);
+    VIR_FREE(process);
+    return ret;
+}
+
+
+static int
+virAccessDriverPolkitCheckConnect(virAccessManagerPtr manager,
+                                  const char *driverName,
+                                  virAccessPermConnect perm)
+{
+    const char *attrs[] = {
+        "connect-driver", driverName,
+        NULL,
+    };
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "connect",
+                                      virAccessPermConnectTypeToString(perm),
+                                      attrs);
+}
+
+static int
+virAccessDriverPolkitCheckDomain(virAccessManagerPtr manager,
+                                 const char *driverName,
+                                 virDomainDefPtr domain,
+                                 virAccessPermDomain perm)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect-driver", driverName,
+        "domain-name", domain->name,
+        "domain-uuid", uuidstr,
+        NULL,
+    };
+    virUUIDFormat(domain->uuid, uuidstr);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "domain",
+                                      virAccessPermDomainTypeToString(perm),
+                                      attrs);
+}
+
+static int
+virAccessDriverPolkitCheckInterface(virAccessManagerPtr manager,
+                                    const char *driverName,
+                                    virInterfaceDefPtr iface,
+                                    virAccessPermInterface perm)
+{
+    const char *attrs[] = {
+        "connect-driver", driverName,
+        "interface-name", iface->name,
+        "interface-macaddr", iface->mac,
+        NULL,
+    };
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "interface",
+                                      virAccessPermInterfaceTypeToString(perm),
+                                      attrs);
+}
+
+static int
+virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
+                                  const char *driverName,
+                                  virNetworkDefPtr network,
+                                  virAccessPermNetwork perm)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect-driver", driverName,
+        "network-name", network->name,
+        "network-uuid", uuidstr,
+        NULL,
+    };
+    virUUIDFormat(network->uuid, uuidstr);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "network",
+                                      virAccessPermNetworkTypeToString(perm),
+                                      attrs);
+}
+
+static int
+virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager,
+                                     const char *driverName,
+                                     virNodeDeviceDefPtr nodedev,
+                                     virAccessPermNodeDevice perm)
+{
+    const char *attrs[] = {
+        "connect-driver", driverName,
+        "node-device-name", nodedev->name,
+        NULL,
+    };
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "nodedevice",
+                                      virAccessPermNodeDeviceTypeToString(perm),
+                                      attrs);
+}
+
+static int
+virAccessDriverPolkitCheckNWFilter(virAccessManagerPtr manager,
+                                   const char *driverName,
+                                   virNWFilterDefPtr nwfilter,
+                                   virAccessPermNWFilter perm)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect-driver", driverName,
+        "nwfilter-name", nwfilter->name,
+        "nwfilter-uuid", uuidstr,
+        NULL,
+    };
+    virUUIDFormat(nwfilter->uuid, uuidstr);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "nwfilter",
+                                      virAccessPermNWFilterTypeToString(perm),
+                                      attrs);
+}
+
+static int
+virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
+                                 const char *driverName,
+                                 virSecretDefPtr secret,
+                                 virAccessPermSecret perm)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    virUUIDFormat(secret->uuid, uuidstr);
+
+    switch (secret->usage_type) {
+    default:
+    case VIR_SECRET_USAGE_TYPE_NONE: {
+        const char *attrs[] = {
+            "connect-driver", driverName,
+            "secret-uuid", uuidstr,
+            NULL,
+        };
+
+        return virAccessDriverPolkitCheck(manager,
+                                          "secret",
+                                          virAccessPermSecretTypeToString(perm),
+                                          attrs);
+    }   break;
+    case VIR_SECRET_USAGE_TYPE_VOLUME: {
+        const char *attrs[] = {
+            "connect-driver", driverName,
+            "secret-uuid", uuidstr,
+            "secret-usage-volume", secret->usage.volume,
+            NULL,
+        };
+
+        return virAccessDriverPolkitCheck(manager,
+                                          "secret",
+                                          virAccessPermSecretTypeToString(perm),
+                                          attrs);
+    }   break;
+    case VIR_SECRET_USAGE_TYPE_CEPH: {
+        const char *attrs[] = {
+            "connect-driver", driverName,
+            "secret-uuid", uuidstr,
+            "secret-usage-ceph", secret->usage.ceph,
+            NULL,
+        };
+
+        return virAccessDriverPolkitCheck(manager,
+                                          "secret",
+                                          virAccessPermSecretTypeToString(perm),
+                                          attrs);
+    }   break;
+    case VIR_SECRET_USAGE_TYPE_ISCSI: {
+        const char *attrs[] = {
+            "connect-driver", driverName,
+            "secret-uuid", uuidstr,
+            "secret-usage-target", secret->usage.target,
+            NULL,
+        };
+
+        return virAccessDriverPolkitCheck(manager,
+                                          "secret",
+                                          virAccessPermSecretTypeToString(perm),
+                                          attrs);
+    }   break;
+    }
+}
+
+static int
+virAccessDriverPolkitCheckStoragePool(virAccessManagerPtr manager,
+                                      const char *driverName,
+                                      virStoragePoolDefPtr pool,
+                                      virAccessPermStoragePool perm)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect-driver", driverName,
+        "pool-name", pool->name,
+        "pool-uuid", uuidstr,
+        NULL,
+    };
+    virUUIDFormat(pool->uuid, uuidstr);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "pool",
+                                      virAccessPermStoragePoolTypeToString(perm),
+                                      attrs);
+}
+
+static int
+virAccessDriverPolkitCheckStorageVol(virAccessManagerPtr manager,
+                                     const char *driverName,
+                                     virStoragePoolDefPtr pool,
+                                     virStorageVolDefPtr vol,
+                                     virAccessPermStorageVol perm)
+{
+    char uuidstr[VIR_UUID_STRING_BUFLEN];
+    const char *attrs[] = {
+        "connect-driver", driverName,
+        "pool-name", pool->name,
+        "pool-uuid", uuidstr,
+        "vol-name", vol->name,
+        "vol-key", vol->key,
+        NULL,
+    };
+    virUUIDFormat(pool->uuid, uuidstr);
+
+    return virAccessDriverPolkitCheck(manager,
+                                      "vol",
+                                      virAccessPermStorageVolTypeToString(perm),
+                                      attrs);
+}
+
+virAccessDriver accessDriverPolkit = {
+    .name = "polkit",
+    .cleanup = virAccessDriverPolkitCleanup,
+    .checkConnect = virAccessDriverPolkitCheckConnect,
+    .checkDomain = virAccessDriverPolkitCheckDomain,
+    .checkInterface = virAccessDriverPolkitCheckInterface,
+    .checkNetwork = virAccessDriverPolkitCheckNetwork,
+    .checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
+    .checkNWFilter = virAccessDriverPolkitCheckNWFilter,
+    .checkSecret = virAccessDriverPolkitCheckSecret,
+    .checkStoragePool = virAccessDriverPolkitCheckStoragePool,
+    .checkStorageVol = virAccessDriverPolkitCheckStorageVol,
+};
diff --git a/src/access/viraccessdriverpolkit.h b/src/access/viraccessdriverpolkit.h
new file mode 100644
index 0000000..00b044f
--- /dev/null
+++ b/src/access/viraccessdriverpolkit.h
@@ -0,0 +1,28 @@
+/*
+ * viraccessdriverpolkit.h: polkited access control driver
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library.  If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __VIR_ACCESS_DRIVER_POLKIT_H__
+# define __VIR_ACCESS_DRIVER_POLKIT_H__
+
+# include "viraccessdriver.h"
+
+extern virAccessDriver accessDriverPolkit;
+
+#endif /* __VIR_ACCESS_DRIVER_POLKIT_H__ */
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index ff1a538..f8c0cae 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -23,6 +23,9 @@
 #include "viraccessmanager.h"
 #include "viraccessdrivernop.h"
 #include "viraccessdriverstack.h"
+#if WITH_POLKIT1
+# include "viraccessdriverpolkit.h"
+#endif
 #include "viralloc.h"
 #include "virerror.h"
 #include "virobject.h"
@@ -108,6 +111,9 @@ static virAccessManagerPtr virAccessManagerNewDriver(virAccessDriverPtr drv)
 
 static virAccessDriverPtr accessDrivers[] = {
     &accessDriverNop,
+#if WITH_POLKIT1
+    &accessDriverPolkit,
+#endif
 };
 
 
-- 
1.8.1.4


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]