[libvirt] [PATCH 04/19] Add a policy kit access control driver
Daniel P. Berrange
berrange at redhat.com
Thu May 9 13:26:07 UTC 2013
From: "Daniel P. Berrange" <berrange at redhat.com>
Add an access control driver that uses the pkcheck command
to check authorization requests. This is fairly inefficient,
particularly for cases where an API returns a list of objects
and needs to check permission for each object.
It would be desirable to use the polkit API but this links
to glib with abort-on-OOM behaviour, so can't be used. The
other alternative is to speak to dbus directly
Signed-off-by: Daniel P. Berrange <berrange at redhat.com>
---
.gitignore | 1 +
po/POTFILES.in | 1 +
src/Makefile.am | 28 ++-
src/access/genpolkit.pl | 119 +++++++++++
src/access/viraccessdriverpolkit.c | 399 +++++++++++++++++++++++++++++++++++++
src/access/viraccessdriverpolkit.h | 28 +++
src/access/viraccessmanager.c | 6 +
7 files changed, 581 insertions(+), 1 deletion(-)
create mode 100755 src/access/genpolkit.pl
create mode 100644 src/access/viraccessdriverpolkit.c
create mode 100644 src/access/viraccessdriverpolkit.h
diff --git a/.gitignore b/.gitignore
index 5e50b52..76ee420 100644
--- a/.gitignore
+++ b/.gitignore
@@ -104,6 +104,7 @@
/run
/sc_*
/src/.*.stamp
+/src/access/org.libvirt.api.policy
/src/esx/*.generated.*
/src/hyperv/*.generated.*
/src/libvirt*.def
diff --git a/po/POTFILES.in b/po/POTFILES.in
index 37c6019..02713c1 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -6,6 +6,7 @@ daemon/remote_dispatch.h
daemon/stream.c
gnulib/lib/gai_strerror.c
gnulib/lib/regcomp.c
+src/access/viraccessdriverpolkit.c
src/access/viraccessmanager.c
src/conf/cpu_conf.c
src/conf/device_conf.c
diff --git a/src/Makefile.am b/src/Makefile.am
index babd019..3e6c3df 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -779,6 +779,13 @@ ACCESS_DRIVER_SOURCES = \
access/viraccessdrivernop.h access/viraccessdrivernop.c \
access/viraccessdriverstack.h access/viraccessdriverstack.c
+ACCESS_DRIVER_POLKIT_SOURCES = \
+ access/viraccessdriverpolkit.h access/viraccessdriverpolkit.c
+
+ACCESS_DRIVER_POLKIT_POLICY = \
+ access/org.libvirt.api.policy
+
+
NODE_DEVICE_DRIVER_SOURCES = \
node_device/node_device_driver.c \
node_device/node_device_driver.h \
@@ -1359,6 +1366,24 @@ libvirt_driver_access_la_CFLAGS = \
libvirt_driver_access_la_LDFLAGS = $(AM_LDFLAGS)
libvirt_driver_access_la_LIBADD =
+EXTRA_DIST += access/genpolkit.pl
+
+if WITH_POLKIT1
+libvirt_driver_access_la_SOURCES += $(ACCESS_DRIVER_POLKIT_SOURCES)
+
+polkitactiondir = $(datadir)/polkit-1/actions
+polkitaction_DATA = $(ACCESS_DRIVER_POLKIT_POLICY)
+
+$(ACCESS_DRIVER_POLKIT_POLICY): $(srcdir)/access/viraccessperm.h \
+ $(srcdir)/access/genpolkit.pl Makefile.am
+ $(AM_V_GEN)$(PERL) $(srcdir)/access/genpolkit.pl < $< > $@ || rm -f $@
+
+CLEANFILES += $(ACCESS_DRIVER_POLKIT_POLICY)
+BUILT_SOURCES += $(ACCESS_DRIVER_POLKIT_POLICY)
+else
+EXTRA_DIST += $(ACCESS_DRIVER_POLKIT_SOURCES)
+endif
+
# Add all conditional sources just in case...
EXTRA_DIST += \
@@ -1398,7 +1423,8 @@ EXTRA_DIST += \
$(SECRET_DRIVER_SOURCES) \
$(VBOX_DRIVER_EXTRA_DIST) \
$(VMWARE_DRIVER_SOURCES) \
- $(XENXS_SOURCES)
+ $(XENXS_SOURCES) \
+ $(ACCESS_DRIVER_POLKIT_POLICY)
check-local: check-augeas
diff --git a/src/access/genpolkit.pl b/src/access/genpolkit.pl
new file mode 100755
index 0000000..eb7069a
--- /dev/null
+++ b/src/access/genpolkit.pl
@@ -0,0 +1,119 @@
+#!/usr/bin/perl
+#
+# Copyright (C) 2012-2013 Red Hat, Inc.
+#
+# This library is free software; you can redistribute it and/or
+# modify it under the terms of the GNU Lesser General Public
+# License as published by the Free Software Foundation; either
+# version 2.1 of the License, or (at your option) any later version.
+#
+# This library is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public
+# License along with this library. If not, see
+# <http://www.gnu.org/licenses/>.
+#
+
+use strict;
+use warnings;
+
+my @objects = (
+ "CONNECT", "DOMAIN", "INTERFACE",
+ "NETWORK","NODE_DEVICE", "NWFILTER",
+ "SECRET", "STORAGE_POOL", "STORAGE_VOL",
+ );
+
+my $objects = join ("|", @objects);
+
+# Data we're going to be generating looks like this
+#
+# <policyconfig>
+# <action id="org.libvirt.unix.monitor">
+# <description>Monitor local virtualized systems</description>
+# <message>System policy prevents monitoring of local virtualized systems</message>
+# <defaults>
+# <allow_any>yes</allow_any>
+# <allow_inactive>yes</allow_inactive>
+# <allow_active>yes</allow_active>
+# </defaults>
+# </action>
+# ...more <action> rules...
+# </policyconfig>
+
+my %opts;
+my $in_opts = 0;
+
+my %perms;
+
+while (<>) {
+ if ($in_opts) {
+ if (m,\*/,) {
+ $in_opts = 0;
+ } elsif (/\*\s*\@(\w+):\s*(.*?)\s*$/) {
+ $opts{$1} = $2;
+ }
+ } elsif (m,/\*\*,) {
+ $in_opts = 1;
+ } elsif (/VIR_ACCESS_PERM_($objects)_((?:\w|_)+),/) {
+ my $object = lc $1;
+ my $perm = lc $2;
+ next if $perm eq "last";
+
+ $object =~ s/_/-/g;
+ $perm =~ s/_/-/g;
+
+ $perms{$object} = {} unless exists $perms{$object};
+ $perms{$object}->{$perm} = {
+ desc => $opts{desc},
+ message => $opts{message},
+ anonymous => $opts{anonymous}
+ };
+ %opts = ();
+ }
+}
+
+print <<EOF;
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD polkit Policy Configuration 1.0//EN"
+ "http://www.freedesktop.org/software/polkit/policyconfig-1.dtd">
+<policyconfig>
+ <vendor>Libvirt Project</vendor>
+ <vendor_url>http://libvirt.org</vendor_url>
+EOF
+
+foreach my $object (sort { $a cmp $b } keys %perms) {
+ foreach my $perm (sort { $a cmp $b } keys %{$perms{$object}}) {
+ my $description = $perms{$object}->{$perm}->{desc};
+ my $message = $perms{$object}->{$perm}->{message};
+ my $anonymous = $perms{$object}->{$perm}->{anonymous};
+
+ die "missing description for $object.$perm" unless
+ defined $description;
+ die "missing message for $object.$perm" unless
+ defined $message;
+
+ my $allow_any = $anonymous ? "yes" : "no";
+ my $allow_inactive = $allow_any;
+ my $allow_active = $allow_any;
+
+ print <<EOF;
+ <action id="org.libvirt.api.$object.$perm">
+ <description>$description</description>
+ <message>$message</message>
+ <defaults>
+ <allow_any>$allow_any</allow_any>
+ <allow_inactive>$allow_inactive</allow_inactive>
+ <allow_active>$allow_active</allow_active>
+ </defaults>
+ </action>
+EOF
+
+ }
+}
+
+print <<EOF;
+</policyconfig>
+EOF
diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
new file mode 100644
index 0000000..0426fda
--- /dev/null
+++ b/src/access/viraccessdriverpolkit.c
@@ -0,0 +1,399 @@
+/*
+ * viraccessdriverpolkit.c: polkited access control driver
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#include <config.h>
+
+#include "viraccessdriverpolkit.h"
+#include "viralloc.h"
+#include "vircommand.h"
+#include "virlog.h"
+#include "virprocess.h"
+#include "virerror.h"
+#include "virstring.h"
+
+#define VIR_FROM_THIS VIR_FROM_ACCESS
+#define virAccessError(code, ...) \
+ virReportErrorHelper(VIR_FROM_THIS, code, __FILE__, \
+ __FUNCTION__, __LINE__, __VA_ARGS__)
+
+#define VIR_ACCESS_DRIVER_POLKIT_ACTION_PREFIX "org.libvirt.api"
+
+typedef struct _virAccessDriverPolkitPrivate virAccessDriverPolkitPrivate;
+typedef virAccessDriverPolkitPrivate *virAccessDriverPolkitPrivatePtr;
+
+struct _virAccessDriverPolkitPrivate {
+ bool ignore;
+};
+
+
+static void virAccessDriverPolkitCleanup(virAccessManagerPtr manager ATTRIBUTE_UNUSED)
+{
+}
+
+
+static char *
+virAccessDriverPolkitFormatAction(const char *typename,
+ const char *permname)
+{
+ char *actionid = NULL;
+ size_t i;
+
+ if (virAsprintf(&actionid, "%s.%s.%s",
+ VIR_ACCESS_DRIVER_POLKIT_ACTION_PREFIX,
+ typename, permname) < 0) {
+ virReportOOMError();
+ return NULL;
+ }
+
+ for (i = 0 ; actionid[i] ; i++)
+ if (actionid[i] == '_')
+ actionid[i] = '-';
+
+ return actionid;
+}
+
+
+static char *
+virAccessDriverPolkitFormatProcess(const char *actionid)
+{
+ virIdentityPtr identity = virIdentityGetCurrent();
+ const char *process = NULL;
+ char *ret = NULL;
+
+ if (!identity) {
+ virAccessError(VIR_ERR_ACCESS_DENIED,
+ _("Policy kit denied action %s from <anonymous>"),
+ actionid);
+ return NULL;
+ }
+ if (virIdentityGetAttr(identity, VIR_IDENTITY_ATTR_UNIX_PROCESS_ID, &process) < 0)
+ goto cleanup;
+
+ if (!process) {
+ virAccessError(VIR_ERR_INTERNAL_ERROR, "%s",
+ _("No UNIX process ID available"));
+ goto cleanup;
+ }
+
+ if (VIR_STRDUP(ret, process) < 0)
+ goto cleanup;
+
+cleanup:
+ virObjectUnref(identity);
+ return ret;
+}
+
+
+static int
+virAccessDriverPolkitCheck(virAccessManagerPtr manager ATTRIBUTE_UNUSED,
+ const char *typename,
+ const char *permname,
+ const char **attrs)
+{
+ char *actionid = NULL;
+ char *process = NULL;
+ virCommandPtr cmd = NULL;
+ int status;
+ int ret = -1;
+
+ if (!(actionid = virAccessDriverPolkitFormatAction(typename, permname)))
+ goto cleanup;
+
+ if (!(process = virAccessDriverPolkitFormatProcess(actionid)))
+ goto cleanup;
+
+ cmd = virCommandNewArgList(PKCHECK_PATH,
+ "--action-id", actionid,
+ "--process", process,
+ NULL);
+
+ while (attrs && attrs[0] && attrs[1]) {
+ virCommandAddArgList(cmd, "--detail", attrs[0], attrs[1], NULL);
+ attrs += 2;
+ }
+
+ if (virCommandRun(cmd, &status) < 0)
+ goto cleanup;
+
+ if (status == 0) {
+ ret = 1; /* Allowed */
+ } else {
+ if (status == 1 ||
+ status == 2 ||
+ status == 3) {
+ ret = 0; /* Denied */
+ } else {
+ ret = -1; /* Error */
+ char *tmp = virProcessTranslateStatus(status);
+ virAccessError(VIR_ERR_ACCESS_DENIED,
+ _("Policy kit denied action %s from %s: %s"),
+ actionid, process, NULLSTR(tmp));
+ VIR_FREE(tmp);
+ }
+ goto cleanup;
+ }
+
+cleanup:
+ virCommandFree(cmd);
+ VIR_FREE(actionid);
+ VIR_FREE(process);
+ return ret;
+}
+
+
+static int
+virAccessDriverPolkitCheckConnect(virAccessManagerPtr manager,
+ const char *driverName,
+ virAccessPermConnect perm)
+{
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "connect",
+ virAccessPermConnectTypeToString(perm),
+ attrs);
+}
+
+static int
+virAccessDriverPolkitCheckDomain(virAccessManagerPtr manager,
+ const char *driverName,
+ virDomainDefPtr domain,
+ virAccessPermDomain perm)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "domain-name", domain->name,
+ "domain-uuid", uuidstr,
+ NULL,
+ };
+ virUUIDFormat(domain->uuid, uuidstr);
+
+ return virAccessDriverPolkitCheck(manager,
+ "domain",
+ virAccessPermDomainTypeToString(perm),
+ attrs);
+}
+
+static int
+virAccessDriverPolkitCheckInterface(virAccessManagerPtr manager,
+ const char *driverName,
+ virInterfaceDefPtr iface,
+ virAccessPermInterface perm)
+{
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "interface-name", iface->name,
+ "interface-macaddr", iface->mac,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "interface",
+ virAccessPermInterfaceTypeToString(perm),
+ attrs);
+}
+
+static int
+virAccessDriverPolkitCheckNetwork(virAccessManagerPtr manager,
+ const char *driverName,
+ virNetworkDefPtr network,
+ virAccessPermNetwork perm)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "network-name", network->name,
+ "network-uuid", uuidstr,
+ NULL,
+ };
+ virUUIDFormat(network->uuid, uuidstr);
+
+ return virAccessDriverPolkitCheck(manager,
+ "network",
+ virAccessPermNetworkTypeToString(perm),
+ attrs);
+}
+
+static int
+virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager,
+ const char *driverName,
+ virNodeDeviceDefPtr nodedev,
+ virAccessPermNodeDevice perm)
+{
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "node-device-name", nodedev->name,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "nodedevice",
+ virAccessPermNodeDeviceTypeToString(perm),
+ attrs);
+}
+
+static int
+virAccessDriverPolkitCheckNWFilter(virAccessManagerPtr manager,
+ const char *driverName,
+ virNWFilterDefPtr nwfilter,
+ virAccessPermNWFilter perm)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "nwfilter-name", nwfilter->name,
+ "nwfilter-uuid", uuidstr,
+ NULL,
+ };
+ virUUIDFormat(nwfilter->uuid, uuidstr);
+
+ return virAccessDriverPolkitCheck(manager,
+ "nwfilter",
+ virAccessPermNWFilterTypeToString(perm),
+ attrs);
+}
+
+static int
+virAccessDriverPolkitCheckSecret(virAccessManagerPtr manager,
+ const char *driverName,
+ virSecretDefPtr secret,
+ virAccessPermSecret perm)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ virUUIDFormat(secret->uuid, uuidstr);
+
+ switch (secret->usage_type) {
+ default:
+ case VIR_SECRET_USAGE_TYPE_NONE: {
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "secret-uuid", uuidstr,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "secret",
+ virAccessPermSecretTypeToString(perm),
+ attrs);
+ } break;
+ case VIR_SECRET_USAGE_TYPE_VOLUME: {
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "secret-uuid", uuidstr,
+ "secret-usage-volume", secret->usage.volume,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "secret",
+ virAccessPermSecretTypeToString(perm),
+ attrs);
+ } break;
+ case VIR_SECRET_USAGE_TYPE_CEPH: {
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "secret-uuid", uuidstr,
+ "secret-usage-ceph", secret->usage.ceph,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "secret",
+ virAccessPermSecretTypeToString(perm),
+ attrs);
+ } break;
+ case VIR_SECRET_USAGE_TYPE_ISCSI: {
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "secret-uuid", uuidstr,
+ "secret-usage-target", secret->usage.target,
+ NULL,
+ };
+
+ return virAccessDriverPolkitCheck(manager,
+ "secret",
+ virAccessPermSecretTypeToString(perm),
+ attrs);
+ } break;
+ }
+}
+
+static int
+virAccessDriverPolkitCheckStoragePool(virAccessManagerPtr manager,
+ const char *driverName,
+ virStoragePoolDefPtr pool,
+ virAccessPermStoragePool perm)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "pool-name", pool->name,
+ "pool-uuid", uuidstr,
+ NULL,
+ };
+ virUUIDFormat(pool->uuid, uuidstr);
+
+ return virAccessDriverPolkitCheck(manager,
+ "pool",
+ virAccessPermStoragePoolTypeToString(perm),
+ attrs);
+}
+
+static int
+virAccessDriverPolkitCheckStorageVol(virAccessManagerPtr manager,
+ const char *driverName,
+ virStoragePoolDefPtr pool,
+ virStorageVolDefPtr vol,
+ virAccessPermStorageVol perm)
+{
+ char uuidstr[VIR_UUID_STRING_BUFLEN];
+ const char *attrs[] = {
+ "connect-driver", driverName,
+ "pool-name", pool->name,
+ "pool-uuid", uuidstr,
+ "vol-name", vol->name,
+ "vol-key", vol->key,
+ NULL,
+ };
+ virUUIDFormat(pool->uuid, uuidstr);
+
+ return virAccessDriverPolkitCheck(manager,
+ "vol",
+ virAccessPermStorageVolTypeToString(perm),
+ attrs);
+}
+
+virAccessDriver accessDriverPolkit = {
+ .name = "polkit",
+ .cleanup = virAccessDriverPolkitCleanup,
+ .checkConnect = virAccessDriverPolkitCheckConnect,
+ .checkDomain = virAccessDriverPolkitCheckDomain,
+ .checkInterface = virAccessDriverPolkitCheckInterface,
+ .checkNetwork = virAccessDriverPolkitCheckNetwork,
+ .checkNodeDevice = virAccessDriverPolkitCheckNodeDevice,
+ .checkNWFilter = virAccessDriverPolkitCheckNWFilter,
+ .checkSecret = virAccessDriverPolkitCheckSecret,
+ .checkStoragePool = virAccessDriverPolkitCheckStoragePool,
+ .checkStorageVol = virAccessDriverPolkitCheckStorageVol,
+};
diff --git a/src/access/viraccessdriverpolkit.h b/src/access/viraccessdriverpolkit.h
new file mode 100644
index 0000000..00b044f
--- /dev/null
+++ b/src/access/viraccessdriverpolkit.h
@@ -0,0 +1,28 @@
+/*
+ * viraccessdriverpolkit.h: polkited access control driver
+ *
+ * Copyright (C) 2012 Red Hat, Inc.
+ *
+ * This library is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License as published by the Free Software Foundation; either
+ * version 2.1 of the License, or (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this library. If not, see
+ * <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __VIR_ACCESS_DRIVER_POLKIT_H__
+# define __VIR_ACCESS_DRIVER_POLKIT_H__
+
+# include "viraccessdriver.h"
+
+extern virAccessDriver accessDriverPolkit;
+
+#endif /* __VIR_ACCESS_DRIVER_POLKIT_H__ */
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index ff1a538..f8c0cae 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -23,6 +23,9 @@
#include "viraccessmanager.h"
#include "viraccessdrivernop.h"
#include "viraccessdriverstack.h"
+#if WITH_POLKIT1
+# include "viraccessdriverpolkit.h"
+#endif
#include "viralloc.h"
#include "virerror.h"
#include "virobject.h"
@@ -108,6 +111,9 @@ static virAccessManagerPtr virAccessManagerNewDriver(virAccessDriverPtr drv)
static virAccessDriverPtr accessDrivers[] = {
&accessDriverNop,
+#if WITH_POLKIT1
+ &accessDriverPolkit,
+#endif
};
--
1.8.1.4
More information about the libvir-list
mailing list