Add ACL checks into the network driver
authorDaniel P. Berrange <berrange@redhat.com>
Tue, 23 Apr 2013 10:56:22 +0000 (11:56 +0100)
committerDaniel P. Berrange <berrange@redhat.com>
Mon, 24 Jun 2013 14:25:44 +0000 (15:25 +0100)
Insert calls to the ACL checking APIs in all network driver
entrypoints.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
src/Makefile.am
src/network/bridge_driver.c

index 0958884e961f3c901dc4bef456ebe1839e21f206..51ccb25c82b2c39226c8cac6a7e7bf79ce9edc3a 100644 (file)
@@ -1227,8 +1227,11 @@ noinst_LTLIBRARIES += libvirt_driver_network.la
 endif
 
 libvirt_driver_network_impl_la_CFLAGS = \
-               $(LIBNL_CFLAGS) $(DBUS_CFLAGS) \
-               -I$(top_srcdir)/src/conf $(AM_CFLAGS) $(DBUS_CFLAGS)
+               $(LIBNL_CFLAGS) \
+               $(DBUS_CFLAGS) \
+               -I$(top_srcdir)/src/access \
+               -I$(top_srcdir)/src/conf \
+               $(AM_CFLAGS)
 libvirt_driver_network_impl_la_SOURCES = $(NETWORK_DRIVER_SOURCES)
 endif
 EXTRA_DIST += network/default.xml
index f7c2470af4236cba152ee6c671437e3c11604162..598820995db3502dc1b5d871a04c2c50dd821c9c 100644 (file)
@@ -65,6 +65,7 @@
 #include "virdbus.h"
 #include "virfile.h"
 #include "virstring.h"
+#include "viraccessapicheck.h"
 
 #define VIR_FROM_THIS VIR_FROM_NETWORK
 
@@ -2834,6 +2835,9 @@ static virNetworkPtr networkLookupByUUID(virConnectPtr conn,
         goto cleanup;
     }
 
+    if (virNetworkLookupByUUIDEnsureACL(conn, network->def) < 0)
+        goto cleanup;
+
     ret = virGetNetwork(conn, network->def->name, network->def->uuid);
 
 cleanup:
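Review bot: The call to `virNetworkLookupByUUIDEnsureACL` runs only after the lookup has succeeded, so a caller who is denied sees a different outcome from one who asks for a UUID that does not exist. This assumes the helper reports an access error distinct from the not-found error raised just above, which the hunk does not show. The check needs `network->def`, so the ordering cannot simply be swapped; the trade-off should be recorded instead, for example `/* ACL check needs the def, so it follows the lookup; a denied caller can still infer that the network exists */`. The same applies to `virNetworkLookupByNameEnsureACL` in networkLookupByName. The function starts and ends outside the hunk.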
@@ -2857,6 +2861,9 @@ static virNetworkPtr networkLookupByName(virConnectPtr conn,
         goto cleanup;
     }
 
+    if (virNetworkLookupByNameEnsureACL(conn, network->def) < 0)
+        goto cleanup;
+
     ret = virGetNetwork(conn, network->def->name, network->def->uuid);
 
 cleanup:
@@ -2887,6 +2894,9 @@ static int networkConnectNumOfNetworks(virConnectPtr conn) {
     int nactive = 0, i;
     struct network_driver *driver = conn->networkPrivateData;
 
+    if (virConnectNumOfNetworksEnsureACL(conn) < 0)
+        return -1;
+
     networkDriverLock(driver);
     for (i = 0; i < driver->networks.count; i++) {
         virNetworkObjLock(driver->networks.objs[i]);
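Review bot: `virConnectNumOfNetworksEnsureACL(conn)` authorises the connection only, and the loop over `driver->networks.objs` that follows has no per-network check in the visible lines. A client allowed to enumerate but not to see a particular network would presumably still have it counted or named. The same pattern appears in networkConnectListNetworks, networkConnectNumOfDefinedNetworks, networkConnectListDefinedNetworks and networkConnectListAllNetworks. If per-object filtering is planned for a later change, say so at each loop, for example `/* TODO: only the connection-level permission is checked; filter objs[i]->def against the per-network ACL */`. The loop body continues outside the hunk.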
@@ -2903,6 +2913,9 @@ static int networkConnectListNetworks(virConnectPtr conn, char **const names, in
     struct network_driver *driver = conn->networkPrivateData;
     int got = 0, i;
 
+    if (virConnectListNetworksEnsureACL(conn) < 0)
+        return -1;
+
     networkDriverLock(driver);
     for (i = 0; i < driver->networks.count && got < nnames; i++) {
         virNetworkObjLock(driver->networks.objs[i]);
@@ -2930,6 +2943,9 @@ static int networkConnectNumOfDefinedNetworks(virConnectPtr conn) {
     int ninactive = 0, i;
     struct network_driver *driver = conn->networkPrivateData;
 
+    if (virConnectNumOfDefinedNetworksEnsureACL(conn) < 0)
+        return -1;
+
     networkDriverLock(driver);
     for (i = 0; i < driver->networks.count; i++) {
         virNetworkObjLock(driver->networks.objs[i]);
@@ -2946,6 +2962,9 @@ static int networkConnectListDefinedNetworks(virConnectPtr conn, char **const na
     struct network_driver *driver = conn->networkPrivateData;
     int got = 0, i;
 
+    if (virConnectListDefinedNetworksEnsureACL(conn) < 0)
+        return -1;
+
     networkDriverLock(driver);
     for (i = 0; i < driver->networks.count && got < nnames; i++) {
         virNetworkObjLock(driver->networks.objs[i]);
@@ -2978,10 +2997,14 @@ networkConnectListAllNetworks(virConnectPtr conn,
 
     virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);
 
+    if (virConnectListAllNetworksEnsureACL(conn) < 0)
+        goto cleanup;
+
     networkDriverLock(driver);
     ret = virNetworkList(conn, driver->networks, nets, flags);
     networkDriverUnlock(driver);
 
+cleanup:
     return ret;
 }
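Review bot: The new `cleanup:` label in networkConnectListAllNetworks has nothing to clean up; it only reaches `return ret;`. The denial path therefore depends on `ret` having been initialised to a failure value, and that declaration is outside the hunk. The four sibling list/count entrypoints return directly, and the `virCheckFlags` call just above already fails with -1, so the simpler and self-evident form is `if (virConnectListAllNetworksEnsureACL(conn) < 0) return -1;` with the label dropped.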
 
@@ -2998,6 +3021,10 @@ static int networkIsActive(virNetworkPtr net)
         virReportError(VIR_ERR_NO_NETWORK, NULL);
         goto cleanup;
     }
+
+    if (virNetworkIsActiveEnsureACL(net->conn, obj->def) < 0)
+        goto cleanup;
+
     ret = virNetworkObjIsActive(obj);
 
 cleanup:
@@ -3019,6 +3046,10 @@ static int networkIsPersistent(virNetworkPtr net)
         virReportError(VIR_ERR_NO_NETWORK, NULL);
         goto cleanup;
     }
+
+    if (virNetworkIsPersistentEnsureACL(net->conn, obj->def) < 0)
+        goto cleanup;
+
     ret = obj->persistent;
 
 cleanup:
@@ -3186,6 +3217,9 @@ static virNetworkPtr networkCreateXML(virConnectPtr conn, const char *xml) {
     if (!(def = virNetworkDefParseString(xml)))
         goto cleanup;
 
+    if (virNetworkCreateXMLEnsureACL(conn, def) < 0)
+        goto cleanup;
+
     if (networkValidate(driver, def, true) < 0)
        goto cleanup;
 
@@ -3226,6 +3260,9 @@ static virNetworkPtr networkDefineXML(virConnectPtr conn, const char *xml) {
     if (!(def = virNetworkDefParseString(xml)))
         goto cleanup;
 
+    if (virNetworkDefineXMLEnsureACL(conn, def) < 0)
+        goto cleanup;
+
     if (networkValidate(driver, def, false) < 0)
        goto cleanup;
 
@@ -3284,6 +3321,9 @@ networkUndefine(virNetworkPtr net) {
         goto cleanup;
     }
 
+    if (virNetworkUndefineEnsureACL(net->conn, network->def) < 0)
+        goto cleanup;
+
     if (virNetworkObjIsActive(network))
         active = true;
 
@@ -3344,6 +3384,9 @@ networkUpdate(virNetworkPtr net,
         goto cleanup;
     }
 
+    if (virNetworkUpdateEnsureACL(net->conn, network->def, flags) < 0)
+        goto cleanup;
+
     /* see if we are listening for dhcp pre-modification */
     for (ii = 0;
          (ipdef = virNetworkDefGetIpByIndex(network->def, AF_INET, ii));
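Review bot: `flags` is passed to `virNetworkUpdateEnsureACL` exactly as the caller supplied it, and the hunk does not show whether it has been validated or whether a "current state" default has been resolved to live or persistent before this point. If the permission required differs between a live update and a persistent one, the check must either run after that resolution or handle the unresolved value explicitly. Otherwise the default case could be authorised under the weaker rule. A comment here would make the contract clear, for example `/* flags are checked as passed by the caller; the ACL rule must also cover the unresolved default */`. The function starts and ends outside the hunk.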
@@ -3479,6 +3522,9 @@ static int networkCreate(virNetworkPtr net) {
         goto cleanup;
     }
 
+    if (virNetworkCreateEnsureACL(net->conn, network->def) < 0)
+        goto cleanup;
+
     ret = networkStartNetwork(driver, network);
 
 cleanup:
@@ -3502,6 +3548,9 @@ static int networkDestroy(virNetworkPtr net) {
         goto cleanup;
     }
 
+    if (virNetworkDestroyEnsureACL(net->conn, network->def) < 0)
+        goto cleanup;
+
     if (!virNetworkObjIsActive(network)) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        "%s", _("network is not active"));
@@ -3547,6 +3596,9 @@ static char *networkGetXMLDesc(virNetworkPtr net,
         goto cleanup;
     }
 
+    if (virNetworkGetXMLDescEnsureACL(net->conn, network->def) < 0)
+        goto cleanup;
+
     if ((flags & VIR_NETWORK_XML_INACTIVE) && network->newDef)
         def = network->newDef;
     else
@@ -3575,6 +3627,9 @@ static char *networkGetBridgeName(virNetworkPtr net) {
         goto cleanup;
     }
 
+    if (virNetworkGetBridgeNameEnsureACL(net->conn, network->def) < 0)
+        goto cleanup;
+
     if (!(network->def->bridge)) {
         virReportError(VIR_ERR_INTERNAL_ERROR,
                        _("network '%s' does not have a bridge name."),
@@ -3605,6 +3660,9 @@ static int networkGetAutostart(virNetworkPtr net,
         goto cleanup;
     }
 
+    if (virNetworkGetAutostartEnsureACL(net->conn, network->def) < 0)
+        goto cleanup;
+
     *autostart = network->autostart;
     ret = 0;
 
@@ -3630,6 +3688,9 @@ static int networkSetAutostart(virNetworkPtr net,
         goto cleanup;
     }
 
+    if (virNetworkSetAutostartEnsureACL(net->conn, network->def) < 0)
+        goto cleanup;
+
     if (!network->persistent) {
         virReportError(VIR_ERR_OPERATION_INVALID,
                        "%s", _("cannot set autostart for transient network"));