Fix polkit permission names for storage pools, vols & node devices

The polkit access driver used the wrong permission names for checks
on storage pools, volumes and node devices. This led to them always
being denied access.

The 'dettach' permission was also mis-spelt and should have been
'detach'. While permission names are ABI sensitive, the fact that
the code used the wrong object name for checking node device
permissions, means that no one could have used the mis-spelt
'dettach' permission.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/access/viraccessdriverpolkit.c b/src/access/viraccessdriverpolkit.c
index 4c76e64ebb2ed5d5085521385d9fc38e6adb24be..b472bc3020481953d381cfb8da4488cb8a38cc2a 100644 (file)
--- a/src/access/viraccessdriverpolkit.c
+++ b/src/access/viraccessdriverpolkit.c
@@ -248,7 +248,7 @@ virAccessDriverPolkitCheckNodeDevice(virAccessManagerPtr manager,
     };
 
     return virAccessDriverPolkitCheck(manager,
-                                      "nodedevice",
+                                      "node-device",
                                       virAccessPermNodeDeviceTypeToString(perm),
                                       attrs);
 }
@@ -355,7 +355,7 @@ virAccessDriverPolkitCheckStoragePool(virAccessManagerPtr manager,
     virUUIDFormat(pool->uuid, uuidstr);
 
     return virAccessDriverPolkitCheck(manager,
-                                      "pool",
+                                      "storage-pool",
                                       virAccessPermStoragePoolTypeToString(perm),
                                       attrs);
 }
@@ -379,7 +379,7 @@ virAccessDriverPolkitCheckStorageVol(virAccessManagerPtr manager,
     virUUIDFormat(pool->uuid, uuidstr);
 
     return virAccessDriverPolkitCheck(manager,
-                                      "vol",
+                                      "storage-vol",
                                       virAccessPermStorageVolTypeToString(perm),
                                       attrs);
 }

diff --git a/src/access/viraccessperm.c b/src/access/viraccessperm.c
index 17f6243be7eac07172a438636cabfdb1688fe0c9..9c720f9e290c82bbfa34bd7ab91e34edf014a3a8 100644 (file)
--- a/src/access/viraccessperm.c
+++ b/src/access/viraccessperm.c
@@ -58,7 +58,7 @@ VIR_ENUM_IMPL(virAccessPermNodeDevice,
               VIR_ACCESS_PERM_NODE_DEVICE_LAST,
               "getattr", "read", "write",
               "start", "stop",
-              "dettach");
+              "detach");
 
 VIR_ENUM_IMPL(virAccessPermNWFilter,
               VIR_ACCESS_PERM_NWFILTER_LAST,

diff --git a/src/access/viraccessperm.h b/src/access/viraccessperm.h
index 2f76c95cee14495eb2739c2a8096e0a15614307a..fdc461b640c1dc1791fc8854dc6774a24f97ebbd 100644 (file)
--- a/src/access/viraccessperm.h
+++ b/src/access/viraccessperm.h
@@ -427,7 +427,7 @@ typedef enum {
      * @desc: Detach node device
      * @message: Detaching node device driver requires authorization
      */
-    VIR_ACCESS_PERM_NODE_DEVICE_DETTACH,
+    VIR_ACCESS_PERM_NODE_DEVICE_DETACH,
 
     VIR_ACCESS_PERM_NODE_DEVICE_LAST
 } virAccessPermNodeDevice;

diff --git a/src/remote/remote_protocol.x b/src/remote/remote_protocol.x
index a1c23da516498f97c49c8e303155bfd4f6d637e4..85ad9baef8be0aad1724333017c4b644e4e0618f 100644 (file)
--- a/src/remote/remote_protocol.x
+++ b/src/remote/remote_protocol.x
@@ -3696,19 +3696,19 @@ enum remote_procedure {
 
     /**
      * @generate: server
-     * @acl: node_device:dettach
+     * @acl: node_device:detach
      */
     REMOTE_PROC_NODE_DEVICE_DETTACH = 118,
 
     /**
      * @generate: server
-     * @acl: node_device:dettach
+     * @acl: node_device:detach
      */
     REMOTE_PROC_NODE_DEVICE_RE_ATTACH = 119,
 
     /**
      * @generate: server
-     * @acl: node_device:dettach
+     * @acl: node_device:detach
      */
     REMOTE_PROC_NODE_DEVICE_RESET = 120,
 
@@ -4929,7 +4929,7 @@ enum remote_procedure {
 
     /**
      * @generate: server
-     * @acl: node_device:dettach
+     * @acl: node_device:detach
      */
     REMOTE_PROC_NODE_DEVICE_DETACH_FLAGS = 301,