Ever since ACL filtering was added in commit
7639736 (v1.1.1), a
user could still use event registration to obtain access to a
domain that they could not normally access via virDomainLookup*
or virConnectListAllDomains and friends. We already have the
framework in the RPC generator for creating the filter, and
previous cleanup patches got us to the point that we can now
wire the filter through the entire object event stack.
Furthermore, whether or not domain:getattr is honored, use of
global events is a form of obtaining a list of networks, which
is covered by connect:search_domains added in
a93cd08 (v1.1.0).
Ideally, we'd have a way to enforce connect:search_domains when
doing global registrations while omitting that check on a
per-domain registration. But this patch just unconditionally
requires connect:search_domains, even when no list could be
obtained, based on the following observations:
1. Administrators are unlikely to grant domain:getattr for one
or all domains while still denying connect:search_domains - a
user that is able to manage domains will want to be able to
manage them efficiently, but efficient management includes being
able to list the domains they can access. The idea of denying
connect:search_domains while still granting access to individual
domains is therefore not adding any real security, but just
serves as a layer of obscurity to annoy the end user.
2. In the current implementation, domain events are filtered
on the client; the server has no idea if a domain filter was
requested, and must therefore assume that all domain event
requests are global. Even if we fix the RPC protocol to
allow for server-side filtering for newer client/server combos,
making the connect:serach_domains ACL check conditional on
whether the domain argument was NULL won't benefit older clients.
Therefore, we choose to document that connect:search_domains
is a pre-requisite to any domain event management.
Network events need the same treatment, with the obvious
change of using connect:search_networks and network:getattr.
* src/access/viraccessperm.h
(VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS)
(VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS): Document additional
effect of the permission.
* src/conf/domain_event.h (virDomainEventStateRegister)
(virDomainEventStateRegisterID): Add new parameter.
* src/conf/network_event.h (virNetworkEventStateRegisterID):
Likewise.
* src/conf/object_event_private.h (virObjectEventStateRegisterID):
Likewise.
* src/conf/object_event.c (_virObjectEventCallback): Track a filter.
(virObjectEventDispatchMatchCallback): Use filter.
(virObjectEventCallbackListAddID): Register filter.
* src/conf/domain_event.c (virDomainEventFilter): New function.
(virDomainEventStateRegister, virDomainEventStateRegisterID):
Adjust callers.
* src/conf/network_event.c (virNetworkEventFilter): New function.
(virNetworkEventStateRegisterID): Adjust caller.
* src/remote/remote_protocol.x
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER)
(REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY)
(REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY): Generate a
filter, and require connect:search_domains instead of weaker
connect:read.
* src/test/test_driver.c (testConnectDomainEventRegister)
(testConnectDomainEventRegisterAny)
(testConnectNetworkEventRegisterAny): Update callers.
* src/remote/remote_driver.c (remoteConnectDomainEventRegister)
(remoteConnectDomainEventRegisterAny): Likewise.
* src/xen/xen_driver.c (xenUnifiedConnectDomainEventRegister)
(xenUnifiedConnectDomainEventRegisterAny): Likewise.
* src/vbox/vbox_tmpl.c (vboxDomainGetXMLDesc): Likewise.
* src/libxl/libxl_driver.c (libxlConnectDomainEventRegister)
(libxlConnectDomainEventRegisterAny): Likewise.
* src/qemu/qemu_driver.c (qemuConnectDomainEventRegister)
(qemuConnectDomainEventRegisterAny): Likewise.
* src/uml/uml_driver.c (umlConnectDomainEventRegister)
(umlConnectDomainEventRegisterAny): Likewise.
* src/network/bridge_driver.c
(networkConnectNetworkEventRegisterAny): Likewise.
* src/lxc/lxc_driver.c (lxcConnectDomainEventRegister)
(lxcConnectDomainEventRegisterAny): Likewise.
Signed-off-by: Eric Blake <eblake@redhat.com>
/*
* viraccessperm.h: access control permissions
*
- * Copyright (C) 2012-2013 Red Hat, Inc.
+ * Copyright (C) 2012-2014 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
/**
* @desc: List domains
- * @message: Listing domains requires authorization
+ * @message: Listing domains or using domain events requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_DOMAINS,
/**
* @desc: List networks
- * @message: Listing networks requires authorization
+ * @message: Listing networks or using network events requires authorization
* @anonymous: 1
*/
VIR_ACCESS_PERM_CONNECT_SEARCH_NETWORKS,
}
+/**
+ * virDomainEventFilter:
+ * @conn: pointer to the connection
+ * @event: the event to check
+ * @opaque: opaque data holding ACL filter to use
+ *
+ * Internal function to run ACL filtering before dispatching an event
+ */
+static bool
+virDomainEventFilter(virConnectPtr conn, virObjectEventPtr event, void *opaque)
+{
+ virDomainDef dom;
+ virDomainObjListFilter filter = opaque;
+
+ /* For now, we just create a virDomainDef with enough contents to
+ * satisfy what viraccessdriverpolkit.c references. This is a bit
+ * fragile, but I don't know of anything better. */
+ dom.name = event->meta.name;
+ memcpy(dom.uuid, event->meta.uuid, VIR_UUID_BUFLEN);
+
+ return (filter)(conn, &dom);
+}
+
+
static void *
virDomainEventNew(virClassPtr klass,
int eventID,
* virDomainEventStateRegister:
* @conn: connection to associate with callback
* @state: object event state
+ * @filter: optional ACL filter to limit which events can be sent
* @callback: the callback to add
* @opaque: data blob to pass to @callback
* @freecb: callback to free @opaque
int
virDomainEventStateRegister(virConnectPtr conn,
virObjectEventStatePtr state,
+ virDomainObjListFilter filter,
virConnectDomainEventCallback callback,
void *opaque,
virFreeCallback freecb)
return -1;
return virObjectEventStateRegisterID(conn, state, NULL,
- virDomainEventClass,
+ filter ? virDomainEventFilter : NULL,
+ filter, virDomainEventClass,
VIR_DOMAIN_EVENT_ID_LIFECYCLE,
VIR_OBJECT_EVENT_CALLBACK(callback),
opaque, freecb, NULL, false);
* virDomainEventStateRegisterID:
* @conn: connection to associate with callback
* @state: object event state
+ * @filter: optional ACL filter to limit which events can be sent
* @dom: optional domain for filtering the event
* @eventID: ID of the event type to register for
* @cb: function to invoke when event fires
int
virDomainEventStateRegisterID(virConnectPtr conn,
virObjectEventStatePtr state,
+ virDomainObjListFilter filter,
virDomainPtr dom,
int eventID,
virConnectDomainEventGenericCallback cb,
return -1;
return virObjectEventStateRegisterID(conn, state, dom ? dom->uuid : NULL,
- virDomainEventClass, eventID,
+ filter ? virDomainEventFilter : NULL,
+ filter, virDomainEventClass, eventID,
VIR_OBJECT_EVENT_CALLBACK(cb),
opaque, freecb, callbackID, false);
}
/*
* domain_event.h: domain event queue processing helpers
*
- * Copyright (C) 2012 Red Hat, Inc.
+ * Copyright (C) 2012-2014 Red Hat, Inc.
* Copyright (C) 2008 VirtualIron
* Copyright (C) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
*
int
virDomainEventStateRegister(virConnectPtr conn,
virObjectEventStatePtr state,
+ virDomainObjListFilter filter,
virConnectDomainEventCallback callback,
void *opaque,
virFreeCallback freecb)
- ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(3);
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(4);
+
int
virDomainEventStateRegisterID(virConnectPtr conn,
virObjectEventStatePtr state,
+ virDomainObjListFilter filter,
virDomainPtr dom,
int eventID,
virConnectDomainEventGenericCallback cb,
void *opaque,
virFreeCallback freecb,
int *callbackID)
- ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5);
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(6);
+
int
virDomainEventStateDeregister(virConnectPtr conn,
virObjectEventStatePtr state,
}
+/**
+ * virNetworkEventFilter:
+ * @conn: pointer to the connection
+ * @event: the event to check
+ * @opaque: opaque data holding ACL filter to use
+ *
+ * Internal function to run ACL filtering before dispatching an event
+ */
+static bool
+virNetworkEventFilter(virConnectPtr conn, virObjectEventPtr event,
+ void *opaque)
+{
+ virNetworkDef net;
+ virNetworkObjListFilter filter = opaque;
+
+ /* For now, we just create a virNetworkDef with enough contents to
+ * satisfy what viraccessdriverpolkit.c references. This is a bit
+ * fragile, but I don't know of anything better. */
+ net.name = event->meta.name;
+ memcpy(net.uuid, event->meta.uuid, VIR_UUID_BUFLEN);
+
+ return (filter)(conn, &net);
+}
+
+
/**
* virNetworkEventStateRegisterID:
* @conn: connection to associate with callback
* @state: object event state
+ * @filter: optional ACL filter to limit which events can be sent
* @net: network to filter on or NULL for all networks
* @eventID: ID of the event type to register for
* @cb: function to invoke when event occurs
int
virNetworkEventStateRegisterID(virConnectPtr conn,
virObjectEventStatePtr state,
+ virNetworkObjListFilter filter,
virNetworkPtr net,
int eventID,
virConnectNetworkEventGenericCallback cb,
return -1;
return virObjectEventStateRegisterID(conn, state, net ? net->uuid : NULL,
- virNetworkEventClass, eventID,
+ filter ? virNetworkEventFilter : NULL,
+ filter, virNetworkEventClass, eventID,
VIR_OBJECT_EVENT_CALLBACK(cb),
opaque, freecb, callbackID, false);
}
return -1;
return virObjectEventStateRegisterID(conn, state, net ? net->uuid : NULL,
+ NULL, NULL,
virNetworkEventClass, eventID,
VIR_OBJECT_EVENT_CALLBACK(cb),
opaque, freecb, callbackID, true);
#include "internal.h"
#include "object_event.h"
#include "object_event_private.h"
+#include "network_conf.h"
#ifndef __NETWORK_EVENT_H__
# define __NETWORK_EVENT_H__
int
virNetworkEventStateRegisterID(virConnectPtr conn,
virObjectEventStatePtr state,
+ virNetworkObjListFilter filter,
virNetworkPtr net,
int eventID,
virConnectNetworkEventGenericCallback cb,
void *opaque,
virFreeCallback freecb,
int *callbackID)
- ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(5)
- ATTRIBUTE_NONNULL(8);
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(6)
+ ATTRIBUTE_NONNULL(9);
int
virNetworkEventStateRegisterClient(virConnectPtr conn,
int remoteID;
bool uuid_filter;
unsigned char uuid[VIR_UUID_BUFLEN];
+ virObjectEventCallbackFilter filter;
+ void *filter_opaque;
virConnectObjectEventGenericCallback cb;
void *opaque;
virFreeCallback freecb;
* virObjectEventCallbackListAddID:
* @conn: pointer to the connection
* @cbList: the list
- * @uuid: the uuid of the object to filter on
+ * @uuid: the optional uuid of the object to filter on
+ * @filter: optional last-ditch filter callback
+ * @filter_opaque: opaque data to pass to @filter
* @klass: the base event class
* @eventID: the event ID
* @callback: the callback to add
virObjectEventCallbackListAddID(virConnectPtr conn,
virObjectEventCallbackListPtr cbList,
unsigned char uuid[VIR_UUID_BUFLEN],
+ virObjectEventCallbackFilter filter,
+ void *filter_opaque,
virClassPtr klass,
int eventID,
virConnectObjectEventGenericCallback callback,
int ret = -1;
int remoteID = -1;
- VIR_DEBUG("conn=%p cblist=%p uuid=%p "
+ VIR_DEBUG("conn=%p cblist=%p uuid=%p filter=%p filter_opaque=%p "
"klass=%p eventID=%d callback=%p opaque=%p",
- conn, cbList, uuid, klass, eventID, callback, opaque);
+ conn, cbList, uuid, filter, filter_opaque,
+ klass, eventID, callback, opaque);
/* Check incoming */
if (!cbList) {
event->uuid_filter = true;
memcpy(event->uuid, uuid, VIR_UUID_BUFLEN);
}
+ event->filter = filter;
+ event->filter_opaque = filter_opaque;
if (callbackID)
*callbackID = event->callbackID;
if (cb->remoteID != event->remoteID)
return false;
+ if (cb->filter && !(cb->filter)(cb->conn, event, cb->filter_opaque))
+ return false;
+
if (cb->uuid_filter) {
/* Deliberately ignoring 'id' for matching, since that
* will cause problems when a domain switches between
virObjectEventStateRegisterID(virConnectPtr conn,
virObjectEventStatePtr state,
unsigned char *uuid,
+ virObjectEventCallbackFilter filter,
+ void *filter_opaque,
virClassPtr klass,
int eventID,
virConnectObjectEventGenericCallback cb,
}
ret = virObjectEventCallbackListAddID(conn, state->callbacks,
- uuid, klass, eventID,
+ uuid, filter, filter_opaque,
+ klass, eventID,
cb, opaque, freecb,
callbackID, serverFilter);
virObjectEventDispatchFunc dispatch;
};
+/**
+ * virObjectEventCallbackFilter:
+ * @conn: the connection pointer
+ * @event: the event about to be dispatched
+ * @opaque: opaque data registered with the filter
+ *
+ * Callback to do final filtering for a reason not tracked directly by
+ * virObjectEventStateRegisterID(). Return false if @event must not
+ * be sent to @conn.
+ */
+typedef bool (*virObjectEventCallbackFilter)(virConnectPtr conn,
+ virObjectEventPtr event,
+ void *opaque);
+
virClassPtr
virClassForObjectEvent(void);
virObjectEventStateRegisterID(virConnectPtr conn,
virObjectEventStatePtr state,
unsigned char *uuid,
+ virObjectEventCallbackFilter filter,
+ void *filter_opaque,
virClassPtr klass,
int eventID,
virConnectObjectEventGenericCallback cb,
virFreeCallback freecb,
int *callbackID,
bool remoteFilter)
- ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(4)
- ATTRIBUTE_NONNULL(6);
+ ATTRIBUTE_NONNULL(1) ATTRIBUTE_NONNULL(2) ATTRIBUTE_NONNULL(6)
+ ATTRIBUTE_NONNULL(8);
int
virObjectEventStateCallbackID(virConnectPtr conn,
if (virDomainEventStateRegister(conn,
driver->domainEventState,
+ virConnectDomainEventRegisterCheckACL,
callback, opaque, freecb) < 0)
return -1;
if (virDomainEventStateRegisterID(conn,
driver->domainEventState,
+ virConnectDomainEventRegisterAnyCheckACL,
dom, eventID, callback, opaque,
freecb, &ret) < 0)
ret = -1;
if (virDomainEventStateRegister(conn,
driver->domainEventState,
+ virConnectDomainEventRegisterCheckACL,
callback, opaque, freecb) < 0)
return -1;
if (virDomainEventStateRegisterID(conn,
driver->domainEventState,
+ virConnectDomainEventRegisterAnyCheckACL,
dom, eventID,
callback, opaque, freecb, &ret) < 0)
ret = -1;
goto cleanup;
if (virNetworkEventStateRegisterID(conn, driver->networkEventState,
+ virConnectNetworkEventRegisterAnyCheckACL,
net, eventID, callback,
opaque, freecb, &ret) < 0)
ret = -1;
if (virDomainEventStateRegister(conn,
driver->domainEventState,
+ virConnectDomainEventRegisterCheckACL,
callback, opaque, freecb) < 0)
goto cleanup;
if (virDomainEventStateRegisterID(conn,
driver->domainEventState,
+ virConnectDomainEventRegisterAnyCheckACL,
dom, eventID,
callback, opaque, freecb, &ret) < 0)
ret = -1;
remoteDriverLock(priv);
- if ((count = virDomainEventStateRegister(conn, priv->eventState,
+ if ((count = virDomainEventStateRegister(conn, priv->eventState, NULL,
callback, opaque, freecb)) < 0)
goto done;
remoteDriverLock(priv);
- if ((count = virDomainEventStateRegisterID(conn, priv->eventState,
+ if ((count = virDomainEventStateRegisterID(conn, priv->eventState, NULL,
dom, eventID,
callback, opaque, freecb,
&callbackID)) < 0)
/*
* Events Register/Deregister:
- * It would seem rpcgen does not like both args, and ret
+ * It would seem rpcgen does not like both args and ret
* to be null. It will not generate the prototype otherwise.
* Pass back a redundant boolean to force prototype generation.
*/
/**
* @generate: none
* @priority: high
- * @acl: connect:read
+ * @acl: connect:search_domains
+ * @aclfilter: domain:getattr
*/
REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER = 105,
/**
* @generate: none
* @priority: high
- * @acl: connect:read
+ * @acl: connect:search_domains
+ * @aclfilter: domain:getattr
*/
REMOTE_PROC_CONNECT_DOMAIN_EVENT_REGISTER_ANY = 167,
/**
* @generate: none
* @priority: high
- * @acl: connect:read
+ * @acl: connect:search_networks
+ * @aclfilter: network:getattr
*/
REMOTE_PROC_CONNECT_NETWORK_EVENT_REGISTER_ANY = 313,
int ret = 0;
testDriverLock(driver);
- if (virDomainEventStateRegister(conn, driver->eventState,
+ if (virDomainEventStateRegister(conn, driver->eventState, NULL,
callback, opaque, freecb) < 0)
ret = -1;
testDriverUnlock(driver);
int ret;
testDriverLock(driver);
- if (virDomainEventStateRegisterID(conn, driver->eventState,
+ if (virDomainEventStateRegisterID(conn, driver->eventState, NULL,
dom, eventID,
callback, opaque, freecb, &ret) < 0)
ret = -1;
int ret;
testDriverLock(driver);
- if (virNetworkEventStateRegisterID(conn, driver->eventState,
+ if (virNetworkEventStateRegisterID(conn, driver->eventState, NULL,
net, eventID, callback,
opaque, freecb, &ret) < 0)
ret = -1;
umlDriverLock(driver);
if (virDomainEventStateRegister(conn,
driver->domainEventState,
+ virConnectDomainEventRegisterCheckACL,
callback, opaque, freecb) < 0)
ret = -1;
umlDriverUnlock(driver);
umlDriverLock(driver);
if (virDomainEventStateRegisterID(conn,
driver->domainEventState,
+ virConnectDomainEventRegisterAnyCheckACL,
dom, eventID,
callback, opaque, freecb, &ret) < 0)
ret = -1;
* later you can iterate over them
*/
- ret = virDomainEventStateRegister(conn, data->domainEvents,
+ ret = virDomainEventStateRegister(conn, data->domainEvents, NULL,
callback, opaque, freecb);
VIR_DEBUG("virObjectEventStateRegister (ret = %d) (conn: %p, "
"callback: %p, opaque: %p, "
* later you can iterate over them
*/
- if (virDomainEventStateRegisterID(conn, data->domainEvents,
+ if (virDomainEventStateRegisterID(conn, data->domainEvents, NULL,
dom, eventID,
callback, opaque, freecb, &ret) < 0)
ret = -1;
}
if (virDomainEventStateRegister(conn, priv->domainEvents,
+ virConnectDomainEventRegisterCheckACL,
callback, opaque, freefunc) < 0)
ret = -1;
}
if (virDomainEventStateRegisterID(conn, priv->domainEvents,
+ virConnectDomainEventRegisterAnyCheckACL,
dom, eventID,
callback, opaque, freefunc, &ret) < 0)
ret = -1;
projects / libvirt.git / commitdiff