diff options
author | Daniel P. Berrangé <berrange@redhat.com> | 2019-07-24 12:38:21 +0100 |
---|---|---|
committer | Daniel P. Berrangé <berrange@redhat.com> | 2019-09-16 11:25:01 +0100 |
commit | 305cdc37f0f38a79e541194648e1513d3158a23d (patch) | |
tree | 4623be7621e064a994b934eeaa4e9c782799440c /src/libvirt-host.c | |
parent | 87c8e7dbf539ae170f1f425c955218339c5b72c3 (diff) | |
download | libvirt-305cdc37f0f38a79e541194648e1513d3158a23d.tar.gz |
api: introduce virConnectSetIdentity for passing uid, gid, selinux info
When using the fine grained access control mechanism for APIs, when a
client connects to libvirtd, the latter will fetch the uid, gid, selinux
info of the remote client on the UNIX domain socket. This is then used
as the identity when checking ACLs.
With the new split daemons things are a bit more complicated. The user
can connect to virtproxyd, which in turn connects to virtqemud. When
virtqemud requests the identity over the UNIX domain socket, it will
get the identity that virtproxyd is running as, not the identity of
the real end user/application.
virproxyd knows what the real identity is, and needs to be able to
forward this information to virtqemud. The virConnectSetIdentity API
provides a mechanism for doing this. Obviously virtqemud should not
accept such identity overrides from any client, it must only honour it
from a trusted client, aka one running as the same uid/gid as itself.
The typed parameters exposed in the API are the same as those currently
supported by the internal virIdentity class, with a few small name
changes.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Diffstat (limited to 'src/libvirt-host.c')
-rw-r--r-- | src/libvirt-host.c | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/src/libvirt-host.c b/src/libvirt-host.c index e5c4e5f72a..d7b1b82277 100644 --- a/src/libvirt-host.c +++ b/src/libvirt-host.c @@ -61,6 +61,57 @@ virConnectRef(virConnectPtr conn) } +/** + * virConnectSetIdentity: + * @conn: pointer to the hypervisor connection + * @params: parameters containing the identity attributes + * @nparams: size of @params array + * @flags: currently unused, pass 0 + * + * Override the default identity information associated with + * the connection. When connecting to a stateful driver over + * a UNIX socket, the daemon will interrogate the remote end + * of the UNIX socket to acquire the application's identity. + * This identity is used for the fine grained access control + * checks on API calls. + * + * There may be times when application is operating on behalf + * of a variety of users, and thus the identity that the + * application runs as is not appropriate for access control + * checks. In this case, if the application is considered + * trustworthy, it can supply alternative identity information. + * + * The driver may reject the request to change the identity + * on a connection if the application is not trustworthy. + * + * Returns: 0 if the identity change was accepted, -1 on error + */ +int +virConnectSetIdentity(virConnectPtr conn, + virTypedParameterPtr params, + int nparams, + unsigned int flags) +{ + VIR_DEBUG("conn=%p params=%p nparams=%d flags=0x%x", conn, params, nparams, flags); + VIR_TYPED_PARAMS_DEBUG(params, nparams); + + virResetLastError(); + + if (conn->driver->connectSetIdentity) { + int ret = conn->driver->connectSetIdentity(conn, params, nparams, flags); + if (ret < 0) + goto error; + return ret; + } + + virReportUnsupportedError(); + + error: + virDispatchError(conn); + return -1; +} + + /* * Not for public use. This function is part of the internal * implementation of driver features in the remote case. |