Add access control filtering of network objects

Ensure that all APIs which list network objects filter them against the access control system. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2025-03-20 06:50:22 +03:00 · 2013-06-26 16:42:27 +01:00 · 2013-06-26 16:42:27 +01:00 · bbaa4e1cba
commit bbaa4e1cba
parent 4d39952ebe
6 changed files with 46 additions and 29 deletions
--- a/src/conf/network_conf.c
+++ b/src/conf/network_conf.c
@ -4289,10 +4289,11 @@ virNetworkMatch(virNetworkObjPtr netobj,
 #undef MATCH

 int
-virNetworkList(virConnectPtr conn,
-               virNetworkObjList netobjs,
-               virNetworkPtr **nets,
-               unsigned int flags)
+virNetworkObjListExport(virConnectPtr conn,
+                        virNetworkObjList netobjs,
+                        virNetworkPtr **nets,
+                        virNetworkObjListFilter filter,
+                        unsigned int flags)
 {
    virNetworkPtr *tmp_nets = NULL;
    virNetworkPtr net = NULL;
@ -4310,7 +4311,8 @@ virNetworkList(virConnectPtr conn,
    for (i = 0; i < netobjs.count; i++) {
        virNetworkObjPtr netobj = netobjs.objs[i];
        virNetworkObjLock(netobj);
-        if (virNetworkMatch(netobj, flags)) {
+        if ((!filter || filter(conn, netobj->def)) &&
+            virNetworkMatch(netobj, flags)) {
            if (nets) {
                if (!(net = virGetNetwork(conn,
                                          netobj->def->name,
--- a/src/conf/network_conf.h
+++ b/src/conf/network_conf.h
@ -296,6 +296,10 @@ void virNetworkDefFree(virNetworkDefPtr def);
 void virNetworkObjFree(virNetworkObjPtr net);
 void virNetworkObjListFree(virNetworkObjListPtr vms);

+
+typedef bool (*virNetworkObjListFilter)(virConnectPtr conn,
+                                        virNetworkDefPtr def);
+
 virNetworkObjPtr virNetworkAssignDef(virNetworkObjListPtr nets,
                                     const virNetworkDefPtr def,
                                     bool live);
@ -417,9 +421,10 @@ VIR_ENUM_DECL(virNetworkForward)
                 VIR_CONNECT_LIST_NETWORKS_FILTERS_PERSISTENT | \
                 VIR_CONNECT_LIST_NETWORKS_FILTERS_AUTOSTART)

-int virNetworkList(virConnectPtr conn,
-                   virNetworkObjList netobjs,
-                   virNetworkPtr **nets,
-                   unsigned int flags);
+int virNetworkObjListExport(virConnectPtr conn,
+                            virNetworkObjList netobjs,
+                            virNetworkPtr **nets,
+                            virNetworkObjListFilter filter,
+                            unsigned int flags);

 #endif /* __NETWORK_CONF_H__ */
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@ -495,13 +495,13 @@ virNetworkFindByUUID;
 virNetworkForwardTypeToString;
 virNetworkIpDefNetmask;
 virNetworkIpDefPrefix;
-virNetworkList;
 virNetworkLoadAllConfigs;
 virNetworkLoadAllState;
 virNetworkObjAssignDef;
 virNetworkObjFree;
 virNetworkObjGetPersistentDef;
 virNetworkObjIsDuplicate;
+virNetworkObjListExport;
 virNetworkObjListFree;
 virNetworkObjLock;
 virNetworkObjReplacePersistentDef;
--- a/src/network/bridge_driver.c
+++ b/src/network/bridge_driver.c
@ -2844,10 +2844,12 @@ static int networkConnectNumOfNetworks(virConnectPtr conn) {

    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (virNetworkObjIsActive(driver->networks.objs[i]))
+        virNetworkObjPtr obj = driver->networks.objs[i];
+        virNetworkObjLock(obj);
+        if (virConnectNumOfNetworksCheckACL(conn, obj->def) &&
+            virNetworkObjIsActive(obj))
            nactive++;
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
    }
    networkDriverUnlock(driver);

@ -2863,15 +2865,17 @@ static int networkConnectListNetworks(virConnectPtr conn, char **const names, in

    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count && got < nnames; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (virNetworkObjIsActive(driver->networks.objs[i])) {
-            if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) < 0) {
-                virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjPtr obj = driver->networks.objs[i];
+        virNetworkObjLock(obj);
+        if (virConnectListNetworksCheckACL(conn, obj->def) &&
+            virNetworkObjIsActive(obj)) {
+            if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+                virNetworkObjUnlock(obj);
                goto cleanup;
            }
            got++;
        }
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
    }
    networkDriverUnlock(driver);

@ -2893,10 +2897,12 @@ static int networkConnectNumOfDefinedNetworks(virConnectPtr conn) {

    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (!virNetworkObjIsActive(driver->networks.objs[i]))
+        virNetworkObjPtr obj = driver->networks.objs[i];
+        virNetworkObjLock(obj);
+        if (virConnectNumOfDefinedNetworksCheckACL(conn, obj->def) &&
+            !virNetworkObjIsActive(obj))
            ninactive++;
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
    }
    networkDriverUnlock(driver);

@ -2912,15 +2918,17 @@ static int networkConnectListDefinedNetworks(virConnectPtr conn, char **const na

    networkDriverLock(driver);
    for (i = 0; i < driver->networks.count && got < nnames; i++) {
-        virNetworkObjLock(driver->networks.objs[i]);
-        if (!virNetworkObjIsActive(driver->networks.objs[i])) {
-            if (VIR_STRDUP(names[got], driver->networks.objs[i]->def->name) < 0) {
-                virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjPtr obj = driver->networks.objs[i];
+        virNetworkObjLock(obj);
+        if (virConnectListDefinedNetworksCheckACL(conn, obj->def) &&
+            !virNetworkObjIsActive(obj)) {
+            if (VIR_STRDUP(names[got], obj->def->name) < 0) {
+                virNetworkObjUnlock(obj);
                goto cleanup;
            }
            got++;
        }
-        virNetworkObjUnlock(driver->networks.objs[i]);
+        virNetworkObjUnlock(obj);
    }
    networkDriverUnlock(driver);
    return got;
@ -2946,7 +2954,9 @@ networkConnectListAllNetworks(virConnectPtr conn,
        goto cleanup;

    networkDriverLock(driver);
-    ret = virNetworkList(conn, driver->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, driver->networks, nets,
+                                  virConnectListAllNetworksCheckACL,
+                                  flags);
    networkDriverUnlock(driver);

 cleanup:
--- a/src/parallels/parallels_network.c
+++ b/src/parallels/parallels_network.c
@ -463,7 +463,7 @@ static int parallelsConnectListAllNetworks(virConnectPtr conn,
    virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);

    parallelsDriverLock(privconn);
-    ret = virNetworkList(conn, privconn->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
    parallelsDriverUnlock(privconn);

    return ret;
--- a/src/test/test_driver.c
+++ b/src/test/test_driver.c
@ -3092,7 +3092,7 @@ testConnectListAllNetworks(virConnectPtr conn,
    virCheckFlags(VIR_CONNECT_LIST_NETWORKS_FILTERS_ALL, -1);

    testDriverLock(privconn);
-    ret = virNetworkList(conn, privconn->networks, nets, flags);
+    ret = virNetworkObjListExport(conn, privconn->networks, nets, NULL, flags);
    testDriverUnlock(privconn);

    return ret;