From c7d644f205a64175961218c82f764cdd10766bff Mon Sep 17 00:00:00 2001
Message-Id: <c7d644f205a64175961218c82f764cdd10766bff@dist-git>
From: John Ferlan <jferlan@redhat.com>
Date: Wed, 3 Apr 2019 07:22:20 -0400
Subject: [PATCH] access: Modify the VIR_ERR_ACCESS_DENIED to include
 driverName
https://bugzilla.redhat.com/show_bug.cgi?id=1631606
Changes made to manage and utilize a secondary connection
driver to APIs outside the scope of the primary connection
driver have resulted in some confusion processing polkit rules
since the simple "access denied" error message doesn't provide
enough of a clue when combined with the "authentication failed:
access denied by policy" as to which connection driver refused
or failed the ACL check.
In order to provide some context, let's modify the existing
"access denied" error returned from the various vir*EnsureACL
APIs to provide the connection driver name that is causing
the failure. This should provide the context for writing the
polkit rules that would allow access via the driver, but yet
still adhere to the virAccessManagerSanitizeError commentary
regarding not telling the user why access was denied.
Signed-off-by: John Ferlan <jferlan@redhat.com>
(cherry picked from commit 605496be609e153526fcdd3e98df8cf5244bc8fa)
Message-Id: <20190403112220.23881-1-jferlan@redhat.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>
---
 src/access/viraccessmanager.c | 26 ++++++++++++++------------
 src/rpc/gendispatch.pl        |  3 ++-
 2 files changed, 16 insertions(+), 13 deletions(-)
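--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -196,11 +196,13 @@ static void virAccessManagerDispose(void *object)
  * should the admin need to debug things
  */
 static int
-virAccessManagerSanitizeError(int ret)
+virAccessManagerSanitizeError(int ret,
+                              const char *driverName)
 {
     if (ret < 0) {
         virResetLastError();
-        virAccessError(VIR_ERR_ACCESS_DENIED, NULL);
+        virAccessError(VIR_ERR_ACCESS_DENIED,
+                       _("'%s' denied access"), driverName);
     }
 
     return ret;
@@ -217,7 +219,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr manager,
     if (manager->drv->checkConnect)
         ret = manager->drv->checkConnect(manager, driverName, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 
@@ -233,7 +235,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr manager,
     if (manager->drv->checkDomain)
         ret = manager->drv->checkDomain(manager, driverName, domain, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckInterface(virAccessManagerPtr manager,
@@ -248,7 +250,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr manager,
     if (manager->drv->checkInterface)
         ret = manager->drv->checkInterface(manager, driverName, iface, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
@@ -263,7 +265,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
     if (manager->drv->checkNetwork)
         ret = manager->drv->checkNetwork(manager, driverName, network, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
@@ -278,7 +280,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
     if (manager->drv->checkNodeDevice)
         ret = manager->drv->checkNodeDevice(manager, driverName, nodedev, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
@@ -293,7 +295,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
     if (manager->drv->checkNWFilter)
         ret = manager->drv->checkNWFilter(manager, driverName, nwfilter, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
@@ -308,7 +310,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
     if (manager->drv->checkNWFilterBinding)
         ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
@@ -323,7 +325,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr manager,
     if (manager->drv->checkSecret)
         ret = manager->drv->checkSecret(manager, driverName, secret, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
@@ -338,7 +340,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
     if (manager->drv->checkStoragePool)
         ret = manager->drv->checkStoragePool(manager, driverName, pool, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
@@ -354,5 +356,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
     if (manager->drv->checkStorageVol)
         ret = manager->drv->checkStorageVol(manager, driverName, pool, vol, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }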
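Review bot: `driverName` is passed straight to the `%s` in the new virAccessError() call in virAccessManagerSanitizeError() with no NULL guard, and none of the virAccessManagerCheck* hunks show one either; whether a caller can pass NULL is not visible from these hunks. Writing the argument as `_("'%s' denied access"), NULLSTR(driverName));` keeps the denial path well defined whatever the caller supplies. The comment above the function (only its last lines are in the hunk) explains that the reason for a denial is hidden from the user, so it should also record that the driver name is the one detail deliberately exposed, for example `* Only the connection driver name is reported; never add the policy result or reason.`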
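--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2199,7 +2199,8 @@ elsif ($mode eq "client") {
                     print "        virObjectUnref(mgr);\n";
                     if ($action eq "Ensure") {
                         print "        if (rv == 0)\n";
-                        print "            virReportError(VIR_ERR_ACCESS_DENIED, NULL);\n";
+                        print "            virReportError(VIR_ERR_ACCESS_DENIED,\n";
+                        print"                            _(\"'%s' denied access\"), conn->driver->name);\n";
                         print "        return $fail;\n";
                     } else {
                         print "        virResetLastError();\n";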
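Review bot: The second added line is written `print"                            _(...` with no space after `print`, unlike every other `print "` statement in this hunk; it is valid Perl but should read `print "                            _(\"'%s' denied access\"), conn->driver->name);\n";` for consistency. The generated C now dereferences `conn->driver->name` on the `rv == 0` path; the earlier part of the generated function lies outside the hunk, so it is only presumed that `conn->driver` has already been used by that point. The message literal duplicates the one added in src/access/viraccessmanager.c, so a short Perl comment such as `# keep in sync with virAccessManagerSanitizeError()` above the two prints would stop the sanitized wording from drifting between the two denial paths.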
-- 
2.21.0