From 85750b0466aa3719d3d2447abaab2e87db92f552 Mon Sep 17 00:00:00 2001
Message-Id: <85750b0466aa3719d3d2447abaab2e87db92f552@dist-git>
From: John Ferlan <jferlan@redhat.com>
Date: Mon, 5 Nov 2018 07:48:37 -0500
Subject: [PATCH] access: Modify the VIR_ERR_ACCESS_DENIED to include
driverName
https://bugzilla.redhat.com/show_bug.cgi?id=1631608 (RHEL 8.0)
https://bugzilla.redhat.com/show_bug.cgi?id=1631606 (RHEL 7.7)
Changes made to manage and utilize a secondary connection
driver to APIs outside the scope of the primary connection
driver have resulted in some confusion processing polkit rules
since the simple "access denied" error message doesn't provide
enough of a clue when combined with the "authentication failed:
access denied by policy" as to which connection driver refused
or failed the ACL check.
In order to provide some context, let's modify the existing
"access denied" error returned from the various vir*EnsureACL
API's to provide the connection driver name that is causing
the failure. This should provide the context for writing the
polkit rules that would allow access via the driver.
Signed-off-by: John Ferlan <jferlan@redhat.com>
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
(cherry picked from commit ccc72d5cbdd85f66cb737134b3be40aac1df03ef)
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
---
src/access/viraccessmanager.c | 25 +++++++++++++------------
src/rpc/gendispatch.pl | 2 +-
src/util/virerror.c | 4 ++--
3 files changed, 16 insertions(+), 15 deletions(-)
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
|
|
|
edecca |
index e7b5bf38da..1dfff32b9d 100644
|
|
|
edecca |
--- a/src/access/viraccessmanager.c
|
|
|
edecca |
+++ b/src/access/viraccessmanager.c
|
|
|
edecca |
@@ -196,11 +196,12 @@ static void virAccessManagerDispose(void *object)
|
|
|
edecca |
* should the admin need to debug things
|
|
|
edecca |
*/
|
|
|
edecca |
static int
|
|
|
edecca |
-virAccessManagerSanitizeError(int ret)
|
|
|
edecca |
+virAccessManagerSanitizeError(int ret,
|
|
|
edecca |
+ const char *driverName)
|
|
|
edecca |
{
|
|
|
edecca |
if (ret < 0) {
|
|
|
edecca |
virResetLastError();
|
|
|
edecca |
- virAccessError(VIR_ERR_ACCESS_DENIED, NULL);
|
|
|
edecca |
+ virAccessError(VIR_ERR_ACCESS_DENIED, driverName, NULL);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
return ret;
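Review bot: In the new `virAccessError` call, `driverName` occupies the format-string slot and the trailing `NULL` is its first vararg, so the driver name is handed to the reporting helper as a printf format rather than as a `%s` argument; that is the non-literal-format pattern `-Wformat-security` exists to catch, and the message breaks as soon as a name contains a `%`. The generated C in the gendispatch.pl hunk has the same shape (`virReportError(VIR_ERR_ACCESS_DENIED, conn->driver->name, NULL)`). Driver names appear to be fixed identifiers rather than user input, so as far as the page shows this is a robustness problem, not an exploitable one. I would make the name a proper argument and keep the caller's format literal and translatable, e.g. `virAccessError(VIR_ERR_ACCESS_DENIED, _("'%s' denied access"), driverName);`. The closing brace of virAccessManagerSanitizeError lies past the end of the hunk.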
|
|
|
edecca |
@@ -217,7 +218,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkConnect)
|
|
|
edecca |
ret = manager->drv->checkConnect(manager, driverName, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
|
|
|
edecca |
@@ -233,7 +234,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkDomain)
|
|
|
edecca |
ret = manager->drv->checkDomain(manager, driverName, domain, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
int virAccessManagerCheckInterface(virAccessManagerPtr manager,
|
|
|
edecca |
@@ -248,7 +249,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkInterface)
|
|
|
edecca |
ret = manager->drv->checkInterface(manager, driverName, iface, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
|
|
|
edecca |
@@ -263,7 +264,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkNetwork)
|
|
|
edecca |
ret = manager->drv->checkNetwork(manager, driverName, network, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
|
|
|
edecca |
@@ -278,7 +279,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkNodeDevice)
|
|
|
edecca |
ret = manager->drv->checkNodeDevice(manager, driverName, nodedev, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
|
|
|
edecca |
@@ -293,7 +294,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkNWFilter)
|
|
|
edecca |
ret = manager->drv->checkNWFilter(manager, driverName, nwfilter, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
|
|
|
edecca |
@@ -308,7 +309,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkNWFilterBinding)
|
|
|
edecca |
ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
int virAccessManagerCheckSecret(virAccessManagerPtr manager,
|
|
|
edecca |
@@ -323,7 +324,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkSecret)
|
|
|
edecca |
ret = manager->drv->checkSecret(manager, driverName, secret, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
|
|
|
edecca |
@@ -338,7 +339,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkStoragePool)
|
|
|
edecca |
ret = manager->drv->checkStoragePool(manager, driverName, pool, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
|
|
|
edecca |
int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
|
|
|
edecca |
@@ -354,5 +355,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
|
|
|
edecca |
if (manager->drv->checkStorageVol)
|
|
|
edecca |
ret = manager->drv->checkStorageVol(manager, driverName, pool, vol, perm);
|
|
|
edecca |
|
|
|
edecca |
- return virAccessManagerSanitizeError(ret);
|
|
|
edecca |
+ return virAccessManagerSanitizeError(ret, driverName);
|
|
|
edecca |
}
|
|
|
edecca |
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
|
|
|
edecca |
index 0c4648c0fb..f599002056 100755
|
|
|
edecca |
--- a/src/rpc/gendispatch.pl
|
|
|
edecca |
+++ b/src/rpc/gendispatch.pl
|
|
|
edecca |
@@ -2199,7 +2199,7 @@ elsif ($mode eq "client") {
|
|
|
edecca |
print " virObjectUnref(mgr);\n";
|
|
|
edecca |
if ($action eq "Ensure") {
|
|
|
edecca |
print " if (rv == 0)\n";
|
|
|
edecca |
- print " virReportError(VIR_ERR_ACCESS_DENIED, NULL);\n";
|
|
|
edecca |
+ print " virReportError(VIR_ERR_ACCESS_DENIED, conn->driver->name, NULL);\n";
|
|
|
edecca |
print " return $fail;\n";
|
|
|
edecca |
} else {
|
|
|
edecca |
print " virResetLastError();\n";
|
|
|
edecca |
diff --git a/src/util/virerror.c b/src/util/virerror.c
|
|
|
edecca |
index f198f27957..5f50fa0349 100644
|
|
|
edecca |
--- a/src/util/virerror.c
|
|
|
edecca |
+++ b/src/util/virerror.c
|
|
|
edecca |
@@ -1439,9 +1439,9 @@ virErrorMsg(virErrorNumber error, const char *info)
|
|
|
edecca |
break;
|
|
|
edecca |
case VIR_ERR_ACCESS_DENIED:
|
|
|
edecca |
if (info == NULL)
|
|
|
edecca |
- errmsg = _("access denied");
|
|
|
edecca |
+ errmsg = _("access denied from '%s'");
|
|
|
edecca |
else
|
|
|
edecca |
- errmsg = _("access denied: %s");
|
|
|
edecca |
+ errmsg = _("access denied from '%s': %s");
|
|
|
edecca |
break;
|
|
|
edecca |
case VIR_ERR_DBUS_SERVICE:
|
|
|
edecca |
if (info == NULL)
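Review bot: The `info != NULL` template now carries two `%s` conversions while `virErrorMsg` still receives only the single `info` string, and nothing in this series changes how the reporting helper formats that template, so the second conversion looks like it would consume a vararg that was never supplied (undefined behaviour, and in practice an arbitrary pointer read that lands in the error text returned to the caller). With the callers in the other hunks passing the driver name as the format itself, `info` would never be empty and this two-conversion branch is the one every denial takes, if the helper formats `fmt` into `info` as its signature suggests. The `info == NULL` branch has the mirror problem: its `%s` has no driver name to print. I would leave both templates as they were (`access denied` / `access denied: %s`) and put the driver name into the caller's own format string, `_("'%s' denied access")`, so each side keeps one `%s` per argument. virErrorMsg starts and ends outside this hunk.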
--
2.19.1