render / rpms / libvirt

Forked from rpms/libvirt 11 months ago
Clone
edecca
From 85750b0466aa3719d3d2447abaab2e87db92f552 Mon Sep 17 00:00:00 2001
edecca
Message-Id: <85750b0466aa3719d3d2447abaab2e87db92f552@dist-git>
edecca
From: John Ferlan <jferlan@redhat.com>
edecca
Date: Mon, 5 Nov 2018 07:48:37 -0500
edecca
Subject: [PATCH] access: Modify the VIR_ERR_ACCESS_DENIED to include
edecca
 driverName
edecca
edecca
https://bugzilla.redhat.com/show_bug.cgi?id=1631608 (RHEL 8.0)
edecca
https://bugzilla.redhat.com/show_bug.cgi?id=1631606 (RHEL 7.7)
edecca
edecca
Changes made to manage and utilize a secondary connection
edecca
driver to APIs outside the scope of the primary connection
edecca
driver have resulted in some confusion processing polkit rules
edecca
since the simple "access denied" error message doesn't provide
edecca
enough of a clue when combined with the "authentication failed:
edecca
access denied by policy" as to which connection driver refused
edecca
or failed the ACL check.
edecca
edecca
In order to provide some context, let's modify the existing
edecca
"access denied" error returne from the various vir*EnsureACL
edecca
API's to provide the connection driver name that is causing
edecca
the failure. This should provide the context for writing the
edecca
polkit rules that would allow access via the driver.
edecca
edecca
Signed-off-by: John Ferlan <jferlan@redhat.com>
edecca
ACKed-by: Michal Privoznik <mprivozn@redhat.com>
edecca
(cherry picked from commit ccc72d5cbdd85f66cb737134b3be40aac1df03ef)
edecca
Reviewed-by: Jiri Denemark <jdenemar@redhat.com>
edecca
---
edecca
 src/access/viraccessmanager.c | 25 +++++++++++++------------
edecca
 src/rpc/gendispatch.pl        |  2 +-
edecca
 src/util/virerror.c           |  4 ++--
edecca
 3 files changed, 16 insertions(+), 15 deletions(-)
edecca
edecca
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
edecca
index e7b5bf38da..1dfff32b9d 100644
edecca
--- a/src/access/viraccessmanager.c
edecca
+++ b/src/access/viraccessmanager.c
edecca
@@ -196,11 +196,12 @@ static void virAccessManagerDispose(void *object)
edecca
  * should the admin need to debug things
edecca
  */
edecca
 static int
edecca
-virAccessManagerSanitizeError(int ret)
edecca
+virAccessManagerSanitizeError(int ret,
edecca
+                              const char *driverName)
edecca
 {
edecca
     if (ret < 0) {
edecca
         virResetLastError();
edecca
-        virAccessError(VIR_ERR_ACCESS_DENIED, NULL);
edecca
+        virAccessError(VIR_ERR_ACCESS_DENIED, driverName, NULL);
edecca
     }
edecca
 
edecca
     return ret;
edecca
@@ -217,7 +218,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkConnect)
edecca
         ret = manager->drv->checkConnect(manager, driverName, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 
edecca
@@ -233,7 +234,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkDomain)
edecca
         ret = manager->drv->checkDomain(manager, driverName, domain, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 int virAccessManagerCheckInterface(virAccessManagerPtr manager,
edecca
@@ -248,7 +249,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkInterface)
edecca
         ret = manager->drv->checkInterface(manager, driverName, iface, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
edecca
@@ -263,7 +264,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkNetwork)
edecca
         ret = manager->drv->checkNetwork(manager, driverName, network, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
edecca
@@ -278,7 +279,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkNodeDevice)
edecca
         ret = manager->drv->checkNodeDevice(manager, driverName, nodedev, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
edecca
@@ -293,7 +294,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkNWFilter)
edecca
         ret = manager->drv->checkNWFilter(manager, driverName, nwfilter, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
edecca
@@ -308,7 +309,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkNWFilterBinding)
edecca
         ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
edecca
@@ -323,7 +324,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkSecret)
edecca
         ret = manager->drv->checkSecret(manager, driverName, secret, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
edecca
@@ -338,7 +339,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkStoragePool)
edecca
         ret = manager->drv->checkStoragePool(manager, driverName, pool, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
 
edecca
 int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
edecca
@@ -354,5 +355,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
edecca
     if (manager->drv->checkStorageVol)
edecca
         ret = manager->drv->checkStorageVol(manager, driverName, pool, vol, perm);
edecca
 
edecca
-    return virAccessManagerSanitizeError(ret);
edecca
+    return virAccessManagerSanitizeError(ret, driverName);
edecca
 }
edecca
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
edecca
index 0c4648c0fb..f599002056 100755
edecca
--- a/src/rpc/gendispatch.pl
edecca
+++ b/src/rpc/gendispatch.pl
edecca
@@ -2199,7 +2199,7 @@ elsif ($mode eq "client") {
edecca
                     print "        virObjectUnref(mgr);\n";
edecca
                     if ($action eq "Ensure") {
edecca
                         print "        if (rv == 0)\n";
edecca
-                        print "            virReportError(VIR_ERR_ACCESS_DENIED, NULL);\n";
edecca
+                        print "            virReportError(VIR_ERR_ACCESS_DENIED, conn->driver->name, NULL);\n";
edecca
                         print "        return $fail;\n";
edecca
                     } else {
edecca
                         print "        virResetLastError();\n";
edecca
diff --git a/src/util/virerror.c b/src/util/virerror.c
edecca
index f198f27957..5f50fa0349 100644
edecca
--- a/src/util/virerror.c
edecca
+++ b/src/util/virerror.c
edecca
@@ -1439,9 +1439,9 @@ virErrorMsg(virErrorNumber error, const char *info)
edecca
             break;
edecca
         case VIR_ERR_ACCESS_DENIED:
edecca
             if (info == NULL)
edecca
-                errmsg = _("access denied");
edecca
+                errmsg = _("access denied from '%s'");
edecca
             else
edecca
-                errmsg = _("access denied: %s");
edecca
+                errmsg = _("access denied from '%s': %s");
edecca
             break;
edecca
         case VIR_ERR_DBUS_SERVICE:
edecca
             if (info == NULL)
edecca
-- 
edecca
2.19.1
edecca