From 541a154e0f98604f63cb22356287dfa3858748c9 Mon Sep 17 00:00:00 2001
Message-Id: <541a154e0f98604f63cb22356287dfa3858748c9@dist-git>
From: John Ferlan <jferlan@redhat.com>
Date: Thu, 15 Nov 2018 06:43:59 -0500
Subject: [PATCH] access: Modify the VIR_ERR_ACCESS_DENIED to include
 driverName
https://bugzilla.redhat.com/show_bug.cgi?id=1631608 (RHEL8)
https://bugzilla.redhat.com/show_bug.cgi?id=1631606 (RHEL7)
Changes made to manage and utilize a secondary connection
driver to APIs outside the scope of the primary connection
driver have resulted in some confusion processing polkit rules
since the simple "access denied" error message doesn't provide
enough of a clue when combined with the "authentication failed:
access denied by policy" as to which connection driver refused
or failed the ACL check.
In order to provide some context, let's modify the existing
"access denied" error returned from the various vir*EnsureACL
APIs to provide the connection driver name that is causing
the failure. This should provide the context for writing the
polkit rules that would allow access via the driver, but yet
still adhere to the virAccessManagerSanitizeError commentary
regarding not telling the user why access was denied.
Signed-off-by: John Ferlan <jferlan@redhat.com>
(cherry picked from commit 605496be609e153526fcdd3e98df8cf5244bc8fa)
Reviewed-by: Erik Skultety <eskultet@redhat.com>
---
 src/access/viraccessmanager.c | 26 ++++++++++++++------------
 src/rpc/gendispatch.pl        |  3 ++-
 2 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/src/access/viraccessmanager.c b/src/access/viraccessmanager.c
index e7b5bf38da..f5d62604cf 100644
--- a/src/access/viraccessmanager.c
+++ b/src/access/viraccessmanager.c
@@ -196,11 +196,13 @@ static void virAccessManagerDispose(void *object)
  * should the admin need to debug things
  */
 static int
-virAccessManagerSanitizeError(int ret)
+virAccessManagerSanitizeError(int ret,
+                              const char *driverName)
 {
     if (ret < 0) {
         virResetLastError();
-        virAccessError(VIR_ERR_ACCESS_DENIED, NULL);
+        virAccessError(VIR_ERR_ACCESS_DENIED,
+                       _("'%s' denied access"), driverName);
     }
 
     return ret;
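Review bot: The new format string hands driverName straight to `%s`, and nothing in this hunk guarantees the argument is non-NULL; passing NULL for `%s` is undefined behaviour in C, so either the call should read `_("'%s' denied access"), NULLSTR(driverName));` (libvirt's NULLSTR helper, if it is in scope in this file) or the contract that callers never pass NULL should be stated on the function. The header comment just above the hunk (`should the admin need to debug things`) should also be updated to say that the driver name is the one detail deliberately surfaced to the caller while the reason for the denial is still withheld, since that distinction is the whole purpose of this function. The function's closing brace lies outside the hunk.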
@@ -217,7 +219,7 @@ int virAccessManagerCheckConnect(virAccessManagerPtr manager,
     if (manager->drv->checkConnect)
         ret = manager->drv->checkConnect(manager, driverName, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 
@@ -233,7 +235,7 @@ int virAccessManagerCheckDomain(virAccessManagerPtr manager,
     if (manager->drv->checkDomain)
         ret = manager->drv->checkDomain(manager, driverName, domain, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckInterface(virAccessManagerPtr manager,
@@ -248,7 +250,7 @@ int virAccessManagerCheckInterface(virAccessManagerPtr manager,
     if (manager->drv->checkInterface)
         ret = manager->drv->checkInterface(manager, driverName, iface, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
@@ -263,7 +265,7 @@ int virAccessManagerCheckNetwork(virAccessManagerPtr manager,
     if (manager->drv->checkNetwork)
         ret = manager->drv->checkNetwork(manager, driverName, network, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
@@ -278,7 +280,7 @@ int virAccessManagerCheckNodeDevice(virAccessManagerPtr manager,
     if (manager->drv->checkNodeDevice)
         ret = manager->drv->checkNodeDevice(manager, driverName, nodedev, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
@@ -293,7 +295,7 @@ int virAccessManagerCheckNWFilter(virAccessManagerPtr manager,
     if (manager->drv->checkNWFilter)
         ret = manager->drv->checkNWFilter(manager, driverName, nwfilter, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
@@ -308,7 +310,7 @@ int virAccessManagerCheckNWFilterBinding(virAccessManagerPtr manager,
     if (manager->drv->checkNWFilterBinding)
         ret = manager->drv->checkNWFilterBinding(manager, driverName, binding, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckSecret(virAccessManagerPtr manager,
@@ -323,7 +325,7 @@ int virAccessManagerCheckSecret(virAccessManagerPtr manager,
     if (manager->drv->checkSecret)
         ret = manager->drv->checkSecret(manager, driverName, secret, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
@@ -338,7 +340,7 @@ int virAccessManagerCheckStoragePool(virAccessManagerPtr manager,
     if (manager->drv->checkStoragePool)
         ret = manager->drv->checkStoragePool(manager, driverName, pool, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
 
 int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
@@ -354,5 +356,5 @@ int virAccessManagerCheckStorageVol(virAccessManagerPtr manager,
     if (manager->drv->checkStorageVol)
         ret = manager->drv->checkStorageVol(manager, driverName, pool, vol, perm);
 
-    return virAccessManagerSanitizeError(ret);
+    return virAccessManagerSanitizeError(ret, driverName);
 }
diff --git a/src/rpc/gendispatch.pl b/src/rpc/gendispatch.pl
index 0c4648c0fb..a8b9f5aeca 100755
--- a/src/rpc/gendispatch.pl
+++ b/src/rpc/gendispatch.pl
@@ -2199,7 +2199,8 @@ elsif ($mode eq "client") {
                     print "        virObjectUnref(mgr);\n";
                     if ($action eq "Ensure") {
                         print "        if (rv == 0)\n";
-                        print "            virReportError(VIR_ERR_ACCESS_DENIED, NULL);\n";
+                        print "            virReportError(VIR_ERR_ACCESS_DENIED,\n";
+                        print"                            _(\"'%s' denied access\"), conn->driver->name);\n";
                         print "        return $fail;\n";
                     } else {
                         print "        virResetLastError();\n";
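Review bot: The second added print is written `print"` with no space before the string, unlike every other print in this hunk; `print "                            _(\"'%s' denied access\"), conn->driver->name);\n";` keeps the generator's style consistent. The generated C now dereferences `conn->driver->name` in the Ensure path, which depends on the generated function having a `conn` parameter and on the driver pointer already being set when the ACL check runs; both appear to hold for this generator but are inferred from the surrounding output rather than visible in the hunk. The enclosing generator branch starts and ends outside the hunk.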
-- 
2.19.2