/**
* virIdentityGetSystem:
*
* Returns an identity that represents the system itself.
* This is the identity that the process is running as
*
* Returns a reference to the system identity, or NULL
*/
virIdentityPtr virIdentityGetSystem(void)
{
char *username = NULL;
char *groupname = NULL;
char *seccontext = NULL;
virIdentityPtr ret = NULL;
#if WITH_SELINUX
security_context_t con;
#endif
if (!(username = virGetUserName(getuid())))
goto cleanup;
if (!(groupname = virGetGroupName(getgid())))
goto cleanup;
#if WITH_SELINUX
if (getcon(&con) < 0) {
virReportSystemError(errno, "%s",
_("Unable to lookup SELinux process context"));
goto cleanup;
}
if (VIR_STRDUP(seccontext, con) < 0) {
freecon(con);
goto cleanup;
}
freecon(con);
#endif
if (!(ret = virIdentityNew()))
goto cleanup;
if (username &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
username) < 0)
goto error;
if (groupname &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
groupname) < 0)
goto error;
if (seccontext &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
seccontext) < 0)
goto error;
cleanup:
VIR_FREE(username);
VIR_FREE(groupname);
VIR_FREE(seccontext);
return ret;
error:
virObjectUnref(ret);
ret = NULL;
goto cleanup;
}
/**
* virIdentityGetSystem:
*
* Returns an identity that represents the system itself.
* This is the identity that the process is running as
*
* Returns a reference to the system identity, or NULL
*/
virIdentityPtr virIdentityGetSystem(void)
{
VIR_AUTOFREE(char *) username = NULL;
VIR_AUTOFREE(char *) groupname = NULL;
unsigned long long startTime;
virIdentityPtr ret = NULL;
#if WITH_SELINUX
security_context_t con;
#endif
if (!(ret = virIdentityNew()))
goto error;
if (virIdentitySetUNIXProcessID(ret, getpid()) < 0)
goto error;
if (virProcessGetStartTime(getpid(), &startTime) < 0)
goto error;
if (startTime != 0 &&
virIdentitySetUNIXProcessTime(ret, startTime) < 0)
goto error;
if (!(username = virGetUserName(geteuid())))
return ret;
if (virIdentitySetUNIXUserName(ret, username) < 0)
goto error;
if (virIdentitySetUNIXUserID(ret, getuid()) < 0)
goto error;
if (!(groupname = virGetGroupName(getegid())))
return ret;
if (virIdentitySetUNIXGroupName(ret, groupname) < 0)
goto error;
if (virIdentitySetUNIXGroupID(ret, getgid()) < 0)
goto error;
#if WITH_SELINUX
if (is_selinux_enabled() > 0) {
if (getcon(&con) < 0) {
virReportSystemError(errno, "%s",
_("Unable to lookup SELinux process context"));
return ret;
}
if (virIdentitySetSELinuxContext(ret, con) < 0) {
freecon(con);
goto error;
}
freecon(con);
}
#endif
return ret;
error:
virObjectUnref(ret);
return NULL;
}
static int virLoginShellAllowedUser(virConfPtr conf,
const char *name,
gid_t *groups)
{
virConfValuePtr p;
int ret = -1;
char *ptr = NULL;
size_t i;
char *gname = NULL;
p = virConfGetValue(conf, "allowed_users");
if (p && p->type == VIR_CONF_LIST) {
virConfValuePtr pp;
/* Calc length and check items */
for (pp = p->list; pp; pp = pp->next) {
if (pp->type != VIR_CONF_STRING) {
virReportSystemError(EINVAL, "%s",
_("shell must be a list of strings"));
goto cleanup;
} else {
/*
If string begins with a % this indicates a linux group.
Check to see if the user is in the Linux Group.
*/
if (pp->str[0] == '%') {
ptr = &pp->str[1];
if (!*ptr)
continue;
for (i = 0; groups[i]; i++) {
if (!(gname = virGetGroupName(groups[i])))
continue;
if (fnmatch(ptr, gname, 0) == 0) {
ret = 0;
goto cleanup;
}
VIR_FREE(gname);
}
continue;
}
if (fnmatch(pp->str, name, 0) == 0) {
ret = 0;
goto cleanup;
}
}
}
}
virReportSystemError(EPERM,
_("%s not matched against 'allowed_users' in %s"),
name, conf_file);
cleanup:
VIR_FREE(gname);
return ret;
}
static int
virStorageBackendVzPoolStart(virStoragePoolObjPtr pool)
{
virStoragePoolDefPtr def = virStoragePoolObjGetDef(pool);
VIR_AUTOFREE(char *) grp_name = NULL;
VIR_AUTOFREE(char *) usr_name = NULL;
VIR_AUTOFREE(char *) mode = NULL;
VIR_AUTOPTR(virCommand) cmd = NULL;
/* Check the permissions */
if (def->target.perms.mode == (mode_t)-1)
def->target.perms.mode = VIR_STORAGE_DEFAULT_POOL_PERM_MODE;
if (def->target.perms.uid == (uid_t)-1)
def->target.perms.uid = geteuid();
if (def->target.perms.gid == (gid_t)-1)
def->target.perms.gid = getegid();
/* Convert ids to names because vstorage uses names */
if (!(grp_name = virGetGroupName(def->target.perms.gid)))
return -1;
if (!(usr_name = virGetUserName(def->target.perms.uid)))
return -1;
if (virAsprintf(&mode, "%o", def->target.perms.mode) < 0)
return -1;
cmd = virCommandNewArgList(VSTORAGE_MOUNT,
"-c", def->source.name,
def->target.path,
"-m", mode,
"-g", grp_name, "-u", usr_name,
NULL);
return virCommandRun(cmd, NULL);
}
static virIdentityPtr
virNetServerClientCreateIdentity(virNetServerClientPtr client)
{
char *username = NULL;
char *groupname = NULL;
char *seccontext = NULL;
virIdentityPtr ret = NULL;
if (!(ret = virIdentityNew()))
goto error;
if (client->sock && virNetSocketIsLocal(client->sock)) {
gid_t gid;
uid_t uid;
pid_t pid;
unsigned long long timestamp;
if (virNetSocketGetUNIXIdentity(client->sock,
&uid, &gid, &pid,
×tamp) < 0)
goto error;
if (!(username = virGetUserName(uid)))
goto error;
if (virIdentitySetUNIXUserName(ret, username) < 0)
goto error;
if (virIdentitySetUNIXUserID(ret, uid) < 0)
goto error;
if (!(groupname = virGetGroupName(gid)))
goto error;
if (virIdentitySetUNIXGroupName(ret, groupname) < 0)
goto error;
if (virIdentitySetUNIXGroupID(ret, gid) < 0)
goto error;
if (virIdentitySetUNIXProcessID(ret, pid) < 0)
goto error;
if (virIdentitySetUNIXProcessTime(ret, timestamp) < 0)
goto error;
}
#if WITH_SASL
if (client->sasl) {
const char *identity = virNetSASLSessionGetIdentity(client->sasl);
if (virIdentitySetSASLUserName(ret, identity) < 0)
goto error;
}
#endif
#if WITH_GNUTLS
if (client->tls) {
const char *identity = virNetTLSSessionGetX509DName(client->tls);
if (virIdentitySetX509DName(ret, identity) < 0)
goto error;
}
#endif
if (client->sock &&
virNetSocketGetSELinuxContext(client->sock, &seccontext) < 0)
goto error;
if (seccontext &&
virIdentitySetSELinuxContext(ret, seccontext) < 0)
goto error;
cleanup:
VIR_FREE(username);
VIR_FREE(groupname);
VIR_FREE(seccontext);
return ret;
error:
virObjectUnref(ret);
ret = NULL;
goto cleanup;
}
static virIdentityPtr
virNetServerClientCreateIdentity(virNetServerClientPtr client)
{
char *processid = NULL;
char *processtime = NULL;
char *username = NULL;
char *userid = NULL;
char *groupname = NULL;
char *groupid = NULL;
#if WITH_SASL
char *saslname = NULL;
#endif
#if WITH_GNUTLS
char *x509dname = NULL;
#endif
char *seccontext = NULL;
virIdentityPtr ret = NULL;
if (client->sock && virNetSocketIsLocal(client->sock)) {
gid_t gid;
uid_t uid;
pid_t pid;
unsigned long long timestamp;
if (virNetSocketGetUNIXIdentity(client->sock,
&uid, &gid, &pid,
×tamp) < 0)
goto cleanup;
if (!(username = virGetUserName(uid)))
goto cleanup;
if (virAsprintf(&userid, "%d", (int)uid) < 0)
goto cleanup;
if (!(groupname = virGetGroupName(gid)))
goto cleanup;
if (virAsprintf(&groupid, "%d", (int)gid) < 0)
goto cleanup;
if (virAsprintf(&processid, "%llu",
(unsigned long long)pid) < 0)
goto cleanup;
if (virAsprintf(&processtime, "%llu",
timestamp) < 0)
goto cleanup;
}
#if WITH_SASL
if (client->sasl) {
const char *identity = virNetSASLSessionGetIdentity(client->sasl);
if (VIR_STRDUP(saslname, identity) < 0)
goto cleanup;
}
#endif
#if WITH_GNUTLS
if (client->tls) {
const char *identity = virNetTLSSessionGetX509DName(client->tls);
if (VIR_STRDUP(x509dname, identity) < 0)
goto cleanup;
}
#endif
if (client->sock &&
virNetSocketGetSELinuxContext(client->sock, &seccontext) < 0)
goto cleanup;
if (!(ret = virIdentityNew()))
goto cleanup;
if (username &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_USER_NAME,
username) < 0)
goto error;
if (userid &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_USER_ID,
userid) < 0)
goto error;
if (groupname &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_GROUP_NAME,
groupname) < 0)
goto error;
if (groupid &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_GROUP_ID,
groupid) < 0)
goto error;
if (processid &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_PROCESS_ID,
processid) < 0)
goto error;
if (processtime &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_UNIX_PROCESS_TIME,
processtime) < 0)
goto error;
#if WITH_SASL
if (saslname &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_SASL_USER_NAME,
saslname) < 0)
goto error;
#endif
#if WITH_GNUTLS
if (x509dname &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_X509_DISTINGUISHED_NAME,
x509dname) < 0)
goto error;
#endif
if (seccontext &&
virIdentitySetAttr(ret,
VIR_IDENTITY_ATTR_SELINUX_CONTEXT,
seccontext) < 0)
goto error;
cleanup:
VIR_FREE(username);
VIR_FREE(userid);
VIR_FREE(groupname);
VIR_FREE(groupid);
VIR_FREE(processid);
VIR_FREE(processtime);
VIR_FREE(seccontext);
#if WITH_SASL
VIR_FREE(saslname);
#endif
#if WITH_GNUTLS
VIR_FREE(x509dname);
#endif
return ret;
error:
virObjectUnref(ret);
ret = NULL;
goto cleanup;
}
