Add access control filtering of node device objects

Ensure that all APIs which list node device objects filter
them against the access control system.

Signed-off-by: Daniel P. Berrange <berrange@redhat.com>

diff --git a/src/conf/node_device_conf.c b/src/conf/node_device_conf.c
index 087cebb4b1de88cd5454dc466f60e32c18ee5454..32096040016267ff32ab7bb90055eb3393ef9f59 100644 (file)
--- a/src/conf/node_device_conf.c
+++ b/src/conf/node_device_conf.c
@@ -1594,10 +1594,11 @@ virNodeDeviceMatch(virNodeDeviceObjPtr devobj,
 #undef MATCH
 
 int
-virNodeDeviceList(virConnectPtr conn,
-                  virNodeDeviceObjList devobjs,
-                  virNodeDevicePtr **devices,
-                  unsigned int flags)
+virNodeDeviceObjListExport(virConnectPtr conn,
+                           virNodeDeviceObjList devobjs,
+                           virNodeDevicePtr **devices,
+                           virNodeDeviceObjListFilter filter,
+                           unsigned int flags)
 {
     virNodeDevicePtr *tmp_devices = NULL;
     virNodeDevicePtr device = NULL;
@@ -1615,7 +1616,8 @@ virNodeDeviceList(virConnectPtr conn,
     for (i = 0; i < devobjs.count; i++) {
         virNodeDeviceObjPtr devobj = devobjs.objs[i];
         virNodeDeviceObjLock(devobj);
-        if (virNodeDeviceMatch(devobj, flags)) {
+        if ((!filter || filter(conn, devobj->def)) &&
+            virNodeDeviceMatch(devobj, flags)) {
             if (devices) {
                 if (!(device = virGetNodeDevice(conn,
                                                 devobj->def->name))) {

diff --git a/src/conf/node_device_conf.h b/src/conf/node_device_conf.h
index ec35da2a20e35778c02ceec34f476ba4a4e1a1e8..1fa61b53f01cd3fdc972a0d75736695b007a7ef6 100644 (file)
--- a/src/conf/node_device_conf.h
+++ b/src/conf/node_device_conf.h
@@ -280,9 +280,13 @@ void virNodeDeviceObjUnlock(virNodeDeviceObjPtr obj);
                  VIR_CONNECT_LIST_NODE_DEVICES_CAP_VPORTS        | \
                  VIR_CONNECT_LIST_NODE_DEVICES_CAP_SCSI_GENERIC)
 
-int virNodeDeviceList(virConnectPtr conn,
-                      virNodeDeviceObjList devobjs,
-                      virNodeDevicePtr **devices,
-                      unsigned int flags);
+typedef bool (*virNodeDeviceObjListFilter)(virConnectPtr conn,
+                                           virNodeDeviceDefPtr def);
+
+int virNodeDeviceObjListExport(virConnectPtr conn,
+                               virNodeDeviceObjList devobjs,
+                               virNodeDevicePtr **devices,
+                               virNodeDeviceObjListFilter filter,
+                               unsigned int flags);
 
 #endif /* __VIR_NODE_DEVICE_CONF_H__ */

diff --git a/src/libvirt_private.syms b/src/libvirt_private.syms
index 18437328d366cbb964ba858e6eecca093423c9d6..3bc9da01b46fea707230222685b8e15021712a11 100644 (file)
--- a/src/libvirt_private.syms
+++ b/src/libvirt_private.syms
@@ -532,7 +532,7 @@ virNodeDeviceFindBySysfsPath;
 virNodeDeviceGetParentHost;
 virNodeDeviceGetWWNs;
 virNodeDeviceHasCap;
-virNodeDeviceList;
+virNodeDeviceObjListExport;
 virNodeDeviceObjListFree;
 virNodeDeviceObjLock;
 virNodeDeviceObjRemove;

diff --git a/src/node_device/node_device_driver.c b/src/node_device/node_device_driver.c
index 8e6911acdb5ac088bda8c0747995570e80966982..1f7e0fd4d2f008c0689ab2629177723a033c06e9 100644 (file)
--- a/src/node_device/node_device_driver.c
+++ b/src/node_device/node_device_driver.c
@@ -140,11 +140,13 @@ nodeNumOfDevices(virConnectPtr conn,
 
     nodeDeviceLock(driver);
     for (i = 0; i < driver->devs.count; i++) {
-        virNodeDeviceObjLock(driver->devs.objs[i]);
-        if ((cap == NULL) ||
-            virNodeDeviceHasCap(driver->devs.objs[i], cap))
+        virNodeDeviceObjPtr obj = driver->devs.objs[i];
+        virNodeDeviceObjLock(obj);
+        if (virNodeNumOfDevicesCheckACL(conn, obj->def) &&
+            ((cap == NULL) ||
+             virNodeDeviceHasCap(obj, cap)))
             ++ndevs;
-        virNodeDeviceObjUnlock(driver->devs.objs[i]);
+        virNodeDeviceObjUnlock(obj);
     }
     nodeDeviceUnlock(driver);
 
@@ -168,15 +170,17 @@ nodeListDevices(virConnectPtr conn,
 
     nodeDeviceLock(driver);
     for (i = 0; i < driver->devs.count && ndevs < maxnames; i++) {
-        virNodeDeviceObjLock(driver->devs.objs[i]);
-        if (cap == NULL ||
-            virNodeDeviceHasCap(driver->devs.objs[i], cap)) {
-            if (VIR_STRDUP(names[ndevs++], driver->devs.objs[i]->def->name) < 0) {
-                virNodeDeviceObjUnlock(driver->devs.objs[i]);
+        virNodeDeviceObjPtr obj = driver->devs.objs[i];
+        virNodeDeviceObjLock(obj);
+        if (virNodeListDevicesCheckACL(conn, obj->def) &&
+            (cap == NULL ||
+             virNodeDeviceHasCap(obj, cap))) {
+            if (VIR_STRDUP(names[ndevs++], obj->def->name) < 0) {
+                virNodeDeviceObjUnlock(obj);
                 goto failure;
             }
         }
-        virNodeDeviceObjUnlock(driver->devs.objs[i]);
+        virNodeDeviceObjUnlock(obj);
     }
     nodeDeviceUnlock(driver);
 
@@ -204,7 +208,9 @@ nodeConnectListAllNodeDevices(virConnectPtr conn,
         return -1;
 
     nodeDeviceLock(driver);
-    ret = virNodeDeviceList(conn, driver->devs, devices, flags);
+    ret = virNodeDeviceObjListExport(conn, driver->devs, devices,
+                                     virConnectListAllNodeDevicesCheckACL,
+                                     flags);
     nodeDeviceUnlock(driver);
     return ret;
 }