1 | /* |
2 | * QEMU PAM authorization driver | |
3 | * | |
4 | * Copyright (c) 2018 Red Hat, Inc. | |
5 | * | |
6 | * This library is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU Lesser General Public | |
8 | * License as published by the Free Software Foundation; either | |
9 | * version 2 of the License, or (at your option) any later version. | |
10 | * | |
11 | * This library is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | * Lesser General Public License for more details. | |
15 | * | |
16 | * You should have received a copy of the GNU Lesser General Public | |
17 | * License along with this library; if not, see <http://www.gnu.org/licenses/>. | |
18 | * | |
19 | */ | |
20 | ||
21 | #ifndef QAUTHZ_PAMACCT_H |
22 | #define QAUTHZ_PAMACCT_H | |
23 | |
24 | #include "authz/base.h" | |
25 | ||
26 | ||
/* QOM type name this driver is registered under ("-object authz-pam,..."). */
#define TYPE_QAUTHZ_PAM "authz-pam"

/* QOM cast helpers to the driver's class and object types. */
#define QAUTHZ_PAM_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZPAMClass, (klass), \
                       TYPE_QAUTHZ_PAM)
#define QAUTHZ_PAM_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZPAMClass, (obj), \
                     TYPE_QAUTHZ_PAM)
#define QAUTHZ_PAM(obj) \
    OBJECT_CHECK(QAuthZPAM, (obj), \
                 TYPE_QAUTHZ_PAM)
38 | |
/* Forward declarations; the struct definitions follow below in this header. */
typedef struct QAuthZPAM QAuthZPAM;
typedef struct QAuthZPAMClass QAuthZPAMClass;
41 | ||
42 | ||
/**
 * QAuthZPAM:
 *
 * This authorization driver provides a PAM mechanism
 * for granting access: the decision for a user name is
 * delegated to the PAM "account" subsystem of the
 * configured service, so the matching rules live in that
 * service's PAM configuration rather than in QEMU.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-pam",
 *      "id": "authz0",
 *      "parameters": {
 *        "service": "qemu-vnc-tls"
 *      }
 *    }
 *  }
 *
 * The driver only uses the PAM "account" verification
 * subsystem. The above config would require a config
 * file /etc/pam.d/qemu-vnc-tls. For a simple file
 * lookup it would contain
 *
 *   account requisite pam_listfile.so item=user sense=allow \
 *       file=/etc/qemu/vnc.allow
 *
 * The external file would then contain a list of usernames.
 * If an x509 cert was being used as the username, a suitable
 * entry would match the distinguished name:
 *
 *   CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
 *
 * On the command line it can be created using
 *
 *   -object authz-pam,id=authz0,service=qemu-vnc-tls
 *
 */
struct QAuthZPAM {
    QAuthZ parent_obj;

    /*
     * PAM service name to consult; it selects the
     * /etc/pam.d/<service> configuration (see above).
     */
    char *service;
};
88 | ||
89 | ||
/* Class struct for the PAM driver; it adds no members of its own. */
struct QAuthZPAMClass {
    QAuthZClass parent_class;
};
93 | ||
94 | ||
/**
 * qauthz_pam_new:
 * @id: QOM object ID for the new authorization object
 * @service: PAM service name (selects /etc/pam.d/<service>)
 * @errp: pointer to receive an error object on failure
 *
 * Create a new PAM authorization driver instance.
 *
 * Returns: the new driver object. NOTE(review): presumably NULL
 * with @errp set on failure, as is usual for QEMU constructors
 * taking an Error ** — confirm against the implementation.
 */
QAuthZPAM *qauthz_pam_new(const char *id,
                          const char *service,
                          Error **errp);
98 | ||
58ea30f5 | 99 | #endif /* QAUTHZ_PAMACCT_H */ |