1 | /* |
2 | * QEMU list file authorization driver | |
3 | * | |
4 | * Copyright (c) 2018 Red Hat, Inc. | |
5 | * | |
6 | * This library is free software; you can redistribute it and/or | |
7 | * modify it under the terms of the GNU Lesser General Public | |
8 | * License as published by the Free Software Foundation; either | |
9 | * version 2 of the License, or (at your option) any later version. | |
10 | * | |
11 | * This library is distributed in the hope that it will be useful, | |
12 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | * Lesser General Public License for more details. | |
15 | * | |
16 | * You should have received a copy of the GNU Lesser General Public | |
17 | * License along with this library; if not, see <http://www.gnu.org/licenses/>. | |
18 | * | |
19 | */ | |
21 | #ifndef QAUTHZ_LIST_FILE_H__ | |
22 | #define QAUTHZ_LIST_FILE_H__ | |
24 | #include "authz/list.h" | |
25 | #include "qapi/qapi-types-authz.h" | |
26 | #include "qemu/filemonitor.h" | |
/* QOM type name under which this driver is registered ("qom-type" in object-add). */
#define TYPE_QAUTHZ_LIST_FILE "authz-list-file"

/*
 * QOM cast helpers for the list-file authorization driver.  They wrap the
 * generic OBJECT_CLASS_CHECK / OBJECT_GET_CLASS / OBJECT_CHECK macros with
 * this driver's struct types and type name, so callers get a checked
 * conversion instead of a bare C cast.
 */
#define QAUTHZ_LIST_FILE_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZListFileClass, (klass), \
                       TYPE_QAUTHZ_LIST_FILE)
#define QAUTHZ_LIST_FILE_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZListFileClass, (obj), \
                     TYPE_QAUTHZ_LIST_FILE)
#define QAUTHZ_LIST_FILE(obj) \
    OBJECT_CHECK(QAuthZListFile, (obj), \
                 TYPE_QAUTHZ_LIST_FILE)

/* Forward declarations; the full definitions follow below in this header. */
typedef struct QAuthZListFile QAuthZListFile;
typedef struct QAuthZListFileClass QAuthZListFileClass;
/**
 * QAuthZListFile:
 *
 * This authorization driver provides a file-based mechanism
 * for granting access by matching user names against a
 * file of match rules. Each match rule has an associated policy,
 * and a catch-all policy applies if no rule matches.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-list-file",
 *      "id": "authz0",
 *      "props": {
 *        "filename": "/etc/qemu/myvm-vnc.acl",
 *        "refresh": true
 *      }
 *    }
 *  }
 *
 * If 'refresh' is 'yes', inotify is used to monitor for changes
 * to the file and auto-reload the rules.
 *
 * The myvm-vnc.acl file should contain the parameters for
 * the QAuthZList object in JSON format:
 *
 *  {
 *    "rules": [
 *       { "match": "fred", "policy": "allow", "format": "exact" },
 *       { "match": "bob", "policy": "allow", "format": "exact" },
 *       { "match": "danb", "policy": "deny", "format": "exact" },
 *       { "match": "dan*", "policy": "allow", "format": "glob" }
 *    ],
 *    "policy": "deny"
 *  }
 *
 * The object can be created on the command line using
 *
 *   -object authz-list-file,id=authz0,\
 *           filename=/etc/qemu/myvm-vnc.acl,refresh=yes
 *
 * Note that the file is trusted configuration: whoever can write to it
 * decides the access policy, and with 'refresh' enabled an edit takes
 * effect without restarting QEMU. Restrict its permissions accordingly.
 */
struct QAuthZListFile {
    /* Base authorization object; this driver delegates to @list. */
    QAuthZ parent_obj;

    /* The QAuthZList built from the file's JSON contents (presumably
     * replaced on reload when @refresh is set — confirm in listfile.c). */
    QAuthZ *list;
    /* Path of the JSON rules file ("filename" property). */
    char *filename;
    /* Whether to watch the file and reload rules on change ("refresh" property). */
    bool refresh;
    /* inotify-backed monitor used when @refresh is set; NULL otherwise is assumed — confirm. */
    QFileMonitor *file_monitor;
    /* Watch handle registered with @file_monitor for @filename. */
    int file_watch;
};
/* Class struct; adds nothing beyond the QAuthZ base class. */
struct QAuthZListFileClass {
    QAuthZClass parent_class;
};
/**
 * qauthz_list_file_new:
 * @id: the QOM object id to register the new instance under
 * @filename: path of the JSON rules file to load (see the QAuthZListFile
 *            documentation above for its format)
 * @refresh: whether to monitor @filename and reload the rules on change
 * @errp: pointer to a NULL-initialized error object
 *
 * Convenience constructor for the "authz-list-file" driver, equivalent to
 * the object-add / -object forms documented above.
 *
 * Returns: the new QAuthZListFile object; presumably NULL with @errp set if
 * the file cannot be read or parsed — confirm against the implementation.
 */
QAuthZListFile *qauthz_list_file_new(const char *id,
                                     const char *filename,
                                     bool refresh,
                                     Error **errp);
110 | #endif /* QAUTHZ_LIST_FILE_H__ */ | |