/*
 * QEMU list file authorization driver
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_LISTFILE_H
#define QAUTHZ_LISTFILE_H

#include "authz/list.h"
#include "qemu/filemonitor.h"
#include "qom/object.h"

/* QOM type name, as used with "object-add" / "-object" */
#define TYPE_QAUTHZ_LIST_FILE "authz-list-file"

typedef struct QAuthZListFile QAuthZListFile;
typedef struct QAuthZListFileClass QAuthZListFileClass;

/* Type-checked QOM casts for this driver (abort on a type mismatch). */
#define QAUTHZ_LIST_FILE_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZListFileClass, (klass), \
                       TYPE_QAUTHZ_LIST_FILE)
#define QAUTHZ_LIST_FILE_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZListFileClass, (obj), \
                     TYPE_QAUTHZ_LIST_FILE)
#define QAUTHZ_LIST_FILE(obj) \
    OBJECT_CHECK(QAuthZListFile, (obj), \
                 TYPE_QAUTHZ_LIST_FILE)



/**
 * QAuthZListFile:
 *
 * This authorization driver provides a file mechanism
 * for granting access by matching user names against a
 * file of match rules (exact strings or globs). Each match
 * rule has an associated policy, and a catch-all policy
 * applies if no rule matches.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-list-file",
 *      "id": "authz0",
 *      "props": {
 *        "filename": "/etc/qemu/myvm-vnc.acl",
 *        "refresh": true
 *      }
 *    }
 *  }
 *
 * If 'refresh' is true ('yes' on the command line), inotify is
 * used to monitor for changes to the file and auto-reload the
 * rules.
 *
 * The myvm-vnc.acl file should contain the parameters for
 * the QAuthZList object in JSON format:
 *
 *   {
 *     "rules": [
 *        { "match": "fred", "policy": "allow", "format": "exact" },
 *        { "match": "bob", "policy": "allow", "format": "exact" },
 *        { "match": "danb", "policy": "deny", "format": "exact" },
 *        { "match": "dan*", "policy": "allow", "format": "glob" }
 *     ],
 *     "policy": "deny"
 *   }
 *
 * The object can be created on the command line using
 *
 *   -object authz-list-file,id=authz0,\
 *           filename=/etc/qemu/myvm-vnc.acl,refresh=yes
 *
 * Security notes:
 *
 *  - The ACL file *is* the access policy. Any principal that can
 *    write it -- or, with refresh enabled, replace it in its
 *    directory -- can grant themselves access. Keep it owned by
 *    and writable only by the user running QEMU (or root), never
 *    world-writable.
 *
 *  - The example above depends on rule order: "danb" is denied
 *    before the "dan*" glob would allow it. This suggests the
 *    first matching rule wins, but that is decided by the
 *    QAuthZList implementation, not by this header -- confirm
 *    there before relying on it.
 *
 *  - What happens when an auto-reloaded file fails to parse
 *    (old rules retained, everything denied, ...) is not visible
 *    from this header; check the driver's reload path before
 *    depending on either behaviour.
 */
struct QAuthZListFile {
    QAuthZ parent_obj;          /* QOM parent instance */

    QAuthZ *list;               /* presumably the QAuthZList built from the
                                 * file's JSON and consulted for each check --
                                 * confirm in the driver */
    char *filename;             /* path of the ACL file ("filename" property) */
    bool refresh;               /* "refresh" property: auto-reload on change */
    QFileMonitor *file_monitor; /* monitor used for auto-reload; NOTE(review):
                                 * presumably NULL when refresh is false --
                                 * confirm */
    int64_t file_watch;         /* watch handle from the file monitor;
                                 * presumably only meaningful while
                                 * refresh is enabled -- confirm */
};


struct QAuthZListFileClass {
    QAuthZClass parent_class;   /* no driver-specific class members */
};


/**
 * qauthz_list_file_new:
 * @id: QOM object id to register the new instance under
 * @filename: path of the ACL file to load (see the JSON format above)
 * @refresh: whether to monitor @filename and reload the rules on change
 * @errp: pointer to a NULL-initialised error object
 *
 * Programmatic counterpart of the "object-add" / "-object" forms
 * documented above (presumably sharing the same load path -- confirm
 * in the driver).
 *
 * Returns: the new object on success. On failure expect NULL with
 * @errp set, per QEMU convention -- confirm in the driver.
 */
QAuthZListFile *qauthz_list_file_new(const char *id,
                                     const char *filename,
                                     bool refresh,
                                     Error **errp);

#endif /* QAUTHZ_LISTFILE_H */