/*
 * QEMU PAM authorization driver
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_PAMACCT_H
#define QAUTHZ_PAMACCT_H

#include "authz/base.h"


/*
 * QOM type name of this driver: the value given to "qom-type" in a QMP
 * object-add command and to the -object command line option.
 */
#define TYPE_QAUTHZ_PAM "authz-pam"

/* Checked QOM casts from a generic class/object to the PAM driver types. */
#define QAUTHZ_PAM_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZPAMClass, (klass), \
                       TYPE_QAUTHZ_PAM)
#define QAUTHZ_PAM_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZPAMClass, (obj), \
                     TYPE_QAUTHZ_PAM)
#define QAUTHZ_PAM(obj) \
    OBJECT_CHECK(QAuthZPAM, (obj), \
                 TYPE_QAUTHZ_PAM)

typedef struct QAuthZPAM QAuthZPAM;
typedef struct QAuthZPAMClass QAuthZPAMClass;


/**
 * QAuthZPAM:
 *
 * This authorization driver delegates the access decision to the
 * PAM "account" subsystem of the configured service: the identity
 * string being authorized is passed to PAM as the user name, and the
 * rules in the corresponding /etc/pam.d/<service> file decide whether
 * it is granted. The driver itself holds no rule list; all policy
 * lives in the PAM configuration.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-pam",
 *      "id": "authz0",
 *      "parameters": {
 *        "service": "qemu-vnc-tls"
 *      }
 *    }
 *  }
 *
 * The driver only uses the PAM "account" verification
 * subsystem, so the "auth", "password" and "session" stacks of the
 * service are never consulted and only "account" lines are needed.
 * The above config would require a config
 * file /etc/pam.d/qemu-vnc-tls. For a simple file
 * lookup it would contain
 *
 *  account requisite  pam_listfile.so item=user sense=allow \
 *      file=/etc/qemu/vnc.allow
 *
 * The external file would then contain a list of usernames.
 * With "sense=allow" as above, any name that is not listed is denied,
 * which is the safe default for an allow-list. pam_listfile compares
 * the whole string literally, so an entry must match exactly.
 * If x509 cert was being used as the username, a suitable
 * entry would match the distinguished name:
 *
 *  CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
 *
 * On the command line it can be created using
 *
 *   -object authz-pam,id=authz0,service=qemu-vnc-tls
 *
 */
struct QAuthZPAM {
    /* Generic authorization driver base object. */
    QAuthZ parent_obj;

    /*
     * Name of the PAM service, i.e. the /etc/pam.d/<service> file whose
     * "account" stack is consulted. Heap string; presumably owned by the
     * object and released in its finalizer - confirm against pamacct.c.
     */
    char *service;
};


struct QAuthZPAMClass {
    /* Generic authorization driver class; no PAM-specific class members. */
    QAuthZClass parent_class;
};


/**
 * qauthz_pam_new:
 * @id: the QOM object id to register the new instance under
 *      (the "id" shown in the QMP and command line examples above)
 * @service: the PAM service name, i.e. the /etc/pam.d/ file to consult
 * @errp: where to report an error, QEMU Error ** convention
 *
 * Programmatic equivalent of the QMP "object-add" / "-object authz-pam"
 * forms documented on QAuthZPAM.
 *
 * Returns: the new driver instance; presumably NULL with @errp set on
 * failure - confirm against pamacct.c.
 */
QAuthZPAM *qauthz_pam_new(const char *id,
                          const char *service,
                          Error **errp);

#endif /* QAUTHZ_PAMACCT_H */