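/*
 * QEMU PAM authorization driver
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_PAMACCT_H
#define QAUTHZ_PAMACCT_H

#include "authz/base.h"
#include "qom/object.h"


/* QOM type name under which this driver is registered ("-object authz-pam"). */
#define TYPE_QAUTHZ_PAM "authz-pam"

typedef struct QAuthZPAM QAuthZPAM;
typedef struct QAuthZPAMClass QAuthZPAMClass;

/* Checked down-casts to the PAM driver's class and instance types. */
#define QAUTHZ_PAM_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZPAMClass, (klass), \
                       TYPE_QAUTHZ_PAM)
#define QAUTHZ_PAM_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZPAMClass, (obj), \
                     TYPE_QAUTHZ_PAM)
#define QAUTHZ_PAM(obj) \
    OBJECT_CHECK(QAuthZPAM, (obj), \
                 TYPE_QAUTHZ_PAM)



/**
 * QAuthZPAM:
 *
 * This authorization driver delegates the access decision to the
 * PAM "account" stack of a configured service. The identity being
 * authorized is handed to PAM as the user name, and the decision is
 * whatever the modules listed in that service's PAM configuration
 * return. There is no rule list inside QEMU for this driver; the
 * policy lives entirely in the PAM configuration.
 *
 * Only the PAM "account" phase is used. No "auth" phase runs, so this
 * driver performs no authentication of its own: the name it receives
 * is assumed to have been established already by the caller (for
 * example a TLS client certificate distinguished name, or a SASL
 * user name), and PAM is only asked whether that name is permitted.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-pam",
 *      "id": "authz0",
 *      "parameters": {
 *        "service": "qemu-vnc-tls"
 *      }
 *    }
 *  }
 *
 * The "service" value selects the PAM stack, so the above config
 * would require a config file /etc/pam.d/qemu-vnc-tls. For a simple
 * file lookup it would contain
 *
 *  account requisite pam_listfile.so item=user sense=allow \
 *          file=/etc/qemu/vnc.allow
 *
 * The external file would then contain a list of usernames, one per
 * line. With "sense=allow" a name that is not present in the file is
 * denied; "requisite" makes that denial final rather than letting a
 * later module override it.
 *
 * If an x509 cert was being used as the username, a suitable entry
 * would match the distinguished name, rendered exactly as the caller
 * passes it (RDN order and spacing must match):
 *
 *   CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
 *
 * Since the allow-list is the whole policy, it must only be writable
 * by the administrator. pam_listfile is documented to refuse files
 * that are not owned by root or that are world-writable; keep the
 * file root-owned with mode 0644 or tighter (confirm the exact
 * checks against pam_listfile(8) for the installed PAM version).
 *
 * On the command line it can be created using
 *
 *   -object authz-pam,id=authz0,service=qemu-vnc-tls
 *
 */
struct QAuthZPAM {
    QAuthZ parent_obj;

    /*
     * PAM service name, i.e. the basename of the /etc/pam.d/ file
     * whose "account" stack is consulted. Set from the "service"
     * property; storage is owned by the object (release is in the
     * matching .c file, not visible here).
     */
    char *service;
};


struct QAuthZPAMClass {
    QAuthZClass parent_class;
};


/**
 * qauthz_pam_new:
 * @id: the QOM object id for the new instance
 * @service: the PAM service name (selects /etc/pam.d/<service>)
 * @errp: pointer to a NULL-initialized error object
 *
 * Create and register a new PAM authorization driver instance.
 *
 * Returns: the new object, or (following the usual Error ** contract)
 * NULL with @errp set on failure. The caller owns the returned
 * reference.
 */
QAuthZPAM *qauthz_pam_new(const char *id,
                          const char *service,
                          Error **errp);

#endif /* QAUTHZ_PAMACCT_H */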