Google Git
Sign in
qemu / qemu / bdef79a2994d6f0383e07e9597675711662b3031
commitbdef79a2994d6f0383e07e9597675711662b3031[log] [tgz]
authorCorey Bryant <coreyb@linux.vnet.ibm.com>Thu Jan 26 09:42:25 2012 -0500
committerAnthony Liguori <aliguori@us.ibm.com>Wed Feb 01 16:24:39 2012 -0600
tree290449d0ac4a61363584b973ff20667ee8f392a9
parent7b93fadf3a38d1ed65ea5536a52efc2772c6e3b8 [diff]
Add access control support to qemu bridge helper

We go to great lengths to restrict ourselves to just cap_net_admin as an OS
enforced security mechanism.  However, we further restrict what we allow users
to do to simply adding a tap device to a bridge interface by virtue of the fact
that this is the only functionality we expose.

This is not good enough though.  An administrator is likely to want to restrict
the bridges that an unprivileged user can access, in particular, to restrict
an unprivileged user from putting a guest on what should be isolated networks.

This patch implements an ACL mechanism that is enforced by qemu-bridge-helper.
The ACLs are fairly simple whitelist/blacklist mechanisms with a wildcard of
'all'.  All users are blacklisted by default, and deny takes precedence over
allow.

An interesting feature of this ACL mechanism is that you can include external
ACL files.  The main reason to support this is so that you can set different
file system permissions on those external ACL files.  This allows an
administrator to implement rather sophisticated ACL policies based on
user/group policies via the file system.

As an example:

/etc/qemu/bridge.conf root:qemu 0640

 allow br0
 include /etc/qemu/alice.conf
 include /etc/qemu/bob.conf
 include /etc/qemu/charlie.conf

/etc/qemu/alice.conf root:alice 0640
 allow br1

/etc/qemu/bob.conf root:bob 0640
 allow br2

/etc/qemu/charlie.conf root:charlie 0640
 deny all

This ACL pattern allows any user in the qemu group to get a tap device
connected to br0 (which is bridged to the physical network).

Users in the alice group can additionally get a tap device connected to br1.
This allows br1 to act as a private bridge for the alice group.

Users in the bob group can additionally get a tap device connected to br2.
This allows br2 to act as a private bridge for the bob group.

Users in the charlie group cannot get a tap device connected to any bridge.

Under no circumstance can the bob group get access to br1 or can the alice
group get access to br2.  And under no cicumstance can the charlie group
get access to any bridge.

Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Signed-off-by: Richa Marwaha <rmarwah@linux.vnet.ibm.com>
Signed-off-by: Corey Bryant <coreyb@linux.vnet.ibm.com>
Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
1 file changed
tree: 290449d0ac4a61363584b973ff20667ee8f392a9
  1. audio/
  2. block/
  3. bsd-user/
  4. darwin-user/
  5. default-configs/
  6. docs/
  7. fpu/
  8. fsdev/
  9. gdb-xml/
  10. hw/
  11. include/
  12. libcacard/
  13. linux-headers/
  14. linux-user/
  15. net/
  16. pc-bios/
  17. qapi/
  18. qga/
  19. QMP/
  20. qom/
  21. roms/
  22. scripts/
  23. slirp/
  24. sysconfigs/
  25. target-alpha/
  26. target-arm/
  27. target-cris/
  28. target-i386/
  29. target-lm32/
  30. target-m68k/
  31. target-microblaze/
  32. target-mips/
  33. target-ppc/
  34. target-s390x/
  35. target-sh4/
  36. target-sparc/
  37. target-unicore32/
  38. target-xtensa/
  39. tcg/
  40. tests/
  41. trace/
  42. ui/
  43. .gitignore
  44. .gitmodules
  45. .mailmap
  46. a.out.h
  47. acl.c
  48. acl.h
  49. aes.c
  50. aes.h
  51. aio.c
  52. alpha-dis.c
  53. alpha.ld
  54. arch_init.c
  55. arch_init.h
  56. arm-dis.c
  57. arm-semi.c
  58. arm.ld
  59. async.c
  60. balloon.c
  61. balloon.h
  62. bitmap.c
  63. bitmap.h
  64. bitops.c
  65. bitops.h
  66. block-migration.c
  67. block-migration.h
  68. block.c
  69. block.h
  70. block_int.h
  71. blockdev.c
  72. blockdev.h
  73. bswap.h
  74. bt-host.c
  75. bt-host.h
  76. bt-vhci.c
  77. buffered_file.c
  78. buffered_file.h
  79. cache-utils.c
  80. cache-utils.h
  81. Changelog
  82. check-qdict.c
  83. check-qfloat.c
  84. check-qint.c
  85. check-qjson.c
  86. check-qlist.c
  87. check-qstring.c
  88. cmd.c
  89. cmd.h
  90. CODING_STYLE
  91. compatfd.c
  92. compatfd.h
  93. compiler.h
  94. config.h
  95. configure
  96. console.c
  97. console.h
  98. COPYING
  99. COPYING.LIB
  100. coroutine-gthread.c
  101. coroutine-ucontext.c
  102. coroutine-win32.c
  103. cpu-all.h
  104. cpu-common.h
  105. cpu-defs.h
  106. cpu-exec.c
  107. cpus.c
  108. cpus.h
  109. cris-dis.c
  110. cursor.c
  111. cursor_hidden.xpm
  112. cursor_left_ptr.xpm
  113. cutils.c
  114. def-helper.h
  115. device_tree.c
  116. device_tree.h
  117. dis-asm.h
  118. disas.c
  119. disas.h
  120. dma-helpers.c
  121. dma.h
  122. dyngen-exec.h
  123. elf.h
  124. envlist.c
  125. envlist.h
  126. error.c
  127. error.h
  128. error_int.h
  129. event_notifier.c
  130. event_notifier.h
  131. exec-all.h
  132. exec-memory.h
  133. exec-obsolete.h
  134. exec.c
  135. gdbstub.c
  136. gdbstub.h
  137. gen-icount.h
  138. HACKING
  139. hmp-commands.hx
  140. hmp.c
  141. hmp.h
  142. host-utils.c
  143. host-utils.h
  144. hppa-dis.c
  145. hppa.ld
  146. i386-dis.c
  147. i386.ld
  148. ia64-dis.c
  149. ia64.ld
  150. input.c
  151. int128.h
  152. iohandler.c
  153. ioport-user.c
  154. ioport.c
  155. ioport.h
  156. iorange.h
  157. iov.c
  158. iov.h
  159. json-lexer.c
  160. json-lexer.h
  161. json-parser.c
  162. json-parser.h
  163. json-streamer.c
  164. json-streamer.h
  165. kvm-all.c
  166. kvm-stub.c
  167. kvm.h
  168. libfdt_env.h
  169. LICENSE
  170. linux-aio.c
  171. m68k-dis.c
  172. m68k-semi.c
  173. m68k.ld
  174. main-loop.c
  175. main-loop.h
  176. MAINTAINERS
  177. Makefile
  178. Makefile.dis
  179. Makefile.hw
  180. Makefile.objs
  181. Makefile.target
  182. Makefile.user
  183. memory.c
  184. memory.h
  185. microblaze-dis.c
  186. migration-exec.c
  187. migration-fd.c
  188. migration-tcp.c
  189. migration-unix.c
  190. migration.c
  191. migration.h
  192. mips-dis.c
  193. mips.ld
  194. module.c
  195. module.h
  196. monitor.c
  197. monitor.h
  198. nbd.c
  199. nbd.h
  200. net.c
  201. net.h
  202. notify.c
  203. notify.h
  204. os-posix.c
  205. os-win32.c
  206. osdep.c
  207. osdep.h
  208. oslib-posix.c
  209. oslib-win32.c
  210. path.c
  211. pci-ids.txt
  212. pflib.c
  213. pflib.h
  214. poison.h
  215. posix-aio-compat.c
  216. ppc-dis.c
  217. ppc.ld
  218. ppc64.ld
  219. qapi-schema-guest.json
  220. qapi-schema-test.json
  221. qapi-schema.json
  222. qbool.c
  223. qbool.h
  224. qdict-test-data.txt
  225. qdict.c
  226. qdict.h
  227. qemu-aio.h
  228. qemu-barrier.h
  229. qemu-bridge-helper.c
  230. qemu-char.c
  231. qemu-char.h
  232. qemu-common.h
  233. qemu-config.c
  234. qemu-config.h
  235. qemu-coroutine-int.h
  236. qemu-coroutine-io.c
  237. qemu-coroutine-lock.c
  238. qemu-coroutine-sleep.c
  239. qemu-coroutine.c
  240. qemu-coroutine.h
  241. qemu-doc.texi
  242. qemu-error.c
  243. qemu-error.h
  244. qemu-file.h
  245. qemu-ga.c
  246. qemu-img-cmds.hx
  247. qemu-img.c
  248. qemu-img.texi
  249. qemu-io.c
  250. qemu-lock.h
  251. qemu-log.h
  252. qemu-nbd.c
  253. qemu-nbd.texi
  254. qemu-objects.h
  255. qemu-option.c
  256. qemu-option.h
  257. qemu-options-wrapper.h
  258. qemu-options.h
  259. qemu-options.hx
  260. qemu-os-posix.h
  261. qemu-os-win32.h
  262. qemu-progress.c
  263. qemu-queue.h
  264. qemu-sockets.c
  265. qemu-tech.texi
  266. qemu-thread-posix.c
  267. qemu-thread-posix.h
  268. qemu-thread-win32.c
  269. qemu-thread-win32.h
  270. qemu-thread.h
  271. qemu-timer-common.c
  272. qemu-timer.c
  273. qemu-timer.h
  274. qemu-tls.h
  275. qemu-tool.c
  276. qemu-x509.h
  277. qemu-xattr.h
  278. qemu.sasl
  279. qemu_socket.h
  280. qerror.c
  281. qerror.h
  282. qfloat.c
  283. qfloat.h
  284. qint.c
  285. qint.h
  286. qjson.c
  287. qjson.h
  288. qlist.c
  289. qlist.h
  290. qmp-commands.hx
  291. qmp.c
  292. qobject.h
  293. qstring.c
  294. qstring.h
  295. range.h
  296. readline.c
  297. readline.h
  298. README
  299. rules.mak
  300. s390-dis.c
  301. s390.ld
  302. savevm.c
  303. sh4-dis.c
  304. softmmu-semi.h
  305. softmmu_defs.h
  306. softmmu_exec.h
  307. softmmu_header.h
  308. softmmu_template.h
  309. sparc-dis.c
  310. sparc.ld
  311. sparc64.ld
  312. spice-qemu-char.c
  313. sysemu.h
  314. targphys.h
  315. tcg-runtime.c
  316. tci-dis.c
  317. tci.c
  318. test-coroutine.c
  319. test-qmp-commands.c
  320. test-qmp-input-visitor.c
  321. test-qmp-output-visitor.c
  322. thunk.c
  323. thunk.h
  324. TODO
  325. trace-events
  326. translate-all.c
  327. uboot_image.h
  328. usb-bsd.c
  329. usb-linux.c
  330. usb-redir.c
  331. usb-stub.c
  332. user-exec.c
  333. VERSION
  334. version.rc
  335. vgafont.h
  336. vl.c
  337. vmstate.h
  338. x86_64.ld
  339. xen-all.c
  340. xen-mapcache.c
  341. xen-mapcache.h
  342. xen-stub.c
  343. xtensa-semi.c