e214671409
- Add new API virDomain{S,G}etInterfaceParameters - Add new API virDomain{G,S}etNumaParameters - Add support for ppc64 qemu - Support Xen domctl v8 OBS-URL: https://build.opensuse.org/package/show/Virtualization/libvirt?expand=0&rev=188
commit 9ae4ac7ac07d872cd32d0a3a1b1b44730b04bda7
Author: Jim Fehlig <jfehlig@suse.com>
Date: Tue Jan 3 11:35:06 2012 -0700
PolicyKit: Check auth before asking client to obtain it
I previously mentioned [1] a PolicyKit issue where libvirt would
proceed with authentication even though polkit-auth failed:
testusr xen134:~> virsh list --all
Attempting to obtain authorization for org.libvirt.unix.manage.
polkit-grant-helper: given auth type (8 -> yes) is bogus
Failed to obtain authorization for org.libvirt.unix.manage.
Id Name State
----------------------------------
0 Domain-0 running
- sles11sp1-pv shut off
AFAICT, libvirt attempts to obtain a privilege it already has,
causing polkit-auth to fail with above message. Instead of calling
obtain and then checking auth, IMO the workflow should be for the
server to check auth first, and if that fails ask the client to
obtain it and check again. This workflow also allows for checking
only successful exit of polkit-auth in virConnectAuthGainPolkit().
[1] https://www.redhat.com/archives/libvir-list/2011-December/msg00837.html
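--- a/src/libvirt.c
+++ b/src/libvirt.c
@@ -119,7 +119,7 @@ static int virConnectAuthGainPolkit(cons
 
 cmd = virCommandNewArgList(POLKIT_AUTH, "--obtain", privilege, NULL);
 if (virCommandRun(cmd, &status) < 0 ||
- status > 1)
+ status > 0)
 goto cleanup;
 
 ret = 0;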
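Review bot: The tightened test `status > 0` in virConnectAuthGainPolkit still lets a negative `status` fall through to `ret = 0`; `status != 0` says directly that only a clean polkit-auth exit counts as success. Whether virCommandRun can store a negative or raw wait status here is not visible in the hunk, so that needs confirming against the command helper. A one-line comment such as `/* polkit-auth must exit 0; an existing grant is now detected by the server-side check before we get here */` would record why exit status 1 is no longer tolerated. The function starts and ends outside the hunk.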
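--- a/src/remote/remote_driver.c
+++ b/src/remote/remote_driver.c
@@ -3121,6 +3121,14 @@ remoteAuthPolkit (virConnectPtr conn, st
 };
 VIR_DEBUG("Client initialize PolicyKit-0 authentication");
 
+ /* Check auth first and if it succeeds we are done. */
+ memset (&ret, 0, sizeof ret);
+ if (call (conn, priv, 0, REMOTE_PROC_AUTH_POLKIT,
+ (xdrproc_t) xdr_void, (char *)NULL,
+ (xdrproc_t) xdr_remote_auth_polkit_ret, (char *) &ret) == 0)
+ goto out;
+
+ /* Auth failed. Ask client to obtain it and check again. */
 if (auth && auth->cb) {
 /* Check if the necessary credential type for PolicyKit is supported */
 for (i = 0 ; i < auth->ncredtype ; i++) {
@@ -3138,9 +3146,11 @@ remoteAuthPolkit (virConnectPtr conn, st
 }
 } else {
 VIR_DEBUG("Client auth callback does not support PolicyKit");
+ return -1;
 }
 } else {
 VIR_DEBUG("No auth callback provided");
+ return -1;
 }
 
 memset (&ret, 0, sizeof ret);
@@ -3150,6 +3160,7 @@ remoteAuthPolkit (virConnectPtr conn, st
 return -1; /* virError already set by call */
 }
 
+out:
 VIR_DEBUG("PolicyKit-0 authentication complete");
 return 0;
 }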
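Review bot: Any failure of the new up-front `call (... REMOTE_PROC_AUTH_POLKIT ...)` in the first hunk is treated as "not yet authorized", so a transport or RPC error also falls through to the client callback. The error recorded by that failed call also appears to stay set when the second check later succeeds. I would clear it once the client has obtained the grant, with `virResetLastError();` just before the second `memset (&ret, 0, sizeof ret);`, and fall through to the callback only when the recorded error is an authentication failure. The two added `return -1;` lines rely on the first call's error being the one reported to the caller, which deserves a comment such as `/* virError already set by the failed check above */`. remoteAuthPolkit starts outside these hunks.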