util/acl.c

   1 /*
   2  * QEMU access control list management
   3  *
   4  * Copyright (C) 2009 Red Hat, Inc
   5  *
   6  * Permission is hereby granted, free of charge, to any person obtaining a copy
   7  * of this software and associated documentation files (the "Software"), to deal
   8  * in the Software without restriction, including without limitation the rights
   9  * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
  10  * copies of the Software, and to permit persons to whom the Software is
  11  * furnished to do so, subject to the following conditions:
  12  *
  13  * The above copyright notice and this permission notice shall be included in
  14  * all copies or substantial portions of the Software.
  15  *
  16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
  17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
  18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
  19  * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
  20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  21  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  22  * THE SOFTWARE.
  23  */
  24
  25
  26 #include "qemu/osdep.h"
  27 #include "qemu-common.h"
  28 #include "qemu/acl.h"
  29
  30 #ifdef CONFIG_FNMATCH
  31 #include <fnmatch.h>
  32 #endif
  33
  34
  35 static unsigned int nacls = 0;
  36 static qemu_acl **acls = NULL;
  37
  38
  39
  40 qemu_acl *qemu_acl_find(const char *aclname)
  41 {
  42     int i;
  43     for (i = 0 ; i < nacls ; i++) {
  44         if (strcmp(acls[i]->aclname, aclname) == 0)
  45             return acls[i];
  46     }
  47
  48     return NULL;
  49 }
  50
  51 qemu_acl *qemu_acl_init(const char *aclname)
  52 {
  53     qemu_acl *acl;
  54
  55     acl = qemu_acl_find(aclname);
  56     if (acl)
  57         return acl;
  58
  59     acl = g_malloc(sizeof(*acl));
  60     acl->aclname = g_strdup(aclname);
  61     /* Deny by default, so there is no window of "open
  62      * access" between QEMU starting, and the user setting
  63      * up ACLs in the monitor */
  64     acl->defaultDeny = 1;
  65
  66     acl->nentries = 0;
  67     QTAILQ_INIT(&acl->entries);
  68
  69     acls = g_realloc(acls, sizeof(*acls) * (nacls +1));
  70     acls[nacls] = acl;
  71     nacls++;
  72
  73     return acl;
  74 }
  75
  76 int qemu_acl_party_is_allowed(qemu_acl *acl,
  77                               const char *party)
  78 {
  79     qemu_acl_entry *entry;
  80
  81     QTAILQ_FOREACH(entry, &acl->entries, next) {
  82 #ifdef CONFIG_FNMATCH
  83         if (fnmatch(entry->match, party, 0) == 0)
  84             return entry->deny ? 0 : 1;
  85 #else
  86         /* No fnmatch, so fallback to exact string matching
  87          * instead of allowing wildcards */
  88         if (strcmp(entry->match, party) == 0)
  89             return entry->deny ? 0 : 1;
  90 #endif
  91     }
  92
  93     return acl->defaultDeny ? 0 : 1;
  94 }
  95
  96
  97 void qemu_acl_reset(qemu_acl *acl)
  98 {
  99     qemu_acl_entry *entry, *next_entry;
 100
 101     /* Put back to deny by default, so there is no window
 102      * of "open access" while the user re-initializes the
 103      * access control list */
 104     acl->defaultDeny = 1;
 105     QTAILQ_FOREACH_SAFE(entry, &acl->entries, next, next_entry) {
 106         QTAILQ_REMOVE(&acl->entries, entry, next);
 107         g_free(entry->match);
 108         g_free(entry);
 109     }
 110     acl->nentries = 0;
 111 }
 112
 113
 114 int qemu_acl_append(qemu_acl *acl,
 115                     int deny,
 116                     const char *match)
 117 {
 118     qemu_acl_entry *entry;
 119
 120     entry = g_malloc(sizeof(*entry));
 121     entry->match = g_strdup(match);
 122     entry->deny = deny;
 123
 124     QTAILQ_INSERT_TAIL(&acl->entries, entry, next);
 125     acl->nentries++;
 126
 127     return acl->nentries;
 128 }
 129
 130
 131 int qemu_acl_insert(qemu_acl *acl,
 132                     int deny,
 133                     const char *match,
 134                     int index)
 135 {
 136     qemu_acl_entry *tmp;
 137     int i = 0;
 138
 139     if (index <= 0)
 140         return -1;
 141     if (index > acl->nentries) {
 142         return qemu_acl_append(acl, deny, match);
 143     }
 144
 145     QTAILQ_FOREACH(tmp, &acl->entries, next) {
 146         i++;
 147         if (i == index) {
 148             qemu_acl_entry *entry;
 149             entry = g_malloc(sizeof(*entry));
 150             entry->match = g_strdup(match);
 151             entry->deny = deny;
 152
 153             QTAILQ_INSERT_BEFORE(tmp, entry, next);
 154             acl->nentries++;
 155             break;
 156         }
 157     }
 158
 159     return i;
 160 }
 161
 162 int qemu_acl_remove(qemu_acl *acl,
 163                     const char *match)
 164 {
 165     qemu_acl_entry *entry;
 166     int i = 0;
 167
 168     QTAILQ_FOREACH(entry, &acl->entries, next) {
 169         i++;
 170         if (strcmp(entry->match, match) == 0) {
 171             QTAILQ_REMOVE(&acl->entries, entry, next);
 172             acl->nentries--;
 173             g_free(entry->match);
 174             g_free(entry);
 175             return i;
 176         }
 177     }
 178     return -1;
 179 }