/*
 * QEMU list file authorization driver
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_LISTFILE_H
#define QAUTHZ_LISTFILE_H

#include "authz/list.h"
#include "qemu/filemonitor.h"
#include "qom/object.h"

#define TYPE_QAUTHZ_LIST_FILE "authz-list-file"

OBJECT_DECLARE_SIMPLE_TYPE(QAuthZListFile,
                           QAUTHZ_LIST_FILE)



/**
 * QAuthZListFile:
 *
 * This authorization driver provides a file mechanism
 * for granting access by matching user names against a
 * file of globs. Each match rule has an associated policy
 * and a catch all policy applies if no rule matches
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-list-file",
 *      "id": "authz0",
 *      "props": {
 *        "filename": "/etc/qemu/myvm-vnc.acl",
 *        "refresh": true
 *      }
 *    }
 *  }
 *
 * If 'refresh' is 'yes', inotify is used to monitor for changes
 * to the file and auto-reload the rules.
 *
 * The myvm-vnc.acl file should contain the parameters for
 * the QAuthZList object in JSON format:
 *
 *   {
 *     "rules": [
 *        { "match": "fred", "policy": "allow", "format": "exact" },
 *        { "match": "bob", "policy": "allow", "format": "exact" },
 *        { "match": "danb", "policy": "deny", "format": "exact" },
 *        { "match": "dan*", "policy": "allow", "format": "glob" }
 *     ],
 *     "policy": "deny"
 *   }
 *
 * The object can be created on the command line using
 *
 *   -object authz-list-file,id=authz0,\
 *           filename=/etc/qemu/myvm-vnc.acl,refresh=on
 *
 */
struct QAuthZListFile {
    QAuthZ parent_obj;

    QAuthZ *list;
    char *filename;
    bool refresh;
    QFileMonitor *file_monitor;
    int64_t file_watch;
};




QAuthZListFile *qauthz_list_file_new(const char *id,
                                     const char *filename,
                                     bool refresh,
                                     Error **errp);

#endif /* QAUTHZ_LISTFILE_H */
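The doc comment above describes the rule semantics of the ACL file (ordered rules, each with an exact or glob match and an allow/deny policy, plus a catch-all policy) without showing how an identity is actually evaluated against it. The following stand-alone C program is an added example, not QEMU code and not the `QAuthZListFile` implementation: it hard-codes the `myvm-vnc.acl` sample from the header as a constructed rule table and evaluates identities against it. It assumes first-match-wins ordering (which is what the sample's `danb` deny rule placed before the `dan*` allow rule relies on) and uses POSIX `fnmatch(3)` as a stand-in for whatever glob matcher QEMU uses; the JSON parsing and inotify refresh the header describes are deliberately left out.

```c
/*
 * Added example (not QEMU code): evaluator for the ACL semantics the
 * QAuthZListFile doc comment describes. Rules are checked in order, the
 * first matching rule decides, and the list-level "policy" applies when
 * no rule matches.
 */
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum format { FORMAT_EXACT, FORMAT_GLOB };
enum policy { POLICY_DENY, POLICY_ALLOW };

struct rule {
    const char *match;
    enum policy policy;
    enum format format;
};

struct acl {
    const struct rule *rules;
    size_t nrules;
    enum policy policy;   /* catch-all policy when no rule matches */
};

/* Constructed sample, mirroring the myvm-vnc.acl shown in the header. */
static const struct rule sample_rules[] = {
    { "fred", POLICY_ALLOW, FORMAT_EXACT },
    { "bob",  POLICY_ALLOW, FORMAT_EXACT },
    { "danb", POLICY_DENY,  FORMAT_EXACT },   /* must precede "dan*" */
    { "dan*", POLICY_ALLOW, FORMAT_GLOB  },
};

static const struct acl sample_acl = {
    sample_rules, sizeof(sample_rules) / sizeof(sample_rules[0]), POLICY_DENY
};

static bool rule_matches(const struct rule *r, const char *identity)
{
    switch (r->format) {
    case FORMAT_EXACT:
        /* Literal comparison: metacharacters in the identity mean nothing. */
        return strcmp(r->match, identity) == 0;
    case FORMAT_GLOB:
        /* Assumption: POSIX fnmatch as the glob matcher; '*' also matches "". */
        return fnmatch(r->match, identity, 0) == 0;
    }
    return false;
}

/* Returns true when `identity` is allowed by `acl`; first matching rule wins. */
bool acl_is_allowed(const struct acl *acl, const char *identity)
{
    for (size_t i = 0; i < acl->nrules; i++) {
        if (rule_matches(&acl->rules[i], identity)) {
            return acl->rules[i].policy == POLICY_ALLOW;
        }
    }
    return acl->policy == POLICY_ALLOW;
}

/* Convenience wrapper over the constructed sample ACL. */
bool sample_is_allowed(const char *identity)
{
    return acl_is_allowed(&sample_acl, identity);
}

int main(void)
{
    const char *ids[] = { "fred", "bob", "danb", "danpb", "dan", "mallory", "fre*" };
    for (size_t i = 0; i < sizeof(ids) / sizeof(ids[0]); i++) {
        printf("%-8s -> %s\n", ids[i], sample_is_allowed(ids[i]) ? "allow" : "deny");
    }
    return 0;
}
```

Two details worth noticing when writing a real ACL: `danb` is denied only because its exact rule is listed before the `dan*` glob, so reordering the file changes the outcome; and `dan` is allowed because a glob `*` matches the empty string, so a pattern intended for `dan<something>` also admits the bare prefix.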