xref: /openbmc/qemu/include/authz/pamacct.h (revision 8110fa1d94f2997badc2af39231a1d279c5bb1ee) 
1 /*
2  * QEMU PAM authorization driver
3  *
4  * Copyright (c) 2018 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #ifndef QAUTHZ_PAMACCT_H
22 #define QAUTHZ_PAMACCT_H
23 
24 #include "authz/base.h"
25 #include "qom/object.h"
26 
27 
28 #define TYPE_QAUTHZ_PAM "authz-pam"
29 
30 typedef struct QAuthZPAM QAuthZPAM;
31 typedef struct QAuthZPAMClass QAuthZPAMClass;
32 DECLARE_OBJ_CHECKERS(QAuthZPAM, QAuthZPAMClass,
33                      QAUTHZ_PAM, TYPE_QAUTHZ_PAM)
34 
35 
36 
37 /**
38  * QAuthZPAM:
39  *
40  * This authorization driver provides a PAM mechanism
41  * for granting access by matching user names against a
42  * list of globs. Each match rule has an associated policy
43  * and a catch all policy applies if no rule matches
44  *
45  * To create an instance of this class via QMP:
46  *
47  *  {
48  *    "execute": "object-add",
49  *    "arguments": {
50  *      "qom-type": "authz-pam",
51  *      "id": "authz0",
52  *      "parameters": {
53  *        "service": "qemu-vnc-tls"
54  *      }
55  *    }
56  *  }
57  *
58  * The driver only uses the PAM "account" verification
59  * subsystem. The above config would require a config
60  * file /etc/pam.d/qemu-vnc-tls. For a simple file
61  * lookup it would contain
62  *
63  *   account requisite  pam_listfile.so item=user sense=allow \
64  *           file=/etc/qemu/vnc.allow
65  *
66  * The external file would then contain a list of usernames.
67  * If x509 cert was being used as the username, a suitable
68  * entry would match the distinguish name:
69  *
70  *  CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
71  *
72  * On the command line it can be created using
73  *
74  *   -object authz-pam,id=authz0,service=qemu-vnc-tls
75  *
76  */
77 struct QAuthZPAM {
78     QAuthZ parent_obj;
79 
80     char *service;
81 };
82 
83 
84 struct QAuthZPAMClass {
85     QAuthZClass parent_class;
86 };
87 
88 
89 QAuthZPAM *qauthz_pam_new(const char *id,
90                           const char *service,
91                           Error **errp);
92 
93 #endif /* QAUTHZ_PAMACCT_H */
94