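/*
 * QEMU PAM authorization driver
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_PAMACCT_H
#define QAUTHZ_PAMACCT_H

#include "authz/base.h"
#include "qom/object.h"


#define TYPE_QAUTHZ_PAM "authz-pam"

typedef struct QAuthZPAM QAuthZPAM;
typedef struct QAuthZPAMClass QAuthZPAMClass;
#define QAUTHZ_PAM_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZPAMClass, (klass), \
                       TYPE_QAUTHZ_PAM)
#define QAUTHZ_PAM_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZPAMClass, (obj), \
                     TYPE_QAUTHZ_PAM)
#define QAUTHZ_PAM(obj) \
    OBJECT_CHECK(QAuthZPAM, (obj), \
                 TYPE_QAUTHZ_PAM)



/**
 * QAuthZPAM:
 *
 * This authorization driver delegates the access decision to the
 * host's PAM stack. The identity being authorized is handed to PAM
 * as the user name for the configured service, and access is granted
 * only if the PAM "account" stack for that service succeeds. QEMU
 * itself does no matching here - unlike the list-based authz drivers
 * there are no glob rules or catch-all policy in this object; the
 * whole policy lives in the PAM configuration.
 *
 * Note that this is authorization only: the PAM "account" phase does
 * not verify any credential, so the identity must already have been
 * authenticated by the caller (e.g. a TLS x509 client certificate or
 * SASL) before it is passed to this driver.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-pam",
 *      "id": "authz0",
 *      "parameters": {
 *        "service": "qemu-vnc-tls"
 *      }
 *    }
 *  }
 *
 * The driver only uses the PAM "account" verification
 * subsystem. The above config would require a config
 * file /etc/pam.d/qemu-vnc-tls. For a simple file
 * lookup it would contain
 *
 *  account requisite  pam_listfile.so item=user sense=allow \
 *          file=/etc/qemu/vnc.allow
 *
 * The external file would then contain a list of usernames,
 * one per line. With "sense=allow" only listed identities are
 * permitted and everything else is denied; "requisite" means a
 * failure of this module ends the account stack immediately with
 * a denial rather than letting later modules run. pam_listfile
 * defaults to onerr=fail, so a missing or unreadable list file
 * denies rather than allows. pam_listfile also refuses to use a
 * world-writable list file, but the file should in any case be
 * root-owned and not writable by anyone else, since whoever can
 * edit it controls who is authorized.
 *
 * If an x509 cert was being used as the username, a suitable
 * entry would match the distinguished name:
 *
 *  CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB
 *
 * pam_listfile compares whole lines, so the entry must match the
 * DN string exactly as QEMU presents it (RDN order, separators and
 * spacing included); presumably that is the string produced by the
 * TLS session's peer-name code - verify against a logged denial
 * rather than hand-composing it.
 *
 * On the command line it can be created using
 *
 *   -object authz-pam,id=authz0,service=qemu-vnc-tls
 *
 * The "service" value selects which /etc/pam.d/<service> file is
 * consulted; it is supplied by the QEMU operator, not by the remote
 * peer being authorized.
 */
struct QAuthZPAM {
    QAuthZ parent_obj;

    /*
     * PAM service name, i.e. the basename of the /etc/pam.d file
     * whose "account" stack decides access. Owned by this object;
     * presumably freed on finalize - confirm in pamacct.c.
     */
    char *service;
};


struct QAuthZPAMClass {
    QAuthZClass parent_class;
};


/**
 * qauthz_pam_new:
 * @id: the QOM object id for the new instance
 * @service: the PAM service name to consult (see QAuthZPAM)
 * @errp: pointer to an Error to fill on failure
 *
 * Create a new PAM authorization driver object. Presumably returns
 * NULL with @errp set on failure, following the usual QEMU Error
 * convention - confirm in pamacct.c.
 */
QAuthZPAM *qauthz_pam_new(const char *id,
                          const char *service,
                          Error **errp);

#endif /* QAUTHZ_PAMACCT_H */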