/*
 * QEMU list file authorization driver
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

#ifndef QAUTHZ_LISTFILE_H
#define QAUTHZ_LISTFILE_H

#include "authz/list.h"
#include "qemu/filemonitor.h"

/* QOM type name; this is the "qom-type" value used with object-add / -object. */
#define TYPE_QAUTHZ_LIST_FILE "authz-list-file"

/* Standard QOM checked-cast helpers for this type. */
#define QAUTHZ_LIST_FILE_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZListFileClass, (klass), \
                       TYPE_QAUTHZ_LIST_FILE)
#define QAUTHZ_LIST_FILE_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZListFileClass, (obj), \
                     TYPE_QAUTHZ_LIST_FILE)
#define QAUTHZ_LIST_FILE(obj) \
    OBJECT_CHECK(QAuthZListFile, (obj), \
                 TYPE_QAUTHZ_LIST_FILE)

typedef struct QAuthZListFile QAuthZListFile;
typedef struct QAuthZListFileClass QAuthZListFileClass;


/**
 * QAuthZListFile:
 *
 * This authorization driver provides a file mechanism for granting
 * access by matching user names against a set of rules loaded from a
 * file.  Each match rule has an associated policy, and a catch-all
 * policy applies if no rule matches.  The rules themselves are handled
 * by a QAuthZList object (see authz/list.h); this driver only takes
 * care of loading (and optionally reloading) them from the file.
 *
 * Security note: the rules file is a trust boundary.  Whoever can write
 * to it - or, with 'refresh' enabled, replace it while QEMU is running -
 * controls who is granted access, so it must be owned by the
 * administrator and must not be writable by unprivileged users.  Its
 * permissions should be at least as restrictive as those of the QEMU
 * configuration that references it.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-list-file",
 *      "id": "authz0",
 *      "props": {
 *        "filename": "/etc/qemu/myvm-vnc.acl",
 *        "refresh": true
 *      }
 *    }
 *  }
 *
 * If 'refresh' is true ('yes' on the command line), inotify is used to
 * monitor for changes to the file and auto-reload the rules.  Whether a
 * reload that fails to parse keeps the previously loaded rules or leaves
 * the object with no rules is not specified here - check
 * authz/listfile.c before relying on either behaviour.
 *
 * The myvm-vnc.acl file should contain the parameters for the
 * QAuthZList object in JSON format:
 *
 *  {
 *    "rules": [
 *       { "match": "fred", "policy": "allow", "format": "exact" },
 *       { "match": "bob", "policy": "allow", "format": "exact" },
 *       { "match": "danb", "policy": "deny", "format": "exact" },
 *       { "match": "dan*", "policy": "allow", "format": "glob" }
 *    ],
 *    "policy": "deny"
 *  }
 *
 * Each rule's "format" selects how "match" is compared against the user
 * name; the example uses "exact" and "glob" (see authz/list.h for the
 * accepted values).  The example places the "danb" deny rule before the
 * "dan*" allow rule, which only has the intended effect if rules are
 * evaluated in order with the first match winning - confirm this against
 * authz/list.c before depending on rule ordering.  A "deny" catch-all
 * policy, as shown, is the fail-closed choice: anyone not explicitly
 * listed is refused.
 *
 * The object can be created on the command line using
 *
 *   -object authz-list-file,id=authz0,\
 *           filename=/etc/qemu/myvm-vnc.acl,refresh=yes
 *
 * The struct members below are the driver's private state; configure
 * the object through its properties rather than touching them directly.
 */
struct QAuthZListFile {
    /* Base instance; kept first so the QOM cast macros above can treat
     * a QAuthZListFile as a QAuthZ. */
    QAuthZ parent_obj;

    /* The QAuthZList built from the file contents.  The access decision
     * itself is made by this object, not by the list-file driver. */
    QAuthZ *list;
    /* Path of the JSON rules file ("filename" property). */
    char *filename;
    /* "refresh" property: when true, the file is watched for changes
     * and the rules are reloaded automatically. */
    bool refresh;
    /* File monitor used to watch 'filename' when refresh is enabled.
     * NOTE(review): presumably NULL when refresh is false - confirm in
     * authz/listfile.c. */
    QFileMonitor *file_monitor;
    /* Watch identifier obtained from the file monitor.
     * NOTE(review): the value used to mean "no watch" is not visible
     * here - confirm in authz/listfile.c. */
    int64_t file_watch;
};


struct QAuthZListFileClass {
    /* No class-level state beyond the QAuthZ base class. */
    QAuthZClass parent_class;
};


/**
 * qauthz_list_file_new:
 * @id: the QOM object id to register the new object under
 * @filename: path of the JSON rules file to load
 * @refresh: whether to watch @filename and reload rules on change
 * @errp: pointer to a NULL-initialized error object
 *
 * Create and realize a QAuthZListFile object loading its rules from
 * @filename.  This is the C equivalent of the object-add / -object
 * examples above.
 *
 * Returns: the new object.  NOTE(review): on failure this is expected
 * to return NULL with @errp set, per the usual QEMU Error convention -
 * confirm in authz/listfile.c.
 */
QAuthZListFile *qauthz_list_file_new(const char *id,
                                     const char *filename,
                                     bool refresh,
                                     Error **errp);

#endif /* QAUTHZ_LISTFILE_H */