xref: /openbmc/qemu/include/authz/listfile.h (revision 135b03cb)
1 /*
2  * QEMU list file authorization driver
3  *
4  * Copyright (c) 2018 Red Hat, Inc.
5  *
6  * This library is free software; you can redistribute it and/or
7  * modify it under the terms of the GNU Lesser General Public
8  * License as published by the Free Software Foundation; either
9  * version 2 of the License, or (at your option) any later version.
10  *
11  * This library is distributed in the hope that it will be useful,
12  * but WITHOUT ANY WARRANTY; without even the implied warranty of
13  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
14  * Lesser General Public License for more details.
15  *
16  * You should have received a copy of the GNU Lesser General Public
17  * License along with this library; if not, see <http://www.gnu.org/licenses/>.
18  *
19  */
20 
21 #ifndef QAUTHZ_LISTFILE_H
22 #define QAUTHZ_LISTFILE_H
23 
24 #include "authz/list.h"
25 #include "qemu/filemonitor.h"
26 
27 #define TYPE_QAUTHZ_LIST_FILE "authz-list-file"
28 
29 #define QAUTHZ_LIST_FILE_CLASS(klass)                        \
30     OBJECT_CLASS_CHECK(QAuthZListFileClass, (klass),        \
31                        TYPE_QAUTHZ_LIST_FILE)
32 #define QAUTHZ_LIST_FILE_GET_CLASS(obj)              \
33     OBJECT_GET_CLASS(QAuthZListFileClass, (obj),    \
34                       TYPE_QAUTHZ_LIST_FILE)
35 #define QAUTHZ_LIST_FILE(obj) \
36     OBJECT_CHECK(QAuthZListFile, (obj), \
37                  TYPE_QAUTHZ_LIST_FILE)
38 
39 typedef struct QAuthZListFile QAuthZListFile;
40 typedef struct QAuthZListFileClass QAuthZListFileClass;
41 
42 
43 /**
44  * QAuthZListFile:
45  *
46  * This authorization driver provides a file mechanism
47  * for granting access by matching user names against a
48  * file of globs. Each match rule has an associated policy
49  * and a catch all policy applies if no rule matches
50  *
51  * To create an instance of this class via QMP:
52  *
53  *  {
54  *    "execute": "object-add",
55  *    "arguments": {
56  *      "qom-type": "authz-list-file",
57  *      "id": "authz0",
58  *      "props": {
59  *        "filename": "/etc/qemu/myvm-vnc.acl",
60  *        "refresh": true
61  *      }
62  *    }
63  *  }
64  *
65  * If 'refresh' is 'yes', inotify is used to monitor for changes
66  * to the file and auto-reload the rules.
67  *
68  * The myvm-vnc.acl file should contain the parameters for
69  * the QAuthZList object in JSON format:
70  *
71  *      {
72  *        "rules": [
73  *           { "match": "fred", "policy": "allow", "format": "exact" },
74  *           { "match": "bob", "policy": "allow", "format": "exact" },
75  *           { "match": "danb", "policy": "deny", "format": "exact" },
76  *           { "match": "dan*", "policy": "allow", "format": "glob" }
77  *        ],
78  *        "policy": "deny"
79  *      }
80  *
81  * The object can be created on the command line using
82  *
83  *   -object authz-list-file,id=authz0,\
84  *           filename=/etc/qemu/myvm-vnc.acl,refresh=yes
85  *
86  */
87 struct QAuthZListFile {
88     QAuthZ parent_obj;
89 
90     QAuthZ *list;
91     char *filename;
92     bool refresh;
93     QFileMonitor *file_monitor;
94     int64_t file_watch;
95 };
96 
97 
98 struct QAuthZListFileClass {
99     QAuthZClass parent_class;
100 };
101 
102 
103 QAuthZListFile *qauthz_list_file_new(const char *id,
104                                      const char *filename,
105                                      bool refresh,
106                                      Error **errp);
107 
108 #endif /* QAUTHZ_LISTFILE_H */
109