/*
 * QEMU list file authorization driver
 *
 * Copyright (c) 2018 Red Hat, Inc.
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, see <http://www.gnu.org/licenses/>.
 *
 */

/* NOTE(review): identifiers containing "__" are reserved for the C
 * implementation; a guard spelled QAUTHZ_LIST_FILE_H would avoid that. */
#ifndef QAUTHZ_LIST_FILE_H__
#define QAUTHZ_LIST_FILE_H__

#include "authz/list.h"
#include "qapi/qapi-types-authz.h"
#include "qemu/filemonitor.h"

/* QOM type name; this is the "qom-type" value given to object-add / -object. */
#define TYPE_QAUTHZ_LIST_FILE "authz-list-file"

/* Runtime-checked QOM casts for the class and instance structs below. */
#define QAUTHZ_LIST_FILE_CLASS(klass) \
    OBJECT_CLASS_CHECK(QAuthZListFileClass, (klass), \
                       TYPE_QAUTHZ_LIST_FILE)
#define QAUTHZ_LIST_FILE_GET_CLASS(obj) \
    OBJECT_GET_CLASS(QAuthZListFileClass, (obj), \
                     TYPE_QAUTHZ_LIST_FILE)
/* NOTE(review): INTERFACE_CHECK is the cast macro QOM provides for
 * interface types, whereas QAuthZListFile is a concrete object type for
 * which OBJECT_CHECK is the conventional choice.  Both are believed to
 * expand to the same object_dynamic_cast_assert() call, so this is a
 * matter of intent rather than behaviour — worth confirming in qom/object.h. */
#define QAUTHZ_LIST_FILE(obj) \
    INTERFACE_CHECK(QAuthZListFile, (obj), \
                    TYPE_QAUTHZ_LIST_FILE)

typedef struct QAuthZListFile QAuthZListFile;
typedef struct QAuthZListFileClass QAuthZListFileClass;


/**
 * QAuthZListFile:
 *
 * This authorization driver provides a file mechanism
 * for granting access by matching user names against a
 * file of globs. Each match rule has an associated policy,
 * and a catch-all policy applies if no rule matches.
 *
 * To create an instance of this class via QMP:
 *
 *  {
 *    "execute": "object-add",
 *    "arguments": {
 *      "qom-type": "authz-list-file",
 *      "id": "authz0",
 *      "props": {
 *        "filename": "/etc/qemu/myvm-vnc.acl",
 *        "refresh": true
 *      }
 *    }
 *  }
 *
 * If 'refresh' is true ('refresh=yes' on the command line), inotify is
 * used to monitor for changes to the file and auto-reload the rules.
 * Because a modified file is applied without any further confirmation,
 * whoever can write the file controls the access policy; the file
 * should be writable only by the administrator of the VM.
 *
 * The myvm-vnc.acl file should contain the parameters for
 * the QAuthZList object in JSON format:
 *
 *   {
 *     "rules": [
 *        { "match": "fred", "policy": "allow", "format": "exact" },
 *        { "match": "bob", "policy": "allow", "format": "exact" },
 *        { "match": "danb", "policy": "deny", "format": "exact" },
 *        { "match": "dan*", "policy": "allow", "format": "glob" }
 *     ],
 *     "policy": "deny"
 *   }
 *
 * The object can be created on the command line using
 *
 *   -object authz-list-file,id=authz0,\
 *           filename=/etc/qemu/myvm-vnc.acl,refresh=yes
 *
 */
struct QAuthZListFile {
    QAuthZ parent_obj;

    /* Rule set built from the JSON in @filename ("rules" plus the
     * fallback "policy", see above).  Presumably the object that the
     * is-allowed check is delegated to — confirm in listfile.c. */
    QAuthZ *list;
    /* Path of the ACL file (the "filename" property). */
    char *filename;
    /* The "refresh" property: when true the file is watched with inotify
     * and the rules are reloaded whenever it changes. */
    bool refresh;
    /* File monitor and its watch handle backing the refresh mechanism;
     * presumably only set up when @refresh is true — confirm in listfile.c. */
    QFileMonitor *file_monitor;
    int file_watch;
};


/* Class struct; no per-class state beyond the QAuthZ base class. */
struct QAuthZListFileClass {
    QAuthZClass parent_class;
};


/**
 * qauthz_list_file_new:
 * @id: the QOM object ID for the new instance
 * @filename: path of the ACL file holding the QAuthZList rules in JSON
 * @refresh: whether to watch the file and reload the rules on change
 * @errp: pointer to a NULL-initialized error object
 *
 * Create a new authorization object whose rules are read from a file.
 *
 * Returns: the new authorization object instance; on failure the
 * return is presumably NULL with @errp set, as is the convention for
 * QEMU *_new helpers — confirm in listfile.c.
 */
QAuthZListFile *qauthz_list_file_new(const char *id,
                                     const char *filename,
                                     bool refresh,
                                     Error **errp);


#endif /* QAUTHZ_LIST_FILE_H__ */