1 /* 2 * QEMU PAM authorization driver 3 * 4 * Copyright (c) 2018 Red Hat, Inc. 5 * 6 * This library is free software; you can redistribute it and/or 7 * modify it under the terms of the GNU Lesser General Public 8 * License as published by the Free Software Foundation; either 9 * version 2 of the License, or (at your option) any later version. 10 * 11 * This library is distributed in the hope that it will be useful, 12 * but WITHOUT ANY WARRANTY; without even the implied warranty of 13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 14 * Lesser General Public License for more details. 15 * 16 * You should have received a copy of the GNU Lesser General Public 17 * License along with this library; if not, see <http://www.gnu.org/licenses/>. 18 * 19 */ 20 21 #ifndef QAUTHZ_PAM_H__ 22 #define QAUTHZ_PAM_H__ 23 24 #include "authz/base.h" 25 26 27 #define TYPE_QAUTHZ_PAM "authz-pam" 28 29 #define QAUTHZ_PAM_CLASS(klass) \ 30 OBJECT_CLASS_CHECK(QAuthZPAMClass, (klass), \ 31 TYPE_QAUTHZ_PAM) 32 #define QAUTHZ_PAM_GET_CLASS(obj) \ 33 OBJECT_GET_CLASS(QAuthZPAMClass, (obj), \ 34 TYPE_QAUTHZ_PAM) 35 #define QAUTHZ_PAM(obj) \ 36 OBJECT_CHECK(QAuthZPAM, (obj), \ 37 TYPE_QAUTHZ_PAM) 38 39 typedef struct QAuthZPAM QAuthZPAM; 40 typedef struct QAuthZPAMClass QAuthZPAMClass; 41 42 43 /** 44 * QAuthZPAM: 45 * 46 * This authorization driver provides a PAM mechanism 47 * for granting access by matching user names against a 48 * list of globs. Each match rule has an associated policy 49 * and a catch all policy applies if no rule matches 50 * 51 * To create an instance of this class via QMP: 52 * 53 * { 54 * "execute": "object-add", 55 * "arguments": { 56 * "qom-type": "authz-pam", 57 * "id": "authz0", 58 * "parameters": { 59 * "service": "qemu-vnc-tls" 60 * } 61 * } 62 * } 63 * 64 * The driver only uses the PAM "account" verification 65 * subsystem. The above config would require a config 66 * file /etc/pam.d/qemu-vnc-tls. For a simple file 67 * lookup it would contain 68 * 69 * account requisite pam_listfile.so item=user sense=allow \ 70 * file=/etc/qemu/vnc.allow 71 * 72 * The external file would then contain a list of usernames. 73 * If x509 cert was being used as the username, a suitable 74 * entry would match the distinguish name: 75 * 76 * CN=laptop.berrange.com,O=Berrange Home,L=London,ST=London,C=GB 77 * 78 * On the command line it can be created using 79 * 80 * -object authz-pam,id=authz0,service=qemu-vnc-tls 81 * 82 */ 83 struct QAuthZPAM { 84 QAuthZ parent_obj; 85 86 char *service; 87 }; 88 89 90 struct QAuthZPAMClass { 91 QAuthZClass parent_class; 92 }; 93 94 95 QAuthZPAM *qauthz_pam_new(const char *id, 96 const char *service, 97 Error **errp); 98 99 100 #endif /* QAUTHZ_PAM_H__ */ 101